[PATCH] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
From: Hyungjung Joo
Date: Tue Mar 17 2026 - 01:48:43 EST
From: HyungJung Joo <jhj140711@xxxxxxxxx>
omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).
Later, omfs_make_empty() uses
sbi->s_sys_blocksize - OMFS_DIR_START
as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.
Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.
Signed-off-by: Hyungjung Joo <jhj140711@xxxxxxxxx>
---
fs/omfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 90ae07c69349..834cae1e6223 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -513,6 +513,12 @@ static int omfs_fill_super(struct super_block *sb, struct fs_context *fc)
goto out_brelse_bh;
}
+ if (sbi->s_sys_blocksize < OMFS_DIR_START) {
+ printk(KERN_ERR "omfs: sysblock size (%d) is too small\n",
+ sbi->s_sys_blocksize);
+ goto out_brelse_bh;
+ }
+
if (sbi->s_blocksize < sbi->s_sys_blocksize ||
sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) {
printk(KERN_ERR "omfs: block size (%d) is out of range\n",
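Review bot: the new bound check is the right fix and lands in the right place (immediately after the existing upper-bound check, before s_blocksize is validated against s_sys_blocksize), but the error message formats a u32 with `%d`; `%u` matches the type of `sbi->s_sys_blocksize`, e.g. `printk(KERN_ERR "omfs: sysblock size (%u) is too small\n", sbi->s_sys_blocksize);`. The neighbouring "block size (%d) is out of range" message has the same mismatch, so either fix both in this patch or keep `%d` for consistency and note it. Since the commit message describes a crafted image driving a ~4 GiB memset() over kernel memory, this also merits a `Fixes:` tag pointing at the commit that introduced the `s_sys_blocksize - OMFS_DIR_START` memset() length in omfs_make_empty() and a `Cc: stable@vger.kernel.org` line so the check is backported.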
--
2.34.1