From: Eric Sandeen <sandeen@redhat.com> Date: Thu, 18 Feb 2010 18:24:53 -0500 Subject: [fs] ext4: avoid divide by 0 when mounting corrupted fs Message-id: <4B7D85F5.9030008@redhat.com> Patchwork-id: 23349 O-Subject: [PATCH RHEL5] ext4: avoid divide by zero when trying to mount a corrupted file system Bugzilla: 547253 RH-Acked-by: Josef Bacik <josef@redhat.com> RH-Acked-by: Jarod Wilson <jarod@redhat.com> RH-Acked-by: Anton Arapov <Anton@redhat.com> This is for bug 547253 / CVE-2009-4307 kernel: ext4: avoid divide by zero when trying to mount a corrupted file system Upstream patch follows. Thanks, -Eric commit 503358ae01b70ce6909d19dd01287093f6b6271c Author: Theodore Ts'o <tytso@mit.edu> Date: Mon Nov 23 07:24:46 2009 -0500 ext4: avoid divide by zero when trying to mount a corrupted file system If s_log_groups_per_flex is greater than 31, then groups_per_flex will will overflow and cause a divide by zero error. This can cause kernel BUG if such a file system is mounted. Thanks to Nageswara R Sastry for analyzing the failure and providing an initial patch. http://bugzilla.kernel.org/show_bug.cgi?id=14287 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Cc: stable@kernel.org diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 939244e..0c7c35c 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1685,14 +1685,14 @@ static int ext4_fill_flex_info(struct super_block *sb) size_t size; int i; - if (!sbi->s_es->s_log_groups_per_flex) { + sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; + groups_per_flex = 1 << sbi->s_log_groups_per_flex; + + if (groups_per_flex < 2) { sbi->s_log_groups_per_flex = 0; return 1; } - sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; - groups_per_flex = 1 << sbi->s_log_groups_per_flex; - /* We allocate both existing and potentially added groups */ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) + ((le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) + 1) <<