Hi, Just a ping for reviews/merge since there has been no activity on this patch. Thank you, Shreyansh Chouhan On Fri, Jul 09, 2021 at 08:59:29PM +0530, Shreyansh Chouhan wrote:
>
> While verifying the leaf item that we read from the disk, reiserfs
> doesn't check the directory items, this could cause a crash when we
> read a directory item from the disk that has an invalid deh_location.
>
> This patch adds a check to the directory items read from the disk that
> does a bounds check on deh_location for the directory entries. Any
> directory entry header with a directory entry offset greater than the
> item length is considered invalid.
>
> Reported-by: syzbot+c31a48e6702ccb3d64c9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@xxxxxxxxx>
> ---
> fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
> 1 file changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
> index 476a7ff49482..ef42729216d1 100644
> --- a/fs/reiserfs/stree.c
> +++ b/fs/reiserfs/stree.c
> @@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
> search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
> }
>
> +static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
> +{
> + struct reiserfs_de_head *deh;
> + int i;
> +
> + deh = B_I_DEH(bh, ih);
> + for (i = 0; i < ih_entry_count(ih); i++) {
> + if (deh_location(&deh[i]) > ih_item_len(ih)) {
> + reiserfs_warning(NULL, "reiserfs-5094",
> + "directory entry location seems wrong %h",
> + &deh[i]);
> + return 0;
> + }
> + }
> +
> + return 1;
> +}
> +
> static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> {
> struct block_head *blkh;
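Review bot: has_valid_deh_location only rejects a deh_location above ih_item_len(ih); it does not reject a location that lands inside the entry-header array itself, nor one that is larger than the previous entry's location, and since reiserfs derives an entry's length from the difference between neighbouring deh_location values (ih_item_len for entry 0, as far as I recall the helper in reiserfs.h), either case still produces a negative or header-overlapping entry length downstream of this check. Tightening the condition to `if (deh_location(&deh[i]) > ih_item_len(ih) || deh_location(&deh[i]) < ih_entry_count(ih) * DEH_SIZE || (i > 0 && deh_location(&deh[i]) > deh_location(&deh[i - 1])))` covers all three cases, assuming DEH_SIZE is the entry-header size the rest of the file uses. A short comment above the helper, such as `/* Reject directory items whose entry headers point outside, or overlap, the item body. */`, would also make the purpose of the new reiserfs-5094 warning clear to the next reader.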
> @@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> "(second one): %h", ih);
> return 0;
> }
> - if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
> - reiserfs_warning(NULL, "reiserfs-5093",
> - "item entry count seems wrong %h",
> - ih);
> - return 0;
> + if (is_direntry_le_ih(ih)) {
> + if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
> + reiserfs_warning(NULL, "reiserfs-5093",
> + "item entry count seems wrong %h",
> + ih);
> + return 0;
> + }
> + return has_valid_deh_location(bh, ih);
> }
> prev_location = ih_location(ih);
> }
> --
> 2.31.1
>
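Review bot: `return has_valid_deh_location(bh, ih);` returns from is_leaf as soon as the first directory item passes its own check, so every item after it in the leaf, including the `prev_location` ordering update on the next line, is no longer validated; a corrupt leaf whose first direntry happens to be well-formed is accepted as a whole. The helper's result should only be allowed to fail the leaf, i.e. `if (!has_valid_deh_location(bh, ih))` / `return 0;`, letting the loop proceed to `prev_location = ih_location(ih);` and the remaining items. The loop header and the rest of is_leaf lie outside this hunk, so the early-exit reading is inferred from the prev_location update and the closing brace that are shown.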