author | Theodore Ts'o <tytso@mit.edu> | 2009-01-16 11:13:47 -0500 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2009-01-16 11:13:47 -0500 |
commit | a21102b55c4f8dfd3adb4a15a34cd62237b46039 (patch) | |
tree | 270f663b46460ee6055073fe862b4ec68ee47bbd | |
parent | e6b8bc09ba2075cd91fbffefcd2778b1a00bd76f (diff) |
ext3: Add sanity check to make_indexed_dir
Make sure the rec_len field in the '..' entry is sane, lest we overrun
the directory block and cause a kernel oops on a purposefully
corrupted filesystem.
This fixes a bug related to a bug originally reported by Sami Liedes
for ext4 at:
http://bugzilla.kernel.org/show_bug.cgi?id=12430
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@kernel.org
-rw-r--r-- | fs/ext3/namei.c | 20 |
1 files changed, 14 insertions, 6 deletions
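--- a/fs/ext3/namei.c
+++ b/fs/ext3/namei.c
@@ -1358,7 +1358,7 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
 struct fake_dirent *fde;
 
 blocksize = dir->i_sb->s_blocksize;
-dxtrace(printk("Creating index\n"));
+dxtrace(printk(KERN_DEBUG "Creating index: inode %lu\n", dir->i_ino));
 retval = ext3_journal_get_write_access(handle, bh);
 if (retval) {
 ext3_std_error(dir->i_sb, retval);
@@ -1367,6 +1367,19 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
 }
 root = (struct dx_root *) bh->b_data;
 
+/* The 0th block becomes the root, move the dirents out */
+fde = &root->dotdot;
+de = (struct ext3_dir_entry_2 *)((char *)fde +
+ext3_rec_len_from_disk(fde->rec_len));
+if ((char *) de >= (((char *) root) + blocksize)) {
+ext3_error(dir->i_sb, __func__,
+"invalid rec_len for '..' in inode %lu",
+dir->i_ino);
+brelse(bh);
+return -EIO;
+}
+len = ((char *) root) + blocksize - (char *) de;
+
 bh2 = ext3_append (handle, dir, &block, &retval);
 if (!(bh2)) {
 brelse(bh);
@@ -1375,11 +1388,6 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
 EXT3_I(dir)->i_flags |= EXT3_INDEX_FL;
 data1 = bh2->b_data;
 
-/* The 0th block becomes the root, move the dirents out */
-fde = &root->dotdot;
-de = (struct ext3_dir_entry_2 *)((char *)fde +
-ext3_rec_len_from_disk(fde->rec_len));
-len = ((char *) root) + blocksize - (char *) de;
 memcpy (data1, de, len);
 de = (struct ext3_dir_entry_2 *) data1;
 top = data1 + len;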
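Review bot: The sanity check added in the second hunk bounds `de` only from above, so a '..' `rec_len` smaller than the entry's own footprint, or one that leaves fewer bytes than a dirent header before the end of the block, still passes, and `memcpy (data1, de, len)` then copies bytes that do not start at a valid first entry. I would reject the low side as well, for example `if (ext3_rec_len_from_disk(fde->rec_len) < EXT3_DIR_REC_LEN(2) || (char *) de >= (((char *) root) + blocksize)) {`, and consider requiring at least `EXT3_DIR_REC_LEN(1)` bytes between `de` and the block end. The entries copied into `data1` are consumed by code after the third hunk that is not visible here; if that code trusts each copied `rec_len`, it probably needs per-entry validation too, since the block content is attacker-controlled on a crafted image. make_indexed_dir begins and ends outside these hunks.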