From: Brian Foster <bfoster@redhat.com>
To: xfs@oss.sgi.com
Subject: [PATCH 2/2] xfs: validate transaction header length on log recovery
Date: Thu, 18 Jun 2015 08:49:01 -0400
Message-ID: <1434631741-50856-3-git-send-email-bfoster@redhat.com>
In-Reply-To: <1434631741-50856-1-git-send-email-bfoster@redhat.com>

When log recovery hits a new transaction, it copies the transaction
header from the expected location in the log to the in-core structure
using the length from the op record header. This length is validated to
ensure it doesn't exceed the length of the record, but not against the
expected size of a transaction header (and thus the size of the in-core
structure). If the on-disk length is corrupted, the associated memcpy()
can overflow, write to unrelated memory and lead to crashes. This has
been reproduced via filesystem fuzzing.

The code already checks that the length matches the transaction header
in order to add a recovery item to the transaction. Convert this check
to an explicit validation of the length to prevent memcpy() overflow. In
the event of the latter, warn the user and fail the log recovery.

Signed-off-by: Brian Foster <bfoster@redhat.com>
---
fs/xfs/xfs_log_recover.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 299fbaf..3c6ad4c 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -3437,8 +3437,14 @@ xlog_recover_add_to_trans(
ASSERT(0);
return -EIO;
}
- if (len == sizeof(xfs_trans_header_t))
- xlog_recover_add_item(&trans->r_itemq);
+ if (len != sizeof(struct xfs_trans_header)) {
+ xfs_warn(log->l_mp, "%s: bad header size (%d)",
+ __func__, len);
+ ASSERT(0);
+ return -EIO;
+ }
+
+ xlog_recover_add_item(&trans->r_itemq);
memcpy(&trans->r_theader, dp, len);
return 0;
}
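Review bot: The `len != sizeof(struct xfs_trans_header)` test rejects more than the overflow case. The removed lines let a `len` smaller than the header through to `memcpy()` and only skipped `xlog_recover_add_item()`, whereas this version fails recovery with -EIO for any short length as well. Only `len > sizeof(struct xfs_trans_header)` can overrun `trans->r_theader`, so if a short header was ever an accepted input here, bound the copy with `>` and keep the `==` test for adding the item; if short lengths are always corruption, the commit message should say so, since it currently describes only the overflow. Separately, the `ASSERT(0)` ahead of `return -EIO` means a debug build stops on a corrupted on-disk length instead of returning the error, which matters on a path the commit message says is reached by fuzzed images; consider dropping it and relying on the `xfs_warn()` plus the error return.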
--
1.9.3