From: Bae Yeonju adfs_read_map() reads the zone count from the on-disk disc record without validation: nzones = dr->nzones | dr->nzones_high << 8; When nzones is 0, the subsequent kmalloc_array(0, ...) returns ZERO_SIZE_PTR (0x10), and adfs_map_layout() writes to dm[-1], causing an out-of-bounds write before the allocated buffer. This can be triggered by mounting a crafted ADFS filesystem image with nzones set to 0 in the disc record. It leads to kernel heap corruption and a NULL pointer dereference during mount. Add a check to reject disc records with nzones == 0 before the allocation. Found by syzkaller. Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c") Cc: stable Cc: Kees Cook Cc: Bae Yeonju Cc: Russell King Cc: Al Viro Signed-off-by: Bae Yeonju Signed-off-by: Greg Kroah-Hartman --- fs/adfs/map.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/adfs/map.c b/fs/adfs/map.c index 9d535a2ca2d1..5d671e7b4663 100644 --- a/fs/adfs/map.c +++ b/fs/adfs/map.c @@ -361,6 +361,10 @@ struct adfs_discmap *adfs_read_map(struct super_block *sb, struct adfs_discrecor int ret; nzones = dr->nzones | dr->nzones_high << 8; + if (nzones == 0) { + adfs_error(sb, "invalid zone count"); + return ERR_PTR(-EINVAL); + } zone_size = (8 << dr->log2secsize) - le16_to_cpu(dr->zone_spare); asb->s_idlen = dr->idlen; -- 2.53.0
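Review bot: the new check rejects only nzones == 0, but the expression on the line above it (dr->nzones | dr->nzones_high << 8) can yield any value up to 0xFFFF from two untrusted on-disk bytes, and nothing in this hunk bounds it above. If no later check compares the zone count against the disc size or the map size, a crafted large value moves the problem from a zero-size allocation to an oversized one, so consider adding an upper bound next to this check, or stating in the commit message where that bound is enforced. Placing the check before the zone_size computation and the asb->s_idlen assignment is right: the error path leaves no partially written superblock state behind.

The pattern the commit message describes, as an added user-space model that is not the kernel's code: a two-byte zone count is assembled exactly as in adfs_read_map(), validated before allocation, and only then used to index the first and last map entries. The struct keeps only the disc-record fields the patch touches (a simplified layout, not the real on-disk record), the layout fix-ups are modelled rather than copied, and the max_zones upper bound goes beyond the patch, which rejects only zero.

```c
/*
 * Added example, not fs/adfs code: a user-space model of the zone-count
 * validation from the patch. Struct layouts are simplified assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed, simplified disc record: only the fields the patch uses. */
struct model_discrecord {
    uint8_t  log2secsize;
    uint8_t  nzones;       /* low 8 bits of the zone count */
    uint16_t zone_spare;   /* le16 on disk; modelled in host order here */
    uint8_t  nzones_high;  /* high 8 bits of the zone count */
};

/* One entry per zone, modelled on the kernel's per-zone map entry. */
struct model_discmap {
    unsigned int dm_startblk;
    unsigned int dm_startbit;
    unsigned int dm_endbit;
};

/* The same expression the patch validates: two bytes form a 16-bit count. */
unsigned int model_zone_count(const struct model_discrecord *dr)
{
    return dr->nzones | dr->nzones_high << 8;
}

/*
 * Hardened read_map: reject a zero (or oversized, an added bound) count
 * before any allocation, so a zero-size allocation followed by a write to
 * dm[nzones - 1] == dm[-1] cannot happen. Returns 0 and hands back the map,
 * or a negative errno.
 */
int model_read_map(const struct model_discrecord *dr, unsigned int max_zones,
                   struct model_discmap **out, unsigned int *out_nzones)
{
    unsigned int nzones = model_zone_count(dr);
    unsigned int zone_size;
    struct model_discmap *dm;

    if (nzones == 0 || nzones > max_zones)
        return -EINVAL;

    dm = calloc(nzones, sizeof(*dm));
    if (!dm)
        return -ENOMEM;

    zone_size = (8u << dr->log2secsize) - dr->zone_spare;
    for (unsigned int z = 0; z < nzones; z++) {
        dm[z].dm_startblk = z * zone_size;
        dm[z].dm_startbit = 0;
        dm[z].dm_endbit   = zone_size;
    }
    /* First/last-zone fix-ups (modelled): these index dm[0] and
     * dm[nzones - 1], which is why a zero count must be rejected first. */
    dm[0].dm_startbit = 32;
    dm[nzones - 1].dm_endbit = zone_size - 1;

    *out = dm;
    *out_nzones = nzones;
    return 0;
}

/* Demo: a crafted zero-count record is rejected, a sane one is accepted. */
int model_demo(void)
{
    struct model_discrecord bad = { .log2secsize = 9, .nzones = 0, .nzones_high = 0 };
    struct model_discrecord ok  = { .log2secsize = 9, .nzones = 0, .nzones_high = 1,
                                    .zone_spare = 100 };
    struct model_discmap *dm = NULL;
    unsigned int n = 0;
    int r_bad = model_read_map(&bad, 4096, &dm, &n);  /* -EINVAL, no allocation */
    int r_ok  = model_read_map(&ok, 4096, &dm, &n);   /* 0, n == 256 */

    free(dm);
    return (r_bad == -EINVAL && r_ok == 0 && n == 256) ? 0 : 1;
}
```

The check happens on the raw count, before calloc and before any derived field is computed, mirroring where the patch places it; the max_zones argument is the caller's knowledge of how many zones the device can hold and is not part of the kernel change.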