diff options
| author | Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> | 2014-04-03 17:50:31 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-04-03 19:21:26 -0400 |
| commit | 0ec060d1881a24c270fdf0d6616e33e23a209ef2 (patch) | |
| tree | a4c2d5ca63ffabde64759d2c238773d7114e34b7 | |
| parent | f9f32c44e7016c61f8c60afbe461fbc7d5a6c7cc (diff) | |
nilfs2: verify metadata sizes read from disk
Add code to check sizes of on-disk data of metadata files such as inode
size, segment usage size, DAT entry size, and checkpoint size. Although
these sizes are read from disk, the current implementation doesn't check
them.
If these sizes are not sane on disk, it can cause out-of-range access to
metadata or memory access overrun on metadata block buffers due to
overflow in sundry calculations.
Both lower limit and upper limit of metadata sizes are verified to
prevent these issues.
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Andreas Rohner <andreas.rohner@gmx.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/nilfs2/cpfile.c | 12 | ||||
| -rw-r--r-- | fs/nilfs2/dat.c | 12 | ||||
| -rw-r--r-- | fs/nilfs2/sufile.c | 12 | ||||
| -rw-r--r-- | fs/nilfs2/the_nilfs.c | 10 | ||||
| -rw-r--r-- | include/linux/nilfs2_fs.h | 8 |
5 files changed, 54 insertions, 0 deletions
diff --git a/fs/nilfs2/cpfile.c b/fs/nilfs2/cpfile.c index deaa3d33a0aa..0d58075f34e2 100644 --- a/fs/nilfs2/cpfile.c +++ b/fs/nilfs2/cpfile.c | |||
| @@ -942,6 +942,18 @@ int nilfs_cpfile_read(struct super_block *sb, size_t cpsize, | |||
| 942 | struct inode *cpfile; | 942 | struct inode *cpfile; |
| 943 | int err; | 943 | int err; |
| 944 | 944 | ||
| 945 | if (cpsize > sb->s_blocksize) { | ||
| 946 | printk(KERN_ERR | ||
| 947 | "NILFS: too large checkpoint size: %zu bytes.\n", | ||
| 948 | cpsize); | ||
| 949 | return -EINVAL; | ||
| 950 | } else if (cpsize < NILFS_MIN_CHECKPOINT_SIZE) { | ||
| 951 | printk(KERN_ERR | ||
| 952 | "NILFS: too small checkpoint size: %zu bytes.\n", | ||
| 953 | cpsize); | ||
| 954 | return -EINVAL; | ||
| 955 | } | ||
| 956 | |||
| 945 | cpfile = nilfs_iget_locked(sb, NULL, NILFS_CPFILE_INO); | 957 | cpfile = nilfs_iget_locked(sb, NULL, NILFS_CPFILE_INO); |
| 946 | if (unlikely(!cpfile)) | 958 | if (unlikely(!cpfile)) |
| 947 | return -ENOMEM; | 959 | return -ENOMEM; |
diff --git a/fs/nilfs2/dat.c b/fs/nilfs2/dat.c index fa0f80308c2d..0d5fada91191 100644 --- a/fs/nilfs2/dat.c +++ b/fs/nilfs2/dat.c | |||
| @@ -484,6 +484,18 @@ int nilfs_dat_read(struct super_block *sb, size_t entry_size, | |||
| 484 | struct nilfs_dat_info *di; | 484 | struct nilfs_dat_info *di; |
| 485 | int err; | 485 | int err; |
| 486 | 486 | ||
| 487 | if (entry_size > sb->s_blocksize) { | ||
| 488 | printk(KERN_ERR | ||
| 489 | "NILFS: too large DAT entry size: %zu bytes.\n", | ||
| 490 | entry_size); | ||
| 491 | return -EINVAL; | ||
| 492 | } else if (entry_size < NILFS_MIN_DAT_ENTRY_SIZE) { | ||
| 493 | printk(KERN_ERR | ||
| 494 | "NILFS: too small DAT entry size: %zu bytes.\n", | ||
| 495 | entry_size); | ||
| 496 | return -EINVAL; | ||
| 497 | } | ||
| 498 | |||
| 487 | dat = nilfs_iget_locked(sb, NULL, NILFS_DAT_INO); | 499 | dat = nilfs_iget_locked(sb, NULL, NILFS_DAT_INO); |
| 488 | if (unlikely(!dat)) | 500 | if (unlikely(!dat)) |
| 489 | return -ENOMEM; | 501 | return -ENOMEM; |
diff --git a/fs/nilfs2/sufile.c b/fs/nilfs2/sufile.c index 84e384dae663..2a869c35c362 100644 --- a/fs/nilfs2/sufile.c +++ b/fs/nilfs2/sufile.c | |||
| @@ -1169,6 +1169,18 @@ int nilfs_sufile_read(struct super_block *sb, size_t susize, | |||
| 1169 | void *kaddr; | 1169 | void *kaddr; |
| 1170 | int err; | 1170 | int err; |
| 1171 | 1171 | ||
| 1172 | if (susize > sb->s_blocksize) { | ||
| 1173 | printk(KERN_ERR | ||
| 1174 | "NILFS: too large segment usage size: %zu bytes.\n", | ||
| 1175 | susize); | ||
| 1176 | return -EINVAL; | ||
| 1177 | } else if (susize < NILFS_MIN_SEGMENT_USAGE_SIZE) { | ||
| 1178 | printk(KERN_ERR | ||
| 1179 | "NILFS: too small segment usage size: %zu bytes.\n", | ||
| 1180 | susize); | ||
| 1181 | return -EINVAL; | ||
| 1182 | } | ||
| 1183 | |||
| 1172 | sufile = nilfs_iget_locked(sb, NULL, NILFS_SUFILE_INO); | 1184 | sufile = nilfs_iget_locked(sb, NULL, NILFS_SUFILE_INO); |
| 1173 | if (unlikely(!sufile)) | 1185 | if (unlikely(!sufile)) |
| 1174 | return -ENOMEM; | 1186 | return -ENOMEM; |
diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c index 94c451ce6d24..8ba8229ba076 100644 --- a/fs/nilfs2/the_nilfs.c +++ b/fs/nilfs2/the_nilfs.c | |||
| @@ -399,6 +399,16 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs, | |||
| 399 | return -EINVAL; | 399 | return -EINVAL; |
| 400 | 400 | ||
| 401 | nilfs->ns_inode_size = le16_to_cpu(sbp->s_inode_size); | 401 | nilfs->ns_inode_size = le16_to_cpu(sbp->s_inode_size); |
| 402 | if (nilfs->ns_inode_size > nilfs->ns_blocksize) { | ||
| 403 | printk(KERN_ERR "NILFS: too large inode size: %d bytes.\n", | ||
| 404 | nilfs->ns_inode_size); | ||
| 405 | return -EINVAL; | ||
| 406 | } else if (nilfs->ns_inode_size < NILFS_MIN_INODE_SIZE) { | ||
| 407 | printk(KERN_ERR "NILFS: too small inode size: %d bytes.\n", | ||
| 408 | nilfs->ns_inode_size); | ||
| 409 | return -EINVAL; | ||
| 410 | } | ||
| 411 | |||
| 402 | nilfs->ns_first_ino = le32_to_cpu(sbp->s_first_ino); | 412 | nilfs->ns_first_ino = le32_to_cpu(sbp->s_first_ino); |
| 403 | 413 | ||
| 404 | nilfs->ns_blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment); | 414 | nilfs->ns_blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment); |
diff --git a/include/linux/nilfs2_fs.h b/include/linux/nilfs2_fs.h index 1fb465f9baf2..ff3fea3194c6 100644 --- a/include/linux/nilfs2_fs.h +++ b/include/linux/nilfs2_fs.h | |||
| @@ -82,6 +82,8 @@ struct nilfs_inode { | |||
| 82 | __le32 i_pad; | 82 | __le32 i_pad; |
| 83 | }; | 83 | }; |
| 84 | 84 | ||
| 85 | #define NILFS_MIN_INODE_SIZE 128 | ||
| 86 | |||
| 85 | /** | 87 | /** |
| 86 | * struct nilfs_super_root - structure of super root | 88 | * struct nilfs_super_root - structure of super root |
| 87 | * @sr_sum: check sum | 89 | * @sr_sum: check sum |
| @@ -482,6 +484,8 @@ struct nilfs_dat_entry { | |||
| 482 | __le64 de_rsv; | 484 | __le64 de_rsv; |
| 483 | }; | 485 | }; |
| 484 | 486 | ||
| 487 | #define NILFS_MIN_DAT_ENTRY_SIZE 32 | ||
| 488 | |||
| 485 | /** | 489 | /** |
| 486 | * struct nilfs_snapshot_list - snapshot list | 490 | * struct nilfs_snapshot_list - snapshot list |
| 487 | * @ssl_next: next checkpoint number on snapshot list | 491 | * @ssl_next: next checkpoint number on snapshot list |
| @@ -520,6 +524,8 @@ struct nilfs_checkpoint { | |||
| 520 | struct nilfs_inode cp_ifile_inode; | 524 | struct nilfs_inode cp_ifile_inode; |
| 521 | }; | 525 | }; |
| 522 | 526 | ||
| 527 | #define NILFS_MIN_CHECKPOINT_SIZE (64 + NILFS_MIN_INODE_SIZE) | ||
| 528 | |||
| 523 | /* checkpoint flags */ | 529 | /* checkpoint flags */ |
| 524 | enum { | 530 | enum { |
| 525 | NILFS_CHECKPOINT_SNAPSHOT, | 531 | NILFS_CHECKPOINT_SNAPSHOT, |
| @@ -615,6 +621,8 @@ struct nilfs_segment_usage { | |||
| 615 | __le32 su_flags; | 621 | __le32 su_flags; |
| 616 | }; | 622 | }; |
| 617 | 623 | ||
| 624 | #define NILFS_MIN_SEGMENT_USAGE_SIZE 16 | ||
| 625 | |||
| 618 | /* segment usage flag */ | 626 | /* segment usage flag */ |
| 619 | enum { | 627 | enum { |
| 620 | NILFS_SEGMENT_USAGE_ACTIVE, | 628 | NILFS_SEGMENT_USAGE_ACTIVE, |