From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, lei lu <llfamsec@gmail.com>,
Heming Zhao <heming.zhao@suse.com>,
Joseph Qi <joseph.qi@linux.alibaba.com>,
Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>,
Junxiao Bi <junxiao.bi@oracle.com>,
Changwei Ge <gechangwei@live.cn>, Gang He <ghe@suse.com>,
Jun Piao <piaojun@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.1 03/13] ocfs2: add bounds checking to ocfs2_check_dir_entry()
Date: Thu, 25 Jul 2024 16:37:12 +0200 [thread overview]
Message-ID: <20240725142728.162283912@linuxfoundation.org> (raw)
In-Reply-To: <20240725142728.029052310@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: lei lu <llfamsec@gmail.com>
commit 255547c6bb8940a97eea94ef9d464ea5967763fb upstream.
This adds sanity checks for ocfs2_dir_entry to make sure that no member of
ocfs2_dir_entry strays beyond the valid memory region.
Link: https://lkml.kernel.org/r/20240626104433.163270-1-llfamsec@gmail.com
Signed-off-by: lei lu <llfamsec@gmail.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/dir.c | 46 +++++++++++++++++++++++++++++-----------------
1 file changed, 29 insertions(+), 17 deletions(-)
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -294,13 +294,16 @@ out:
* bh passed here can be an inode block or a dir data block, depending
* on the inode inline data flag.
*/
-static int ocfs2_check_dir_entry(struct inode * dir,
- struct ocfs2_dir_entry * de,
- struct buffer_head * bh,
+static int ocfs2_check_dir_entry(struct inode *dir,
+ struct ocfs2_dir_entry *de,
+ struct buffer_head *bh,
+ char *buf,
+ unsigned int size,
unsigned long offset)
{
const char *error_msg = NULL;
const int rlen = le16_to_cpu(de->rec_len);
+ const unsigned long next_offset = ((char *) de - buf) + rlen;
if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
error_msg = "rec_len is smaller than minimal";
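Review bot: The new `buf`/`size` parameters describe the region the entry is checked against, but `de->rec_len` (and `de->name_len` further down) are read before any of the bounds checks run, so the function still relies on the caller to place `de` such that its fixed header lies inside `[buf, buf + size)`; that precondition is nowhere stated. The header comment in this hunk is the natural place for it, e.g. `* @buf and @size describe the directory data region; callers must ensure the fixed header of @de lies within it, because rec_len and name_len are read before the bounds checks below.` The body of ocfs2_check_dir_entry continues in the next hunk.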
@@ -308,9 +311,11 @@ static int ocfs2_check_dir_entry(struct
error_msg = "rec_len % 4 != 0";
else if (unlikely(rlen < OCFS2_DIR_REC_LEN(de->name_len)))
error_msg = "rec_len is too small for name_len";
- else if (unlikely(
- ((char *) de - bh->b_data) + rlen > dir->i_sb->s_blocksize))
- error_msg = "directory entry across blocks";
+ else if (unlikely(next_offset > size))
+ error_msg = "directory entry overrun";
+ else if (unlikely(next_offset > size - OCFS2_DIR_REC_LEN(1)) &&
+ next_offset != size)
+ error_msg = "directory entry too close to end";
if (unlikely(error_msg != NULL))
mlog(ML_ERROR, "bad entry in directory #%llu: %s - "
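Review bot: The "directory entry too close to end" branch at L67-L69 is the least obvious of the new checks and carries no comment; its effect is that a validated entry either ends exactly at `size` or leaves at least `OCFS2_DIR_REC_LEN(1)` bytes after it, which is what keeps the callers' next header read (they advance by the validated `rec_len`) inside the region. A comment such as `/* Either the entry ends exactly at the region end or a minimal record must fit after it, so the next header read stays in bounds. */` would make that intent explicit. Note also that `size - OCFS2_DIR_REC_LEN(1)` is an unsigned subtraction that would wrap for a region smaller than one minimal record; as far as the visible checks go that case is already rejected by the `next_offset > size` branch, since `rlen` has been checked to be at least `OCFS2_DIR_REC_LEN(1)`. The function continues outside the hunk.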
@@ -352,16 +357,17 @@ static inline int ocfs2_search_dirblock(
de_buf = first_de;
dlimit = de_buf + bytes;
- while (de_buf < dlimit) {
+ while (de_buf < dlimit - OCFS2_DIR_MEMBER_LEN) {
/* this code is executed quadratically often */
/* do minimal checking `by hand' */
de = (struct ocfs2_dir_entry *) de_buf;
- if (de_buf + namelen <= dlimit &&
+ if (de->name + namelen <= dlimit &&
ocfs2_match(namelen, name, de)) {
/* found a match - just to be sure, do a full check */
- if (!ocfs2_check_dir_entry(dir, de, bh, offset)) {
+ if (!ocfs2_check_dir_entry(dir, de, bh, first_de,
+ bytes, offset)) {
ret = -1;
goto bail;
}
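Review bot: The new loop condition `de_buf < dlimit - OCFS2_DIR_MEMBER_LEN` computes a pointer before `first_de` whenever `bytes < OCFS2_DIR_MEMBER_LEN`, which is undefined pointer arithmetic in C even though the comparison is likely compiled as intended; whether `bytes` can be that small depends on the callers, which are outside the hunk (for inline directories it presumably derives from i_size). The equivalent form that only subtracts two pointers into the same buffer is `while (dlimit - de_buf > OCFS2_DIR_MEMBER_LEN) {`. The rest of ocfs2_search_dirblock, including the advance of `de_buf`, lies outside the hunk.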
@@ -1138,7 +1144,7 @@ static int __ocfs2_delete_entry(handle_t
pde = NULL;
de = (struct ocfs2_dir_entry *) first_de;
while (i < bytes) {
- if (!ocfs2_check_dir_entry(dir, de, bh, i)) {
+ if (!ocfs2_check_dir_entry(dir, de, bh, first_de, bytes, i)) {
status = -EIO;
mlog_errno(status);
goto bail;
@@ -1638,7 +1644,8 @@ int __ocfs2_add_entry(handle_t *handle,
/* These checks should've already been passed by the
* prepare function, but I guess we can leave them
* here anyway. */
- if (!ocfs2_check_dir_entry(dir, de, insert_bh, offset)) {
+ if (!ocfs2_check_dir_entry(dir, de, insert_bh, data_start,
+ size, offset)) {
retval = -ENOENT;
goto bail;
}
@@ -1776,7 +1783,8 @@ static int ocfs2_dir_foreach_blk_id(stru
}
de = (struct ocfs2_dir_entry *) (data->id_data + ctx->pos);
- if (!ocfs2_check_dir_entry(inode, de, di_bh, ctx->pos)) {
+ if (!ocfs2_check_dir_entry(inode, de, di_bh, (char *)data->id_data,
+ i_size_read(inode), ctx->pos)) {
/* On error, skip the f_pos to the end. */
ctx->pos = i_size_read(inode);
break;
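Review bot: On L114 (and likewise on L148 in ocfs2_find_dir_space_id) `i_size_read(inode)` is a `loff_t` that is narrowed to the new `unsigned int size` parameter without comment or cast. For an inline directory the data lives inside the inode block, so the value is presumably far below the 32-bit limit, but a corrupted i_size above 4 GiB would be silently truncated rather than rejected here; if i_size is validated elsewhere for inline directories, a comment such as `/* inline dir: i_size is bounded by the inode block and fits in unsigned int */` would document why the narrowing is safe. The enclosing loop in ocfs2_dir_foreach_blk_id starts outside the hunk.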
@@ -1869,7 +1877,8 @@ static int ocfs2_dir_foreach_blk_el(stru
while (ctx->pos < i_size_read(inode)
&& offset < sb->s_blocksize) {
de = (struct ocfs2_dir_entry *) (bh->b_data + offset);
- if (!ocfs2_check_dir_entry(inode, de, bh, offset)) {
+ if (!ocfs2_check_dir_entry(inode, de, bh, bh->b_data,
+ sb->s_blocksize, offset)) {
/* On error, skip the f_pos to the
next block. */
ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1;
@@ -3341,7 +3350,7 @@ static int ocfs2_find_dir_space_id(struc
struct super_block *sb = dir->i_sb;
struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
struct ocfs2_dir_entry *de, *last_de = NULL;
- char *de_buf, *limit;
+ char *first_de, *de_buf, *limit;
unsigned long offset = 0;
unsigned int rec_len, new_rec_len, free_space;
@@ -3354,14 +3363,16 @@ static int ocfs2_find_dir_space_id(struc
else
free_space = dir->i_sb->s_blocksize - i_size_read(dir);
- de_buf = di->id2.i_data.id_data;
+ first_de = di->id2.i_data.id_data;
+ de_buf = first_de;
limit = de_buf + i_size_read(dir);
rec_len = OCFS2_DIR_REC_LEN(namelen);
while (de_buf < limit) {
de = (struct ocfs2_dir_entry *)de_buf;
- if (!ocfs2_check_dir_entry(dir, de, di_bh, offset)) {
+ if (!ocfs2_check_dir_entry(dir, de, di_bh, first_de,
+ i_size_read(dir), offset)) {
ret = -ENOENT;
goto out;
}
@@ -3443,7 +3454,8 @@ static int ocfs2_find_dir_space_el(struc
/* move to next block */
de = (struct ocfs2_dir_entry *) bh->b_data;
}
- if (!ocfs2_check_dir_entry(dir, de, bh, offset)) {
+ if (!ocfs2_check_dir_entry(dir, de, bh, bh->b_data, blocksize,
+ offset)) {
status = -ENOENT;
goto bail;
}