[T SRU][PATCH] f2fs: sanity check segment count

Shrirang Bagul shrirang.bagul at canonical.com
Mon Oct 2 14:29:30 UTC 2017


From: Jin Qian <jinqian at google.com>

F2FS uses 4 bytes to represent a block address. As a result, the supported
disk size is 16 TB, which equals 16 * 1024 * 1024 / 2 segments.

Signed-off-by: Jin Qian <jinqian at google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk at kernel.org>

This fixes CVE-2017-10662

(backported from commit b9dd46188edc2f0d1f37328637860bb65a771124)
Signed-off-by: Shrirang Bagul <shrirang.bagul at canonical.com>
---
 fs/f2fs/super.c         | 8 ++++++++
 include/linux/f2fs_fs.h | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index bafff72de8e8..c878a4f40f64 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -716,6 +716,14 @@ static int sanity_check_raw_super(struct super_block *sb,
 		f2fs_msg(sb, KERN_INFO, "Invalid log sectors per block");
 		return 1;
 	}
+
+	if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) {
+		f2fs_msg(sb, KERN_INFO,
+			"Invalid segment count (%u)",
+			le32_to_cpu(raw_super->segment_count));
+		return 1;
+	}
+
 	return 0;
 }
 
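Review bot: The added check in sanity_check_raw_super() bounds segment_count only from above, so a superblock whose segment_count is 0, or one that disagrees with block_count or the per-area segment counts, still passes this test. The superblock is read from the on-disk image and the patch is tagged CVE-2017-10662, so it is worth confirming that the earlier part of the function (which starts outside this hunk) or a later mount step validates those relationships. As a smaller point, `le32_to_cpu(raw_super->segment_count)` is evaluated twice; reading it once with `u32 segment_count = le32_to_cpu(raw_super->segment_count);` and using the local in both the comparison and the message would be cleaner.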
diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
index bb942f6d5702..4c917ad84d71 100644
--- a/include/linux/f2fs_fs.h
+++ b/include/linux/f2fs_fs.h
@@ -245,6 +245,12 @@ struct f2fs_nat_block {
 #define SIT_ENTRY_PER_BLOCK (PAGE_CACHE_SIZE / sizeof(struct f2fs_sit_entry))
 
 /*
+ * F2FS uses 4 bytes to represent block address. As a result, supported size of
+ * disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.
+ */
+#define F2FS_MAX_SEGMENT       ((16 * 1024 * 1024) / 2)
+
+/*
  * Note that f2fs_sit_entry->vblocks has the following bit-field information.
  * [15:10] : allocation type such as CURSEG_XXXX_TYPE
  * [9:0] : valid block count
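Review bot: The comment above F2FS_MAX_SEGMENT does not state the units of the arithmetic, so a reader has to infer that 16 * 1024 * 1024 is 16 TB expressed in MB and that the divisor 2 is a 2 MB segment size. I would add a line such as `16 TB / 2 MB per segment; assumes 4 KB blocks and 512 blocks per segment` to the comment. The bound is only meaningful if the block size and blocks-per-segment fields are themselves validated against those fixed values, and that validation is not visible in this hunk.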
-- 
2.11.0




