omfs: fix oops when file metadata is corrupted
A fuzzed fileystem image failed with OMFS when the extent count was used in a loop without being checked against the max number of extents. It also provoked a signed division for an array index that was checked as if unsigned, leading to index by -1. omfsck will be updated to fix these cases, in the meantime bail out gracefully. Reported-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Bob Copeland <me@bobcopeland.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
c963343a11
commit
9419fc1c95
2 changed files with 29 additions and 9 deletions
|
@ -92,7 +92,7 @@ int omfs_allocate_block(struct super_block *sb, u64 block)
|
||||||
struct buffer_head *bh;
|
struct buffer_head *bh;
|
||||||
struct omfs_sb_info *sbi = OMFS_SB(sb);
|
struct omfs_sb_info *sbi = OMFS_SB(sb);
|
||||||
int bits_per_entry = 8 * sb->s_blocksize;
|
int bits_per_entry = 8 * sb->s_blocksize;
|
||||||
int map, bit;
|
unsigned int map, bit;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
u64 tmp;
|
u64 tmp;
|
||||||
|
|
||||||
|
@ -176,7 +176,8 @@ int omfs_clear_range(struct super_block *sb, u64 block, int count)
|
||||||
struct omfs_sb_info *sbi = OMFS_SB(sb);
|
struct omfs_sb_info *sbi = OMFS_SB(sb);
|
||||||
int bits_per_entry = 8 * sb->s_blocksize;
|
int bits_per_entry = 8 * sb->s_blocksize;
|
||||||
u64 tmp;
|
u64 tmp;
|
||||||
int map, bit, ret;
|
unsigned int map, bit;
|
||||||
|
int ret;
|
||||||
|
|
||||||
tmp = block;
|
tmp = block;
|
||||||
bit = do_div(tmp, bits_per_entry);
|
bit = do_div(tmp, bits_per_entry);
|
||||||
|
|
|
@ -26,6 +26,13 @@ static int omfs_sync_file(struct file *file, struct dentry *dentry,
|
||||||
return err ? -EIO : 0;
|
return err ? -EIO : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static u32 omfs_max_extents(struct omfs_sb_info *sbi, int offset)
|
||||||
|
{
|
||||||
|
return (sbi->s_sys_blocksize - offset -
|
||||||
|
sizeof(struct omfs_extent)) /
|
||||||
|
sizeof(struct omfs_extent_entry) + 1;
|
||||||
|
}
|
||||||
|
|
||||||
void omfs_make_empty_table(struct buffer_head *bh, int offset)
|
void omfs_make_empty_table(struct buffer_head *bh, int offset)
|
||||||
{
|
{
|
||||||
struct omfs_extent *oe = (struct omfs_extent *) &bh->b_data[offset];
|
struct omfs_extent *oe = (struct omfs_extent *) &bh->b_data[offset];
|
||||||
|
@ -45,6 +52,7 @@ int omfs_shrink_inode(struct inode *inode)
|
||||||
struct buffer_head *bh;
|
struct buffer_head *bh;
|
||||||
u64 next, last;
|
u64 next, last;
|
||||||
u32 extent_count;
|
u32 extent_count;
|
||||||
|
u32 max_extents;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
/* traverse extent table, freeing each entry that is greater
|
/* traverse extent table, freeing each entry that is greater
|
||||||
|
@ -62,15 +70,18 @@ int omfs_shrink_inode(struct inode *inode)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
|
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
|
||||||
|
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_START);
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
|
|
||||||
if (omfs_is_bad(sbi, (struct omfs_header *) bh->b_data, next)) {
|
if (omfs_is_bad(sbi, (struct omfs_header *) bh->b_data, next))
|
||||||
brelse(bh);
|
goto out_brelse;
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
extent_count = be32_to_cpu(oe->e_extent_count);
|
extent_count = be32_to_cpu(oe->e_extent_count);
|
||||||
|
|
||||||
|
if (extent_count > max_extents)
|
||||||
|
goto out_brelse;
|
||||||
|
|
||||||
last = next;
|
last = next;
|
||||||
next = be64_to_cpu(oe->e_next);
|
next = be64_to_cpu(oe->e_next);
|
||||||
entry = &oe->e_entry;
|
entry = &oe->e_entry;
|
||||||
|
@ -98,10 +109,14 @@ int omfs_shrink_inode(struct inode *inode)
|
||||||
if (!bh)
|
if (!bh)
|
||||||
goto out;
|
goto out;
|
||||||
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
|
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
|
||||||
|
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_CONT);
|
||||||
}
|
}
|
||||||
ret = 0;
|
ret = 0;
|
||||||
out:
|
out:
|
||||||
return ret;
|
return ret;
|
||||||
|
out_brelse:
|
||||||
|
brelse(bh);
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void omfs_truncate(struct inode *inode)
|
static void omfs_truncate(struct inode *inode)
|
||||||
|
@ -154,9 +169,7 @@ static int omfs_grow_extent(struct inode *inode, struct omfs_extent *oe,
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
max_count = (sbi->s_sys_blocksize - OMFS_EXTENT_START -
|
max_count = omfs_max_extents(sbi, OMFS_EXTENT_START);
|
||||||
sizeof(struct omfs_extent)) /
|
|
||||||
sizeof(struct omfs_extent_entry) + 1;
|
|
||||||
|
|
||||||
/* TODO: add a continuation block here */
|
/* TODO: add a continuation block here */
|
||||||
if (be32_to_cpu(oe->e_extent_count) > max_count-1)
|
if (be32_to_cpu(oe->e_extent_count) > max_count-1)
|
||||||
|
@ -225,6 +238,7 @@ static int omfs_get_block(struct inode *inode, sector_t block,
|
||||||
sector_t next, offset;
|
sector_t next, offset;
|
||||||
int ret;
|
int ret;
|
||||||
u64 new_block;
|
u64 new_block;
|
||||||
|
u32 max_extents;
|
||||||
int extent_count;
|
int extent_count;
|
||||||
struct omfs_extent *oe;
|
struct omfs_extent *oe;
|
||||||
struct omfs_extent_entry *entry;
|
struct omfs_extent_entry *entry;
|
||||||
|
@ -238,6 +252,7 @@ static int omfs_get_block(struct inode *inode, sector_t block,
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
|
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
|
||||||
|
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_START);
|
||||||
next = inode->i_ino;
|
next = inode->i_ino;
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
|
@ -249,6 +264,9 @@ static int omfs_get_block(struct inode *inode, sector_t block,
|
||||||
next = be64_to_cpu(oe->e_next);
|
next = be64_to_cpu(oe->e_next);
|
||||||
entry = &oe->e_entry;
|
entry = &oe->e_entry;
|
||||||
|
|
||||||
|
if (extent_count > max_extents)
|
||||||
|
goto out_brelse;
|
||||||
|
|
||||||
offset = find_block(inode, entry, block, extent_count, &remain);
|
offset = find_block(inode, entry, block, extent_count, &remain);
|
||||||
if (offset > 0) {
|
if (offset > 0) {
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
@ -266,6 +284,7 @@ static int omfs_get_block(struct inode *inode, sector_t block,
|
||||||
if (!bh)
|
if (!bh)
|
||||||
goto out;
|
goto out;
|
||||||
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
|
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
|
||||||
|
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_CONT);
|
||||||
}
|
}
|
||||||
if (create) {
|
if (create) {
|
||||||
ret = omfs_grow_extent(inode, oe, &new_block);
|
ret = omfs_grow_extent(inode, oe, &new_block);
|
||||||
|
|
Loading…
Reference in a new issue