On Fri, Jul 21, 2017 at 03:01:22PM -0700, Darrick J. Wong wrote:
> When we're checking the entries in a directory buffer, make sure that
> the entry length doesn't push us off the end of the buffer. Found via
> xfs/388 writing ones to the freetag length field and xfs_repair crashing.
>
> Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> ---
> fs/xfs/libxfs/xfs_dir2_data.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/xfs/libxfs/xfs_dir2_data.c b/fs/xfs/libxfs/xfs_dir2_data.c
> index d478065..8727a43 100644
> --- a/fs/xfs/libxfs/xfs_dir2_data.c
> +++ b/fs/xfs/libxfs/xfs_dir2_data.c
> @@ -136,6 +136,8 @@ __xfs_dir3_data_check(
> */
> if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) {
> XFS_WANT_CORRUPTED_RETURN(mp, lastfree == 0);
> + XFS_WANT_CORRUPTED_RETURN(mp, endp >=
> + p + be16_to_cpu(dup->length));
FWIW, the rest of the code seems to use the dup/dep pointers for
verification and explicitly casts to char * where necessary. I don't see
that it really matters, so:
Reviewed-by: Brian Foster <bfoster@xxxxxxxxxx>
> XFS_WANT_CORRUPTED_RETURN(mp,
> be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)) ==
> (char *)dup - (char *)hdr);
> @@ -164,6 +166,8 @@ __xfs_dir3_data_check(
> XFS_WANT_CORRUPTED_RETURN(mp, dep->namelen != 0);
> XFS_WANT_CORRUPTED_RETURN(mp,
> !xfs_dir_ino_validate(mp, be64_to_cpu(dep->inumber)));
> + XFS_WANT_CORRUPTED_RETURN(mp, endp >=
> + p + ops->data_entsize(dep->namelen));
> XFS_WANT_CORRUPTED_RETURN(mp,
> be16_to_cpu(*ops->data_entry_tag_p(dep)) ==
> (char *)dep - (char *)hdr);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
