diff options
| author | Darrick J. Wong <darrick.wong@oracle.com> | 2018-09-28 23:40:40 -0400 |
|---|---|---|
| committer | Dave Chinner <david@fromorbit.com> | 2018-09-28 23:40:40 -0400 |
| commit | ae29478766f4c8e16edca6fe1e25d73c47991ebe (patch) | |
| tree | 0e37ce3de3e13f7a2f3c1e00651c25905c70fac6 /fs/xfs/xfs_iops.c | |
| parent | 5b394b2ddf0347bef56e50c69a58773c94343ff3 (diff) | |
xfs: don't crash the vfs on a garbage inline symlink
The VFS routine that calls ->get_link blindly copies whatever's returned
into the user's buffer. If we return a NULL pointer, the vfs will
crash on the null pointer. Therefore, return -EFSCORRUPTED instead of
blowing up the kernel.
[dgc: clean up with hch's suggestions]
Reported-by: wen.xu@gatech.edu
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Allison Henderson <allison.henderson@oracle.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Diffstat (limited to 'fs/xfs/xfs_iops.c')
| -rw-r--r-- | fs/xfs/xfs_iops.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c index c3e74f9128e8..f48ffd7a8d3e 100644 --- a/fs/xfs/xfs_iops.c +++ b/fs/xfs/xfs_iops.c | |||
| @@ -471,8 +471,18 @@ xfs_vn_get_link_inline( | |||
| 471 | struct inode *inode, | 471 | struct inode *inode, |
| 472 | struct delayed_call *done) | 472 | struct delayed_call *done) |
| 473 | { | 473 | { |
| 474 | char *link; | ||
| 475 | |||
| 474 | ASSERT(XFS_I(inode)->i_df.if_flags & XFS_IFINLINE); | 476 | ASSERT(XFS_I(inode)->i_df.if_flags & XFS_IFINLINE); |
| 475 | return XFS_I(inode)->i_df.if_u1.if_data; | 477 | |
| 478 | /* | ||
| 479 | * The VFS crashes on a NULL pointer, so return -EFSCORRUPTED if | ||
| 480 | * if_data is junk. | ||
| 481 | */ | ||
| 482 | link = XFS_I(inode)->i_df.if_u1.if_data; | ||
| 483 | if (!link) | ||
| 484 | return ERR_PTR(-EFSCORRUPTED); | ||
| 485 | return link; | ||
| 476 | } | 486 | } |
| 477 | 487 | ||
| 478 | STATIC int | 488 | STATIC int |