xfs: validate transaction header length on log recovery

When log recovery hits a new transaction, it copies the transaction
header from the expected location in the log to the in-core structure
using the length from the op record header. This length is validated to
ensure it doesn't exceed the length of the record, but not against the
expected size of a transaction header (and thus the size of the in-core
structure). If the on-disk length is corrupted, the associated memcpy()
can overflow, write to unrelated memory and lead to crashes. This has
been reproduced via filesystem fuzzing.

The code currently handles the possibility that the transaction header
is split across two op records. Neither instance accounts for corruption
where the op record length might be larger than the in-core transaction
header. Update both sites to detect such corruption, warn and return an
error from log recovery. Also add some comments and assert that if the
record is split, the copy of the second portion is less than a full
header. Otherwise, this suggests the copy of the second portion could
have overwritten bits from the first and thus that something could be
wrong.

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>

1 files changed, 25 insertions, 3 deletions

diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 01dd228ca05e..493a8ef146fc 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -3380,14 +3380,24 @@ xlog_recover_add_to_cont_trans(
         char                    *ptr, *old_ptr;
         int                     old_len;
 
+        /*
+         * If the transaction is empty, the header was split across this and the
+         * previous record. Copy the rest of the header.
+         */
         if (list_empty(&trans->r_itemq)) {
-                /* finish copying rest of trans header */
+                ASSERT(len < sizeof(struct xfs_trans_header));
+                if (len > sizeof(struct xfs_trans_header)) {
+                        xfs_warn(log->l_mp, "%s: bad header length", __func__);
+                        return -EIO;
+                }
+
                 xlog_recover_add_item(&trans->r_itemq);
                 ptr = (char *)&trans->r_theader +
-                                sizeof(xfs_trans_header_t) - len;
+                                sizeof(struct xfs_trans_header) - len;
                 memcpy(ptr, dp, len);
                 return 0;
         }
+
         /* take the tail entry */
         item = list_entry(trans->r_itemq.prev, xlog_recover_item_t, ri_list);
 
@@ -3436,7 +3446,19 @@ xlog_recover_add_to_trans(
                         ASSERT(0);
                         return -EIO;
                 }
-                if (len == sizeof(xfs_trans_header_t))
+
+                if (len > sizeof(struct xfs_trans_header)) {
+                        xfs_warn(log->l_mp, "%s: bad header length", __func__);
+                        ASSERT(0);
+                        return -EIO;
+                }
+
+                /*
+                 * The transaction header can be arbitrarily split across op
+                 * records. If we don't have the whole thing here, copy what we
+                 * do have and handle the rest in the next record.
+                 */
+                if (len == sizeof(struct xfs_trans_header))
                         xlog_recover_add_item(&trans->r_itemq);
                 memcpy(&trans->r_theader, dp, len);
                 return 0;