author | Theodore Ts'o <tytso@mit.edu> | 2009-02-17 10:32:40 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-02-20 14:40:28 -0800 |
commit | c04088006f3020401f1744adb0b3b93322c3b402 (patch) | |
tree | 36efd3fdd361e3b1d6958883720c7f0c4f0d8ae5 | |
parent | 81c76c1e3ab5e0de52694289a30eb963b74202a3 (diff) | |
ext4: Add sanity check to make_indexed_dir
(cherry picked from commit e6b8bc09ba2075cd91fbffefcd2778b1a00bd76f)
Make sure the rec_len field in the '..' entry is sane, lest we overrun
the directory block and cause a kernel oops on a purposefully
corrupted filesystem.
Thanks to Sami Liedes for reporting this bug.
http://bugzilla.kernel.org/show_bug.cgi?id=12430
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | fs/ext4/namei.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index dc0b16af67f1..da94b20d2818 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1372,7 +1372,7 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
 struct fake_dirent *fde;
 blocksize = dir->i_sb->s_blocksize;
- dxtrace(printk(KERN_DEBUG "Creating index\n"));
+ dxtrace(printk(KERN_DEBUG "Creating index: inode %lu\n", dir->i_ino));
 retval = ext4_journal_get_write_access(handle, bh);
 if (retval) {
 ext4_std_error(dir->i_sb, retval);
@@ -1381,6 +1381,20 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
 }
 root = (struct dx_root *) bh->b_data;
+ /* The 0th block becomes the root, move the dirents out */
+ fde = &root->dotdot;
+ de = (struct ext4_dir_entry_2 *)((char *)fde +
+ ext4_rec_len_from_disk(fde->rec_len));
+ if ((char *) de >= (((char *) root) + blocksize)) {
+ ext4_error(dir->i_sb, __func__,
+ "invalid rec_len for '..' in inode %lu",
+ dir->i_ino);
+ brelse(bh);
+ return -EIO;
+ }
+ len = ((char *) root) + blocksize - (char *) de;
+
+ /* Allocate new block for the 0th block's dirents */
 bh2 = ext4_append(handle, dir, &block, &retval);
 if (!(bh2)) {
 brelse(bh);
@@ -1389,11 +1403,6 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
 EXT4_I(dir)->i_flags |= EXT4_INDEX_FL;
 data1 = bh2->b_data;
- /* The 0th block becomes the root, move the dirents out */
- fde = &root->dotdot;
- de = (struct ext4_dir_entry_2 *)((char *)fde +
- ext4_rec_len_from_disk(fde->rec_len));
- len = ((char *) root) + blocksize - (char *) de;
 memcpy (data1, de, len);
 de = (struct ext4_dir_entry_2 *) data1;
 top = data1 + len; |
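Review bot: The bound check added in the second hunk, `if ((char *) de >= (((char *) root) + blocksize))`, only rejects a '..' rec_len that puts `de` at or past the end of the block. A rec_len that leaves `de` a few bytes short of the end, or one smaller than the '..' entry itself, still passes, so `len` can be shorter than a directory-entry header or the copy can start inside the root's own fields. The `memcpy (data1, de, len)` kept in the third hunk stays within the block, but make_indexed_dir continues outside the diff and presumably walks `data1` as dirents, which would then read fields the copy never filled. Consider also requiring room for a minimal entry, for example `if ((char *) de + EXT4_DIR_REC_LEN(1) > ((char *) root) + blocksize) {`, and a lower bound on rec_len so `de` cannot point back into the '..' entry.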