mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
* [PATCH] minix: avoid overflow in bitmap block count calculation
@ 2026-06-17 21:57 Michael Bommarito
  2026-06-18  7:28 ` Jan Kara
  0 siblings, 1 reply; 2+ messages in thread
From: Michael Bommarito @ 2026-06-17 21:57 UTC (permalink / raw)
  To: Jan Kara, Christian Brauner; +Cc: linux-fsdevel, linux-kernel

minix_check_superblock() uses minix_blocks_needed() to verify that the
on-disk imap and zmap block counts are large enough for the advertised
inode and zone counts.

The helper currently performs DIV_ROUND_UP() in unsigned int arithmetic.
A Minix v3 image can set s_ninodes or s_zones near UINT_MAX so the
addition inside DIV_ROUND_UP() wraps to zero. That makes a zero imap/zmap
block count look valid, after which minix_fill_super() can dereference
s_imap[0] or s_zmap[0] even though no bitmap buffers were allocated.

Impact: mounting a crafted Minix v3 image whose s_ninodes or s_zones is
near UINT_MAX makes minix_check_superblock() accept a zero bitmap-block
count and minix_fill_super() dereference s_imap[0]/s_zmap[0], panicking
the kernel.

Calculate the required bitmap block count with 64-bit arithmetic. Return it
as unsigned long to match the superblock fields and local comparison.

Fixes: 8c97a6ddc956 ("minix: Add required sanity checking to minix_check_superblock()")
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
Testing: integer overflow (no sanitizer); the oracle is the downstream
NULL/ZERO_SIZE_PTR dereference crash.

Reproduction (UML mount, same crafted image, before/after): a Minix v3
image is crafted with s_ninodes near UINT_MAX so DIV_ROUND_UP(s_ninodes,
blocksize * 8) wraps to zero, then mounted from /dev/ubda by a one-line
init.
  stock:   RIP: minix_fill_super+0x3f6/0x5c3 ; Kernel panic - not syncing:
           Kernel mode fault at addr 0x10 (ZERO_SIZE_PTR deref of
           s_imap[0]); UML exit code 134.
  patched: "MINIX-fs: file system does not have enough imap blocks
           allocated. Refusing to mount." / "bad superblock"; mount
           fails cleanly, no crash.
A KUnit case additionally asserts minix_blocks_needed() no longer wraps
for near-UINT_MAX inputs; both run on stock and patched.

Conditions: CONFIG_MINIX_FS=y and an attacker-supplied Minix image is
mounted (CAP_SYS_ADMIN in the mounting namespace, or a removable-media
automount path). v3 only: s_ninodes/s_zones are 32-bit; the v1/v2 16-bit
fields cannot reach the wrap.

Mitigations: do not mount untrusted Minix images; most distributions do
not enable CONFIG_MINIX_FS. No sysctl toggle.

Harness (init script, crafted image, KUnit) available on request.

 fs/minix/minix.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index f2025c9b58252..8dc83f80bd768 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -95,9 +95,10 @@ static inline struct minix_inode_info *minix_i(struct inode *inode)
 	return container_of(inode, struct minix_inode_info, vfs_inode);
 }
 
-static inline unsigned minix_blocks_needed(unsigned bits, unsigned blocksize)
+static inline unsigned long minix_blocks_needed(unsigned long bits,
+						unsigned int blocksize)
 {
-	return DIV_ROUND_UP(bits, blocksize * 8);
+	return DIV_ROUND_UP_ULL(bits, blocksize * 8);
 }
 
 #if defined(CONFIG_MINIX_FS_NATIVE_ENDIAN) && \
-- 
2.53.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] minix: avoid overflow in bitmap block count calculation
  2026-06-17 21:57 [PATCH] minix: avoid overflow in bitmap block count calculation Michael Bommarito
@ 2026-06-18  7:28 ` Jan Kara
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Kara @ 2026-06-18  7:28 UTC (permalink / raw)
  To: Michael Bommarito
  Cc: Jan Kara, Christian Brauner, linux-fsdevel, linux-kernel

On Wed 17-06-26 17:57:40, Michael Bommarito wrote:
> minix_check_superblock() uses minix_blocks_needed() to verify that the
> on-disk imap and zmap block counts are large enough for the advertised
> inode and zone counts.
> 
> The helper currently performs DIV_ROUND_UP() in unsigned int arithmetic.
> A Minix v3 image can set s_ninodes or s_zones near UINT_MAX so the
> addition inside DIV_ROUND_UP() wraps to zero. That makes a zero imap/zmap
> block count look valid, after which minix_fill_super() can dereference
> s_imap[0] or s_zmap[0] even though no bitmap buffers were allocated.
> 
> Impact: mounting a crafted Minix v3 image whose s_ninodes or s_zones is
> near UINT_MAX makes minix_check_superblock() accept a zero bitmap-block
> count and minix_fill_super() dereference s_imap[0]/s_zmap[0], panicking
> the kernel.
> 
> Calculate the required bitmap block count with 64-bit arithmetic. Return it
> as unsigned long to match the superblock fields and local comparison.
> 
> Fixes: 8c97a6ddc956 ("minix: Add required sanity checking to minix_check_superblock()")
> Assisted-by: Codex:gpt-5-5-xhigh
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>

Hum, I think this is what DIV_ROUND_UP_POW2() was invented for so using
that might be more obvious?

								Honza

> ---
> Testing: integer overflow (no sanitizer); the oracle is the downstream
> NULL/ZERO_SIZE_PTR dereference crash.
> 
> Reproduction (UML mount, same crafted image, before/after): a Minix v3
> image is crafted with s_ninodes near UINT_MAX so DIV_ROUND_UP(s_ninodes,
> blocksize * 8) wraps to zero, then mounted from /dev/ubda by a one-line
> init.
>   stock:   RIP: minix_fill_super+0x3f6/0x5c3 ; Kernel panic - not syncing:
>            Kernel mode fault at addr 0x10 (ZERO_SIZE_PTR deref of
>            s_imap[0]); UML exit code 134.
>   patched: "MINIX-fs: file system does not have enough imap blocks
>            allocated. Refusing to mount." / "bad superblock"; mount
>            fails cleanly, no crash.
> A KUnit case additionally asserts minix_blocks_needed() no longer wraps
> for near-UINT_MAX inputs; both run on stock and patched.
> 
> Conditions: CONFIG_MINIX_FS=y and an attacker-supplied Minix image is
> mounted (CAP_SYS_ADMIN in the mounting namespace, or a removable-media
> automount path). v3 only: s_ninodes/s_zones are 32-bit; the v1/v2 16-bit
> fields cannot reach the wrap.
> 
> Mitigations: do not mount untrusted Minix images; most distributions do
> not enable CONFIG_MINIX_FS. No sysctl toggle.
> 
> Harness (init script, crafted image, KUnit) available on request.
> 
>  fs/minix/minix.h | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/minix/minix.h b/fs/minix/minix.h
> index f2025c9b58252..8dc83f80bd768 100644
> --- a/fs/minix/minix.h
> +++ b/fs/minix/minix.h
> @@ -95,9 +95,10 @@ static inline struct minix_inode_info *minix_i(struct inode *inode)
>  	return container_of(inode, struct minix_inode_info, vfs_inode);
>  }
>  
> -static inline unsigned minix_blocks_needed(unsigned bits, unsigned blocksize)
> +static inline unsigned long minix_blocks_needed(unsigned long bits,
> +						unsigned int blocksize)
>  {
> -	return DIV_ROUND_UP(bits, blocksize * 8);
> +	return DIV_ROUND_UP_ULL(bits, blocksize * 8);
>  }
>  
>  #if defined(CONFIG_MINIX_FS_NATIVE_ENDIAN) && \
> -- 
> 2.53.0
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-18  7:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-17 21:57 [PATCH] minix: avoid overflow in bitmap block count calculation Michael Bommarito
2026-06-18  7:28 ` Jan Kara

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox