From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>

In the recursive verify_da_path call chain, we decide to examine the next upper level if the current entry points past the end of the entries. However, we don't check for a node with zero entries (which should be impossible) so we run right off the end of the da cursor's level array and crash.

Found by fuzzing hdr.count in xfs/402.

Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
---
 repair/da_util.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/repair/da_util.c b/repair/da_util.c index a65652f..bca4060 100644 --- a/repair/da_util.c +++ b/repair/da_util.c @@ -526,6 +526,10 @@ verify_da_path( else geo = mp->m_attr_geo; + /* No buffer at this level, tree is corrupt. */ + if (cursor->level[this_level].bp == NULL) + return 1; + /* * index is currently set to point to the entry that * should be processed now in this level. @@ -535,6 +539,10 @@ verify_da_path( btree = M_DIROPS(mp)->node_tree_p(node); M_DIROPS(mp)->node_hdr_from_disk(&nodehdr, node); + /* No entries in this node? Tree is corrupt. */ + if (nodehdr.count == 0) + return 1; + /* * if this block is out of entries, validate this * block and move on to the next block.
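
Review bot: In the first hunk (@@ -526), the new `cursor->level[this_level].bp == NULL` test is not covered by the commit message, which describes only the zero-entry node; please say in the message how a level can end up with no buffer and whether that is the point where the walk has already climbed past the top of the tree. The test also indexes `cursor->level[this_level]` itself, so if `this_level` can go beyond the size of the level array, the check reads out of bounds before it can return. A bound on `this_level` ahead of the NULL test would close that case.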
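
Review bot: In the second hunk (@@ -535), `if (nodehdr.count == 0) return 1;` bails out silently, so the repair output gives no hint of which node was judged corrupt; consider emitting a warning that identifies the node before returning, since the comment already states the conclusion ("Tree is corrupt"). The check rejects only a count of zero. As the value was reached by fuzzing hdr.count, it is worth confirming that an over-large count is rejected somewhere before the "out of entries" comparison that follows uses it.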