Hi Jiri, Jiri Slaby <jslaby@xxxxxxx> writes: > From: Dave Chinner <dchinner@xxxxxxxxxx> > > commit 10616b806d1d7835b1d23b8d75ef638f92cb98b6 upstream. We had this patch applied in two of the Ubuntu kernels (based on 3.2 and 3.5) but we decided to revert it due to bug report: http://bugs.launchpad.net/bugs/1236041 Comment #5 in this bug report refers to another one in sles11 (https://bugzilla.novell.com/show_bug.cgi?id=807471#25) that seems to confirm this patch isn't correct. Cheers, -- Luis > > When _xfs_buf_find is passed an out of range address, it will fail > to find a relevant struct xfs_perag and oops with a null > dereference. This can happen when trying to walk a filesystem with a > metadata inode that has a partially corrupted extent map (i.e. the > block number returned is corrupt, but is otherwise intact) and we > try to read from the corrupted block address. > > In this case, just fail the lookup. If it is readahead being issued, > it will simply not be done, but if it is real read that fails we > will get an error being reported. Ideally this case should result > in an EFSCORRUPTED error being reported, but we cannot return an > error through xfs_buf_read() or xfs_buf_get() so this lookup failure > may result in ENOMEM or EIO errors being reported instead. > > -js: This is a fix for CVE-2013-1819. > > Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx> > Reviewed-by: Brian Foster <bfoster@xxxxxxxxxx> > Reviewed-by: Ben Myers <bpm@xxxxxxx> > Signed-off-by: Ben Myers <bpm@xxxxxxx> > Acked-by: Jeff Mahoney <jeffm@xxxxxxxx> > Signed-off-by: Jiri Slaby <jslaby@xxxxxxx> > --- > fs/xfs/linux-2.6/xfs_buf.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/fs/xfs/linux-2.6/xfs_buf.c b/fs/xfs/linux-2.6/xfs_buf.c > index 5e68099..814de4a 100644 > --- a/fs/xfs/linux-2.6/xfs_buf.c > +++ b/fs/xfs/linux-2.6/xfs_buf.c > @@ -435,6 +435,7 @@ _xfs_buf_find( > struct rb_node **rbp; > struct rb_node *parent; > xfs_buf_t *bp; > + xfs_daddr_t eofs; > > range_base = (ioff << BBSHIFT); > range_length = (isize << BBSHIFT); > @@ -443,6 +444,23 @@ _xfs_buf_find( > ASSERT(!(range_length < (1 << btp->bt_sshift))); > ASSERT(!(range_base & (xfs_off_t)btp->bt_smask)); > > + /* > + * Corrupted block numbers can get through to here, unfortunately, so we > + * have to check that the buffer falls within the filesystem bounds. > + */ > + eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks); > + if (ioff >= eofs) { > + /* > + * XXX (dgc): we should really be returning EFSCORRUPTED here, > + * but none of the higher level infrastructure supports > + * returning a specific error on buffer lookup failures. > + */ > + xfs_alert(btp->bt_mount, > + "%s: Block out of range: block 0x%llx, EOFS 0x%llx ", > + __func__, ioff, eofs); > + return NULL; > + } > + > /* get tree root */ > pag = xfs_perag_get(btp->bt_mount, > xfs_daddr_to_agno(btp->bt_mount, ioff)); -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html