xfs: check sb_agblocks and sb_agblklog when validating superblock

Currently, we don't check sb_agblocks or sb_agblklog when we validate the superblock, which means that we can fuzz garbage values into those values and the mount succeeds. This leads to all sorts of UBSAN warnings in xfs/350 since we can then coerce other parts of xfs into shifting by ridiculously large values. Once we've validated agblocks, make sure the agcount makes sense. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Brian Foster <bfoster@redhat.com>
author: Darrick J. Wong <darrick.wong@oracle.com> 2018-01-16 22:04:09 -0500
committer: Darrick J. Wong <darrick.wong@oracle.com> 2018-01-18 00:00:47 -0500
commit: 4bb73d014785cc55225686f9f46e7192fb59d26b (patch)
tree: c5b2139794cd13ae841dd3b2d04848a35748438c
parent: be78ff0e72778eb4df4aac66edb9e97462bfe00d (diff)
2 files changed, 21 insertions, 0 deletions
diff --git a/fs/xfs/libxfs/xfs_fs.h b/fs/xfs/libxfs/xfs_fs.h
index b90924104596..faf1a4edd618 100644
--- a/fs/xfs/libxfs/xfs_fs.h
+++ b/fs/xfs/libxfs/xfs_fs.h
@@ -233,6 +233,13 @@ typedef struct xfs_fsop_resblks {
 #define XFS_MAX_LOG_BLOCKS      (1024 * 1024ULL)
 #define XFS_MIN_LOG_BYTES       (10 * 1024 * 1024ULL)
+/*
+ * Limits on sb_agblocks/sb_agblklog -- mkfs won't format AGs smaller than
+ * 16MB or larger than 1TB.
+ */
+#define XFS_MIN_AG_BYTES        (1ULL << 24)    /* 16 MB */
+#define XFS_MAX_AG_BYTES        (1ULL << 40)    /* 1 TB */
 /* keep the maximum size under 2^31 by a small amount */
 #define XFS_MAX_LOG_BYTES \
        ((2 * 1024 * 1024 * 1024ULL) - XFS_MIN_LOG_BYTES)
diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c
index 869a2f3f0375..e0c826403c6a 100644
--- a/fs/xfs/libxfs/xfs_sb.c
+++ b/fs/xfs/libxfs/xfs_sb.c
@@ -118,6 +118,9 @@ xfs_mount_validate_sb(
        bool            check_inprogress,
        bool            check_version)
 {
+        u32             agcount = 0;
+        u32             rem;
        if (sbp->sb_magicnum != XFS_SB_MAGIC) {
                xfs_warn(mp, "bad magic number");
                return -EWRONGFS;
@@ -228,6 +231,13 @@ xfs_mount_validate_sb(
                return -EINVAL;
        }
+        /* Compute agcount for this number of dblocks and agblocks */
+        if (sbp->sb_agblocks) {
+                agcount = div_u64_rem(sbp->sb_dblocks, sbp->sb_agblocks, &rem);
+                if (rem)
+                        agcount++;
+        }
        /*
         * More sanity checking.  Most of these were stolen directly from
         * xfs_repair.
@@ -252,6 +262,10 @@ xfs_mount_validate_sb(
            sbp->sb_inodesize != (1 << sbp->sb_inodelog)                ||
            sbp->sb_logsunit > XLOG_MAX_RECORD_BSIZE                    ||
            sbp->sb_inopblock != howmany(sbp->sb_blocksize,sbp->sb_inodesize) ||
+            XFS_FSB_TO_B(mp, sbp->sb_agblocks) < XFS_MIN_AG_BYTES       ||
+            XFS_FSB_TO_B(mp, sbp->sb_agblocks) > XFS_MAX_AG_BYTES       ||
+            sbp->sb_agblklog != xfs_highbit32(sbp->sb_agblocks - 1) + 1 ||
+            agcount == 0 || agcount != sbp->sb_agcount                  ||
            (sbp->sb_blocklog - sbp->sb_inodelog != sbp->sb_inopblog)   ||
            (sbp->sb_rextsize * sbp->sb_blocksize > XFS_MAX_RTEXTSIZE)  ||
            (sbp->sb_rextsize * sbp->sb_blocksize < XFS_MIN_RTEXTSIZE)  ||
author	Darrick J. Wong <darrick.wong@oracle.com>	2018-01-16 22:04:09 -0500
committer	Darrick J. Wong <darrick.wong@oracle.com>	2018-01-18 00:00:47 -0500
commit	4bb73d014785cc55225686f9f46e7192fb59d26b (patch)
tree	c5b2139794cd13ae841dd3b2d04848a35748438c
parent	be78ff0e72778eb4df4aac66edb9e97462bfe00d (diff)