Re: [PATCH 07/10] xfs: xfs_alloc_get_rec should return EFSCORRUPTED for obvious bnobt corruption

Dave Chinner <david@xxxxxxxxxxxxx> · Tue, 5 Jun 2018 09:22:00 +1000

On Sun, Jun 03, 2018 at 09:32:21PM -0700, Darrick J. Wong wrote:
> On Mon, Jun 04, 2018 at 10:14:06AM +1000, Dave Chinner wrote:
> > On Sun, Jun 03, 2018 at 04:23:08PM -0700, Darrick J. Wong wrote:
> > > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> > > 
> > > Return -EFSCORRUPTED when the bnobt/cntbt return obviously corrupt
> > > values, rather than letting them bounce around in the internal code.
> > > 
> > > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> > > ---
> > >  fs/xfs/libxfs/xfs_alloc.c |   12 ++++++++----
> > >  1 file changed, 8 insertions(+), 4 deletions(-)
> > > 
> > > 
> > > diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
> > > index dc9dd3805d97..0214a77808d0 100644
> > > --- a/fs/xfs/libxfs/xfs_alloc.c
> > > +++ b/fs/xfs/libxfs/xfs_alloc.c
> > > @@ -231,10 +231,14 @@ xfs_alloc_get_rec(
> > >  	int			error;
> > >  
> > >  	error = xfs_btree_get_rec(cur, &rec, stat);
> > > -	if (!error && *stat == 1) {
> > > -		*bno = be32_to_cpu(rec->alloc.ar_startblock);
> > > -		*len = be32_to_cpu(rec->alloc.ar_blockcount);
> > > -	}
> > > +	if (error || !(*stat))
> > > +		return error;
> > > +	if (rec->alloc.ar_blockcount == 0)
> > > +		return -EFSCORRUPTED;
> > > +
> > > +	*bno = be32_to_cpu(rec->alloc.ar_startblock);
> > > +	*len = be32_to_cpu(rec->alloc.ar_blockcount);
> > 
> > Looks good, but makes me wonder if we should verify that
> > ar_startblock is a valid agbno, and that the extent lies wholly
> > within the AG? That can be another patch, though.
> 
> We probably ought to fix all the _get_rec functions to check that
> they're not returning obviously garbage results.

Yup, because that's exactly what the latest fuzzer images are
tripping over - zero'd and/or invalid allocbt records. I'll
make a pass at converting all the _get_rec functions to bounds check
the records they are asked to convert.

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html