diff options
| author | Bob Copeland <me@bobcopeland.com> | 2008-09-06 17:51:53 -0400 |
|---|---|---|
| committer | Bob Copeland <me@bobcopeland.com> | 2010-07-10 14:37:06 -0400 |
| commit | f068272cb2f134a194b93e94a8e0672bfce48cd8 (patch) | |
| tree | c6a2a67951646eee3d040b732b384fa5c98fe78c /fs | |
| parent | 70d9e384aa7df681cfffd65947af72b22e86690e (diff) | |
omfs: check bounds on block numbers before passing to sb_bread
In case of filesystem corruption, passing unchecked block numbers into
sb_bread can result in an infinite loop in __getblk(). Introduce a wrapper
function omfs_sbread() to check the block numbers and to also perform the
clus_to_blk() scaling.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/omfs/dir.c | 22 | ||||
| -rw-r--r-- | fs/omfs/file.c | 8 | ||||
| -rw-r--r-- | fs/omfs/inode.c | 27 | ||||
| -rw-r--r-- | fs/omfs/omfs.h | 1 |
4 files changed, 29 insertions, 29 deletions
diff --git a/fs/omfs/dir.c b/fs/omfs/dir.c index b42d6241903..393f3f659da 100644 --- a/fs/omfs/dir.c +++ b/fs/omfs/dir.c | |||
| @@ -25,11 +25,10 @@ static struct buffer_head *omfs_get_bucket(struct inode *dir, | |||
| 25 | const char *name, int namelen, int *ofs) | 25 | const char *name, int namelen, int *ofs) |
| 26 | { | 26 | { |
| 27 | int nbuckets = (dir->i_size - OMFS_DIR_START)/8; | 27 | int nbuckets = (dir->i_size - OMFS_DIR_START)/8; |
| 28 | int block = clus_to_blk(OMFS_SB(dir->i_sb), dir->i_ino); | ||
| 29 | int bucket = omfs_hash(name, namelen, nbuckets); | 28 | int bucket = omfs_hash(name, namelen, nbuckets); |
| 30 | 29 | ||
| 31 | *ofs = OMFS_DIR_START + bucket * 8; | 30 | *ofs = OMFS_DIR_START + bucket * 8; |
| 32 | return sb_bread(dir->i_sb, block); | 31 | return omfs_bread(dir->i_sb, dir->i_ino); |
| 33 | } | 32 | } |
| 34 | 33 | ||
| 35 | static struct buffer_head *omfs_scan_list(struct inode *dir, u64 block, | 34 | static struct buffer_head *omfs_scan_list(struct inode *dir, u64 block, |
| @@ -42,8 +41,7 @@ static struct buffer_head *omfs_scan_list(struct inode *dir, u64 block, | |||
| 42 | *prev_block = ~0; | 41 | *prev_block = ~0; |
| 43 | 42 | ||
| 44 | while (block != ~0) { | 43 | while (block != ~0) { |
| 45 | bh = sb_bread(dir->i_sb, | 44 | bh = omfs_bread(dir->i_sb, block); |
| 46 | clus_to_blk(OMFS_SB(dir->i_sb), block)); | ||
| 47 | if (!bh) { | 45 | if (!bh) { |
| 48 | err = -EIO; | 46 | err = -EIO; |
| 49 | goto err; | 47 | goto err; |
| @@ -86,11 +84,10 @@ static struct buffer_head *omfs_find_entry(struct inode *dir, | |||
| 86 | int omfs_make_empty(struct inode *inode, struct super_block *sb) | 84 | int omfs_make_empty(struct inode *inode, struct super_block *sb) |
| 87 | { | 85 | { |
| 88 | struct omfs_sb_info *sbi = OMFS_SB(sb); | 86 | struct omfs_sb_info *sbi = OMFS_SB(sb); |
| 89 | int block = clus_to_blk(sbi, inode->i_ino); | ||
| 90 | struct buffer_head *bh; | 87 | struct buffer_head *bh; |
| 91 | struct omfs_inode *oi; | 88 | struct omfs_inode *oi; |
| 92 | 89 | ||
| 93 | bh = sb_bread(sb, block); | 90 | bh = omfs_bread(sb, inode->i_ino); |
| 94 | if (!bh) | 91 | if (!bh) |
| 95 | return -ENOMEM; | 92 | return -ENOMEM; |
| 96 | 93 | ||
| @@ -134,7 +131,7 @@ static int omfs_add_link(struct dentry *dentry, struct inode *inode) | |||
| 134 | brelse(bh); | 131 | brelse(bh); |
| 135 | 132 | ||
| 136 | /* now set the sibling and parent pointers on the new inode */ | 133 | /* now set the sibling and parent pointers on the new inode */ |
| 137 | bh = sb_bread(dir->i_sb, clus_to_blk(OMFS_SB(dir->i_sb), inode->i_ino)); | 134 | bh = omfs_bread(dir->i_sb, inode->i_ino); |
| 138 | if (!bh) | 135 | if (!bh) |
| 139 | goto out; | 136 | goto out; |
| 140 | 137 | ||
| @@ -190,8 +187,7 @@ static int omfs_delete_entry(struct dentry *dentry) | |||
| 190 | if (prev != ~0) { | 187 | if (prev != ~0) { |
| 191 | /* found in middle of list, get list ptr */ | 188 | /* found in middle of list, get list ptr */ |
| 192 | brelse(bh); | 189 | brelse(bh); |
| 193 | bh = sb_bread(dir->i_sb, | 190 | bh = omfs_bread(dir->i_sb, prev); |
| 194 | clus_to_blk(OMFS_SB(dir->i_sb), prev)); | ||
| 195 | if (!bh) | 191 | if (!bh) |
| 196 | goto out; | 192 | goto out; |
| 197 | 193 | ||
| @@ -224,8 +220,7 @@ static int omfs_dir_is_empty(struct inode *inode) | |||
| 224 | u64 *ptr; | 220 | u64 *ptr; |
| 225 | int i; | 221 | int i; |
| 226 | 222 | ||
| 227 | bh = sb_bread(inode->i_sb, clus_to_blk(OMFS_SB(inode->i_sb), | 223 | bh = omfs_bread(inode->i_sb, inode->i_ino); |
| 228 | inode->i_ino)); | ||
| 229 | 224 | ||
| 230 | if (!bh) | 225 | if (!bh) |
| 231 | return 0; | 226 | return 0; |
| @@ -353,8 +348,7 @@ static int omfs_fill_chain(struct file *filp, void *dirent, filldir_t filldir, | |||
| 353 | 348 | ||
| 354 | /* follow chain in this bucket */ | 349 | /* follow chain in this bucket */ |
| 355 | while (fsblock != ~0) { | 350 | while (fsblock != ~0) { |
| 356 | bh = sb_bread(dir->i_sb, clus_to_blk(OMFS_SB(dir->i_sb), | 351 | bh = omfs_bread(dir->i_sb, fsblock); |
| 357 | fsblock)); | ||
| 358 | if (!bh) | 352 | if (!bh) |
| 359 | goto out; | 353 | goto out; |
| 360 | 354 | ||
| @@ -466,7 +460,7 @@ static int omfs_readdir(struct file *filp, void *dirent, filldir_t filldir) | |||
| 466 | hchain = (filp->f_pos >> 20) - 1; | 460 | hchain = (filp->f_pos >> 20) - 1; |
| 467 | hindex = filp->f_pos & 0xfffff; | 461 | hindex = filp->f_pos & 0xfffff; |
| 468 | 462 | ||
| 469 | bh = sb_bread(dir->i_sb, clus_to_blk(OMFS_SB(dir->i_sb), dir->i_ino)); | 463 | bh = omfs_bread(dir->i_sb, dir->i_ino); |
| 470 | if (!bh) | 464 | if (!bh) |
| 471 | goto out; | 465 | goto out; |
| 472 | 466 | ||
diff --git a/fs/omfs/file.c b/fs/omfs/file.c index 6e7a3291bbe..76bc21b91a8 100644 --- a/fs/omfs/file.c +++ b/fs/omfs/file.c | |||
| @@ -50,7 +50,7 @@ int omfs_shrink_inode(struct inode *inode) | |||
| 50 | if (inode->i_size != 0) | 50 | if (inode->i_size != 0) |
| 51 | goto out; | 51 | goto out; |
| 52 | 52 | ||
| 53 | bh = sb_bread(inode->i_sb, clus_to_blk(sbi, next)); | 53 | bh = omfs_bread(inode->i_sb, next); |
| 54 | if (!bh) | 54 | if (!bh) |
| 55 | goto out; | 55 | goto out; |
| 56 | 56 | ||
| @@ -90,7 +90,7 @@ int omfs_shrink_inode(struct inode *inode) | |||
| 90 | if (next == ~0) | 90 | if (next == ~0) |
| 91 | break; | 91 | break; |
| 92 | 92 | ||
| 93 | bh = sb_bread(inode->i_sb, clus_to_blk(sbi, next)); | 93 | bh = omfs_bread(inode->i_sb, next); |
| 94 | if (!bh) | 94 | if (!bh) |
| 95 | goto out; | 95 | goto out; |
| 96 | oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]); | 96 | oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]); |
| @@ -232,7 +232,7 @@ static int omfs_get_block(struct inode *inode, sector_t block, | |||
| 232 | int remain; | 232 | int remain; |
| 233 | 233 | ||
| 234 | ret = -EIO; | 234 | ret = -EIO; |
| 235 | bh = sb_bread(inode->i_sb, clus_to_blk(sbi, inode->i_ino)); | 235 | bh = omfs_bread(inode->i_sb, inode->i_ino); |
| 236 | if (!bh) | 236 | if (!bh) |
| 237 | goto out; | 237 | goto out; |
| 238 | 238 | ||
| @@ -265,7 +265,7 @@ static int omfs_get_block(struct inode *inode, sector_t block, | |||
| 265 | break; | 265 | break; |
| 266 | 266 | ||
| 267 | brelse(bh); | 267 | brelse(bh); |
| 268 | bh = sb_bread(inode->i_sb, clus_to_blk(sbi, next)); | 268 | bh = omfs_bread(inode->i_sb, next); |
| 269 | if (!bh) | 269 | if (!bh) |
| 270 | goto out; | 270 | goto out; |
| 271 | oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]); | 271 | oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]); |
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c index b5d6380e03f..bd4bf753a63 100644 --- a/fs/omfs/inode.c +++ b/fs/omfs/inode.c | |||
| @@ -19,6 +19,15 @@ MODULE_AUTHOR("Bob Copeland <me@bobcopeland.com>"); | |||
| 19 | MODULE_DESCRIPTION("OMFS (ReplayTV/Karma) Filesystem for Linux"); | 19 | MODULE_DESCRIPTION("OMFS (ReplayTV/Karma) Filesystem for Linux"); |
| 20 | MODULE_LICENSE("GPL"); | 20 | MODULE_LICENSE("GPL"); |
| 21 | 21 | ||
| 22 | struct buffer_head *omfs_bread(struct super_block *sb, sector_t block) | ||
| 23 | { | ||
| 24 | struct omfs_sb_info *sbi = OMFS_SB(sb); | ||
| 25 | if (block >= sbi->s_num_blocks) | ||
| 26 | return NULL; | ||
| 27 | |||
| 28 | return sb_bread(sb, clus_to_blk(sbi, block)); | ||
| 29 | } | ||
| 30 | |||
| 22 | struct inode *omfs_new_inode(struct inode *dir, int mode) | 31 | struct inode *omfs_new_inode(struct inode *dir, int mode) |
| 23 | { | 32 | { |
| 24 | struct inode *inode; | 33 | struct inode *inode; |
| @@ -93,15 +102,13 @@ static int __omfs_write_inode(struct inode *inode, int wait) | |||
| 93 | struct omfs_inode *oi; | 102 | struct omfs_inode *oi; |
| 94 | struct omfs_sb_info *sbi = OMFS_SB(inode->i_sb); | 103 | struct omfs_sb_info *sbi = OMFS_SB(inode->i_sb); |
| 95 | struct buffer_head *bh, *bh2; | 104 | struct buffer_head *bh, *bh2; |
| 96 | unsigned int block; | ||
| 97 | u64 ctime; | 105 | u64 ctime; |
| 98 | int i; | 106 | int i; |
| 99 | int ret = -EIO; | 107 | int ret = -EIO; |
| 100 | int sync_failed = 0; | 108 | int sync_failed = 0; |
| 101 | 109 | ||
| 102 | /* get current inode since we may have written sibling ptrs etc. */ | 110 | /* get current inode since we may have written sibling ptrs etc. */ |
| 103 | block = clus_to_blk(sbi, inode->i_ino); | 111 | bh = omfs_bread(inode->i_sb, inode->i_ino); |
| 104 | bh = sb_bread(inode->i_sb, block); | ||
| 105 | if (!bh) | 112 | if (!bh) |
| 106 | goto out; | 113 | goto out; |
| 107 | 114 | ||
| @@ -140,8 +147,7 @@ static int __omfs_write_inode(struct inode *inode, int wait) | |||
| 140 | 147 | ||
| 141 | /* if mirroring writes, copy to next fsblock */ | 148 | /* if mirroring writes, copy to next fsblock */ |
| 142 | for (i = 1; i < sbi->s_mirrors; i++) { | 149 | for (i = 1; i < sbi->s_mirrors; i++) { |
| 143 | bh2 = sb_bread(inode->i_sb, block + i * | 150 | bh2 = omfs_bread(inode->i_sb, inode->i_ino + i); |
| 144 | (sbi->s_blocksize / sbi->s_sys_blocksize)); | ||
| 145 | if (!bh2) | 151 | if (!bh2) |
| 146 | goto out_brelse; | 152 | goto out_brelse; |
| 147 | 153 | ||
| @@ -193,7 +199,6 @@ struct inode *omfs_iget(struct super_block *sb, ino_t ino) | |||
| 193 | struct omfs_sb_info *sbi = OMFS_SB(sb); | 199 | struct omfs_sb_info *sbi = OMFS_SB(sb); |
| 194 | struct omfs_inode *oi; | 200 | struct omfs_inode *oi; |
| 195 | struct buffer_head *bh; | 201 | struct buffer_head *bh; |
| 196 | unsigned int block; | ||
| 197 | u64 ctime; | 202 | u64 ctime; |
| 198 | unsigned long nsecs; | 203 | unsigned long nsecs; |
| 199 | struct inode *inode; | 204 | struct inode *inode; |
| @@ -204,8 +209,7 @@ struct inode *omfs_iget(struct super_block *sb, ino_t ino) | |||
| 204 | if (!(inode->i_state & I_NEW)) | 209 | if (!(inode->i_state & I_NEW)) |
| 205 | return inode; | 210 | return inode; |
| 206 | 211 | ||
| 207 | block = clus_to_blk(sbi, ino); | 212 | bh = omfs_bread(inode->i_sb, ino); |
| 208 | bh = sb_bread(inode->i_sb, block); | ||
| 209 | if (!bh) | 213 | if (!bh) |
| 210 | goto iget_failed; | 214 | goto iget_failed; |
| 211 | 215 | ||
| @@ -319,6 +323,9 @@ static int omfs_get_imap(struct super_block *sb) | |||
| 319 | goto nomem; | 323 | goto nomem; |
| 320 | 324 | ||
| 321 | block = clus_to_blk(sbi, sbi->s_bitmap_ino); | 325 | block = clus_to_blk(sbi, sbi->s_bitmap_ino); |
| 326 | if (block >= sbi->s_num_blocks) | ||
| 327 | goto nomem; | ||
| 328 | |||
| 322 | ptr = sbi->s_imap; | 329 | ptr = sbi->s_imap; |
| 323 | for (count = bitmap_size; count > 0; count -= sb->s_blocksize) { | 330 | for (count = bitmap_size; count > 0; count -= sb->s_blocksize) { |
| 324 | bh = sb_bread(sb, block++); | 331 | bh = sb_bread(sb, block++); |
| @@ -417,7 +424,6 @@ static int omfs_fill_super(struct super_block *sb, void *data, int silent) | |||
| 417 | struct omfs_root_block *omfs_rb; | 424 | struct omfs_root_block *omfs_rb; |
| 418 | struct omfs_sb_info *sbi; | 425 | struct omfs_sb_info *sbi; |
| 419 | struct inode *root; | 426 | struct inode *root; |
| 420 | sector_t start; | ||
| 421 | int ret = -EINVAL; | 427 | int ret = -EINVAL; |
| 422 | 428 | ||
| 423 | save_mount_options(sb, (char *) data); | 429 | save_mount_options(sb, (char *) data); |
| @@ -486,8 +492,7 @@ static int omfs_fill_super(struct super_block *sb, void *data, int silent) | |||
| 486 | sbi->s_block_shift = get_bitmask_order(sbi->s_blocksize) - | 492 | sbi->s_block_shift = get_bitmask_order(sbi->s_blocksize) - |
| 487 | get_bitmask_order(sbi->s_sys_blocksize); | 493 | get_bitmask_order(sbi->s_sys_blocksize); |
| 488 | 494 | ||
| 489 | start = clus_to_blk(sbi, be64_to_cpu(omfs_sb->s_root_block)); | 495 | bh2 = omfs_bread(sb, be64_to_cpu(omfs_sb->s_root_block)); |
| 490 | bh2 = sb_bread(sb, start); | ||
| 491 | if (!bh2) | 496 | if (!bh2) |
| 492 | goto out_brelse_bh; | 497 | goto out_brelse_bh; |
| 493 | 498 | ||
diff --git a/fs/omfs/omfs.h b/fs/omfs/omfs.h index ebe2fdbe535..7d414fef501 100644 --- a/fs/omfs/omfs.h +++ b/fs/omfs/omfs.h | |||
| @@ -58,6 +58,7 @@ extern void omfs_make_empty_table(struct buffer_head *bh, int offset); | |||
| 58 | extern int omfs_shrink_inode(struct inode *inode); | 58 | extern int omfs_shrink_inode(struct inode *inode); |
| 59 | 59 | ||
| 60 | /* inode.c */ | 60 | /* inode.c */ |
| 61 | extern struct buffer_head *omfs_bread(struct super_block *sb, sector_t block); | ||
| 61 | extern struct inode *omfs_iget(struct super_block *sb, ino_t inode); | 62 | extern struct inode *omfs_iget(struct super_block *sb, ino_t inode); |
| 62 | extern struct inode *omfs_new_inode(struct inode *dir, int mode); | 63 | extern struct inode *omfs_new_inode(struct inode *dir, int mode); |
| 63 | extern int omfs_reserve_block(struct super_block *sb, sector_t block); | 64 | extern int omfs_reserve_block(struct super_block *sb, sector_t block); |