[PATCH openEuler-5.10 07/12] ext4: fix check for block being out of directory size

From: Jan Kara jack@suse.cz

mainline inclusion from mainline-v6.1-rc1 commit 61a1d87a324ad5e3ed27c6699dfc93218fcf3201 category: bugfix bugzilla: 186639, https://gitee.com/src-openeuler/kernel/issues/I58WSQ CVE: CVE-2022-1184

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

The check in __ext4_read_dirblock() for block being outside of directory size was wrong because it compared block number against directory size in bytes. Fix it.

Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size") CVE: CVE-2022-1184 CC: stable@vger.kernel.org Signed-off-by: Jan Kara jack@suse.cz Reviewed-by: Lukas Czerner lczerner@redhat.com Link: https://lore.kernel.org/r/20220822114832.1482-1-jack@suse.cz Signed-off-by: Theodore Ts'o tytso@mit.edu Signed-off-by: Baokun Li libaokun1@huawei.com Reviewed-by: Zhang Yi yi.zhang@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- fs/ext4/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index af237deb5ac3..e704d2489fac 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -125,7 +125,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode, struct ext4_dir_entry *dirent; int is_dx_block = 0;

- if (block >= inode->i_size) { + if (block >= inode->i_size >> inode->i_blkbits) { ext4_error_inode(inode, func, line, block, "Attempting to read directory block (%u) that is past i_size (%llu)", block, inode->i_size);