Hello!

On Tue 20-07-21 13:01:25, Shreyansh Chouhan wrote:
> Just a ping for reviews/merge since there has been no activity on this patch.

The patch is already in my tree and included in linux-next. I wanted to send it to Linus before going on vacation but somehow that slipped through. I'll send it to Linus this week with other fixes I have accumulated. I'm sorry for the delay.

Honza

> On Fri, Jul 09, 2021 at 08:59:29PM +0530, Shreyansh Chouhan wrote:
> >
> > While verifying the leaf item that we read from the disk, reiserfs
> > doesn't check the directory items; this could cause a crash when we
> > read a directory item from the disk that has an invalid deh_location.
> >
> > This patch adds a check to the directory items read from the disk that
> > does a bounds check on deh_location for the directory entries. Any
> > directory entry header with a directory entry offset greater than the
> > item length is considered invalid.
> >
> > Reported-by: syzbot+c31a48e6702ccb3d64c9@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@xxxxxxxxx>
> > ---
> >  fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
> >  1 file changed, 26 insertions(+), 5 deletions(-)
> >
> > diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
> > index 476a7ff49482..ef42729216d1 100644
> > --- a/fs/reiserfs/stree.c
> > +++ b/fs/reiserfs/stree.c
> > @@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path) > > search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET; > > } > > > > +static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih) > > +{ > > + struct reiserfs_de_head *deh; > > + int i; > > + > > + deh = B_I_DEH(bh, ih); > > + for (i = 0; i < ih_entry_count(ih); i++) { > > + if (deh_location(&deh[i]) > ih_item_len(ih)) { > > + reiserfs_warning(NULL, "reiserfs-5094", > > + "directory entry location seems wrong %h", > > + &deh[i]); > > + return 0; > > + } > > + } > > + > > + return 1; > > +} > > + > > static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) > > { > > struct block_head *blkh; > > @@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) > > "(second one): %h", ih); > > return 0; > > } > > - if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { > > - reiserfs_warning(NULL, "reiserfs-5093", > > - "item entry count seems wrong %h", > > - ih); > > - return 0; > > + if (is_direntry_le_ih(ih)) { > > + if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) { > > + reiserfs_warning(NULL, "reiserfs-5093", > > + "item entry count seems wrong %h", > > + ih); > > + return 0; > > + } > > + return has_valid_deh_location(bh, ih); > > } > > prev_location = ih_location(ih); > > } > > -- > > 2.31.1 > > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
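Review bot: the bound in has_valid_deh_location (first hunk) is loose at both ends: `deh_location(&deh[i]) > ih_item_len(ih)` still accepts a location equal to ih_item_len(ih), which points one byte past the end of the item, and it accepts any location that lands inside the reiserfs_de_head array itself (below ih_entry_count(ih) * sizeof(struct reiserfs_de_head)), so an entry whose name "starts" inside another entry's header passes the check. Consider rejecting both, e.g. `if (deh_location(&deh[i]) >= ih_item_len(ih) || deh_location(&deh[i]) < ih_entry_count(ih) * sizeof(struct reiserfs_de_head))`. Hoisting ih_entry_count(ih) and ih_item_len(ih) out of the loop into locals would also make the intended bounds easier to read.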
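Review bot: `return has_valid_deh_location(bh, ih);` in the second hunk exits is_leaf as soon as the first directory item validates, so every later item in the leaf is skipped and prev_location is never updated for the directory item, which defeats the rest of the loop's checks. Only the failure case should return early: `if (!has_valid_deh_location(bh, ih)) return 0;` and let control fall through to `prev_location = ih_location(ih);` as before.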