On Mon, Jul 26, 2021 at 10:20:50AM +0200, Jan Kara wrote:
> Hello!
>
> On Tue 20-07-21 13:01:25, Shreyansh Chouhan wrote:
> > Just a ping for reviews/merge since there has been no activity on this patch.
>
> The patch is already in my tree and included in linux-next. I wanted to
> send it to Linus before going on vacation but somehow that slipped through.
> I'll send it to Linus this week with other fixes I have accumulated. I'm
> sorry for the delay.
>
No worries, also thanks a lot for the merge!
Regards,
Shreyansh Chouhan
> Honza
>
> > On Fri, Jul 09, 2021 at 08:59:29PM +0530, Shreyansh Chouhan wrote:
> > >
> > > While verifying the leaf item that we read from the disk, reiserfs
> > > doesn't check the directory items, this could cause a crash when we
> > > read a directory item from the disk that has an invalid deh_location.
> > >
> > > This patch adds a check to the directory items read from the disk that
> > > does a bounds check on deh_location for the directory entries. Any
> > > directory entry header with a directory entry offset greater than the
> > > item length is considered invalid.
> > >
> > > Reported-by: syzbot+c31a48e6702ccb3d64c9@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@xxxxxxxxx>
> > > ---
> > > fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
> > > 1 file changed, 26 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
> > > index 476a7ff49482..ef42729216d1 100644
> > > --- a/fs/reiserfs/stree.c
> > > +++ b/fs/reiserfs/stree.c
> > > @@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
> > > search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
> > > }
> > >
> > > +static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
> > > +{
> > > + struct reiserfs_de_head *deh;
> > > + int i;
> > > +
> > > + deh = B_I_DEH(bh, ih);
> > > + for (i = 0; i < ih_entry_count(ih); i++) {
> > > + if (deh_location(&deh[i]) > ih_item_len(ih)) {
> > > + reiserfs_warning(NULL, "reiserfs-5094",
> > > + "directory entry location seems wrong %h",
> > > + &deh[i]);
> > > + return 0;
> > > + }
> > > + }
> > > +
> > > + return 1;
> > > +}
> > > +
> > > static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> > > {
> > > struct block_head *blkh;
> > > @@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
> > > "(second one): %h", ih);
> > > return 0;
> > > }
> > > - if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
> > > - reiserfs_warning(NULL, "reiserfs-5093",
> > > - "item entry count seems wrong %h",
> > > - ih);
> > > - return 0;
> > > + if (is_direntry_le_ih(ih)) {
> > > + if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
> > > + reiserfs_warning(NULL, "reiserfs-5093",
> > > + "item entry count seems wrong %h",
> > > + ih);
> > > + return 0;
> > > + }
> > > + return has_valid_deh_location(bh, ih);
> > > }
> > > prev_location = ih_location(ih);
> > > }
> > > --
> > > 2.31.1
> > >
> --
> Jan Kara <jack@xxxxxxxx>
> SUSE Labs, CR
