From: Jan Kara <jack@suse.cz>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] [PATCH] udf: Avoid infinite loop when processing indirect ICBs
Date: Fri, 10 Oct 2014 16:23:36 +0200 [thread overview]
Message-ID: <1412951028-4085-32-git-send-email-jack@suse.cz> (raw)
In-Reply-To: <1412951028-4085-1-git-send-email-jack@suse.cz>
We did not implement any bound on number of indirect ICBs we follow when
loading inode. Thus corrupted medium could cause kernel to go into an
infinite loop, possibly causing a stack overflow.
Fix the possible stack overflow by removing recursion from
__udf_read_inode() and limit number of indirect ICBs we follow to avoid
infinite loops.
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/udf/inode.c | 35 +++++++++++++++++++++--------------
1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 68cc7b144c26..a6a40536ebf1 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1270,6 +1270,13 @@ update_time:
return 0;
}
+/*
+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
+ * arbitrary - just that we hopefully don't limit any real use of rewritten
+ * inode on write-once media but avoid looping for too long on corrupted media.
+ */
+#define UDF_MAX_ICB_NESTING 1024
+
static void __udf_read_inode(struct inode *inode)
{
struct buffer_head *bh = NULL;
@@ -1279,7 +1286,9 @@ static void __udf_read_inode(struct inode *inode)
struct udf_inode_info *iinfo = UDF_I(inode);
struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
unsigned int link_count;
+ unsigned int indirections = 0;
+reread:
/*
* Set defaults, but the inode is still incomplete!
* Note: get_new_inode() sets the following on a new inode:
@@ -1317,28 +1326,26 @@ static void __udf_read_inode(struct inode *inode)
ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
&ident);
if (ident == TAG_IDENT_IE && ibh) {
- struct buffer_head *nbh = NULL;
struct kernel_lb_addr loc;
struct indirectEntry *ie;
ie = (struct indirectEntry *)ibh->b_data;
loc = lelb_to_cpu(ie->indirectICB.extLocation);
- if (ie->indirectICB.extLength &&
- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
- &ident))) {
- if (ident == TAG_IDENT_FE ||
- ident == TAG_IDENT_EFE) {
- memcpy(&iinfo->i_location,
- &loc,
- sizeof(struct kernel_lb_addr));
- brelse(bh);
- brelse(ibh);
- brelse(nbh);
- __udf_read_inode(inode);
+ if (ie->indirectICB.extLength) {
+ brelse(bh);
+ brelse(ibh);
+ memcpy(&iinfo->i_location, &loc,
+ sizeof(struct kernel_lb_addr));
+ if (++indirections > UDF_MAX_ICB_NESTING) {
+ udf_err(inode->i_sb,
+ "too many ICBs in ICB hierarchy"
+ " (max %d supported)\n",
+ UDF_MAX_ICB_NESTING);
+ make_bad_inode(inode);
return;
}
- brelse(nbh);
+ goto reread;
}
}
brelse(ibh);
--
1.8.1.4
next prev parent reply other threads:[~2014-10-10 14:23 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-10 14:23 [Cluster-devel] [PATCH 0/2 v2] Fix data corruption when blocksize < pagesize for mmapped data Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 1/2 RESEND] bdi: Fix hung task on sync Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] block: free q->flush_rq in blk_init_allocated_queue error paths Jan Kara
2014-10-10 15:19 ` Dave Jones
2014-10-10 15:32 ` Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] block: improve rq_affinity placement Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] block: Make rq_affinity = 1 work as expected Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] block: strict rq_affinity Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext3: Fix deadlock in data=journal mode when fs is frozen Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext3: Speedup WB_SYNC_ALL pass Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext4: Avoid lock inversion between i_mmap_mutex and transaction start Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 1/2] ext4: Don't check quota format when there are no quota files Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 1/2] ext4: Fix block zeroing when punching holes in indirect block files Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext4: Fix buffer double free in ext4_alloc_branch() Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext4: Fix jbd2 warning under heavy xattr load Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext4: Fix zeroing of page during writeback Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext4: Remove orphan list handling Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ext4: Speedup WB_SYNC_ALL pass Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH for 3.14-stable] fanotify: fix double free of pending permission events Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] fs: Avoid userspace mounting anon_inodefs filesystem Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 1/2] jbd2: Avoid pointless scanning of checkpoint lists Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] jbd2: Optimize jbd2_log_do_checkpoint() a bit Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] lockdep: Dump info via tracing Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] mm: Fixup pagecache_isize_extended() definitions for !CONFIG_MMU Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ncpfs: fix rmdir returns Device or resource busy Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] ocfs2: Fix quota file corruption Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 1/2] printk: Debug patch1 Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] printk: debug: Slow down printing to 9600 bauds Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] printk: enable interrupts before calling console_trylock_for_printk() Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] quota: Fix race between dqput() and dquot_scan_active() Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] scsi: Keep interrupts disabled while submitting requests Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] sync: don't block the flusher thread waiting on IO Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks Jan Kara
2014-10-10 14:23 ` Jan Kara [this message]
2014-10-10 14:23 ` [Cluster-devel] [PATCH] udf: Print error when inode is loaded Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] vfs: Allocate anon_inode_inode in anon_inode_init() Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 1/2] vfs: Fix data corruption when blocksize < pagesize for mmaped data Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH RESEND] vfs: Return EINVAL for default SEEK_HOLE, SEEK_DATA implementation Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] writeback: plug writeback at a high level Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH] x86: Fixup lockdep complaint caused by io apic code Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 2/2 RESEND] bdi: Avoid oops on device removal Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 2/2] ext3: Don't check quota format when there are no quota files Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 2/2] ext4: Fix hole punching for files with indirect blocks Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 2/2] ext4: Fix mmap data corruption when blocksize < pagesize Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 2/2] jbd2: Simplify calling convention around __jbd2_journal_clean_checkpoint_list Jan Kara
2014-10-10 14:23 ` [Cluster-devel] [PATCH 2/2] printk: Debug patch 2 Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1412951028-4085-32-git-send-email-jack@suse.cz \
--to=jack@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).