From: "Ernesto A. Fernández" <ernesto.mnd.fernandez@gmail.com>
To: linux-fsdevel@vger.kernel.org
Cc: "Sergei Antonov" <saproj@gmail.com>,
"Vyacheslav Dubeyko" <slava@dubeyko.com>,
"Hin-Tak Leung" <htl10@users.sourceforge.net>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Christoph Hellwig" <hch@infradead.org>,
"Ernesto A. Fernández" <ernesto.mnd.fernandez@gmail.com>
Subject: [PATCH] hfsplus: fix segfault when deleting all attrs of a file
Date: Fri, 6 Oct 2017 18:52:25 -0300
Message-ID: <20171006215222.GA4736@debian.home>
A segmentation fault can be triggered by setting many xattrs to a file
and then deleting it. The number must be high enough for more than one
b-tree node to be needed for storage.

When hfs_brec_remove() is called as part of hfsplus_delete_all_attrs(),
fd->search_key will not be set to any specific value. It does not matter
because we intend to remove all records for a given cnid.

The problem is that hfs_brec_remove() assumes it is being called with
the result of a search by key, not by cnid. The value of search_key may
be used to update the parent nodes. When no appropriate parent record is
found, the result is an out of bounds access.

To fix this, set the value of fd->search_key to the key of the first
record in the node, which is also the key of the corresponding parent
record.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
---
fs/hfsplus/brec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
index 754fdf8..dfa60cf 100644
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -182,6 +182,9 @@ int hfs_brec_remove(struct hfs_find_data *fd)
tree = fd->tree;
node = fd->bnode;
+
+ /* in case we need to search the parent node */
+ hfs_bnode_read_key(node, fd->search_key, 14);
again:
rec_off = tree->node_size - (fd->record + 2) * 2;
end_off = tree->node_size - (node->num_recs + 1) * 2;
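Review bot: the bare literal 14 in the added hfs_bnode_read_key() call deserves a named constant or at least a comment stating that it is the offset of the first record in the node (the size of the node descriptor); "in case we need to search the parent node" says why the key is read but not why that offset is the right one. It is also worth noting in that comment that the read happens once, before the `again:` label, so the commit message's argument (the first record's key equals the key of the corresponding parent record) is what keeps fd->search_key valid on later iterations of the loop that move up to a parent node; a one-line comment to that effect next to the call would save the next reader from re-deriving it.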
--
2.1.4