On 4/17/18 9:47 PM, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > > In the recursive verify_da_path call chain, we decide to examine the > next upper level if the current entry points past the end of the > entries. However, we don't check for a node with zero entries (which > should be impossible) so we run right off the end of the da cursor's > level array and crash. Found by fuzzing hdr.count in xfs/402. > > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> Reviewed-by: Eric Sandeen <sandeen@xxxxxxxxxx> > --- > repair/da_util.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > > diff --git a/repair/da_util.c b/repair/da_util.c > index a65652f..bca4060 100644 > --- a/repair/da_util.c > +++ b/repair/da_util.c > @@ -526,6 +526,10 @@ verify_da_path( > else > geo = mp->m_attr_geo; > > + /* No buffer at this level, tree is corrupt. */ > + if (cursor->level[this_level].bp == NULL) > + return 1; > + > /* > * index is currently set to point to the entry that > * should be processed now in this level. > @@ -535,6 +539,10 @@ verify_da_path( > btree = M_DIROPS(mp)->node_tree_p(node); > M_DIROPS(mp)->node_hdr_from_disk(&nodehdr, node); > > + /* No entries in this node? Tree is corrupt. */ > + if (nodehdr.count == 0) > + return 1; > + > /* > * if this block is out of entries, validate this > * block and move on to the next block. > > -- > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-xfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
