From: Christoph Hellwig <hch@lst.de>
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org,
"Darrick J. Wong" <darrick.wong@oracle.com>,
Dave Chinner <david@fromorbit.com>
Subject: [PATCH 25/32] xfs: don't allow di_size with high bit set
Date: Mon, 9 Jan 2017 16:38:56 +0100
Message-ID: <1483976343-661-26-git-send-email-hch@lst.de>
In-Reply-To: <1483976343-661-1-git-send-email-hch@lst.de>

From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream.

The on-disk field di_size is used to set i_size, which is a signed
integer of loff_t. If the high bit of di_size is set, we'll end up with
a negative i_size, which will cause all sorts of problems. Since the
VFS won't let us create a file with such length, we should catch them
here in the verifier too.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
---
fs/xfs/libxfs/xfs_inode_buf.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
index 134424f..c906e50 100644
--- a/fs/xfs/libxfs/xfs_inode_buf.c
+++ b/fs/xfs/libxfs/xfs_inode_buf.c
@@ -392,6 +392,14 @@ xfs_dinode_verify(
if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))
return false;
+ /* don't allow invalid i_size */
+ if (be64_to_cpu(dip->di_size) & (1ULL << 63))
+ return false;
+
+ /* No zero-length symlinks. */
+ if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0)
+ return false;
+
/* only version 3 or greater inodes are extensively verified here */
if (dip->di_version < 3)
return true;
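Review bot: The second added check in xfs_dinode_verify(), `S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0`, is not described anywhere in the subject or changelog, which only talk about rejecting a di_size with the high bit set. Rejecting zero-length symlinks is a separate on-disk validity rule, so it should either get its own sentence in the commit message explaining why such an inode is treated as corrupt, or be split into its own patch so it can be bisected and reverted independently. Two smaller points on the same hunk: the comment "don't allow invalid i_size" would be more useful if it named the condition being tested (di_size with bit 63 set turns into a negative loff_t), and it is worth saying in the changelog that both checks sit ahead of the `dip->di_version < 3` early return, so they apply to every inode version and not only to the extensively verified v3 inodes.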
--
2.1.4
Thread overview: 35+ messages
2017-01-09 15:38 4.9-stable updates for XFS Christoph Hellwig
2017-01-09 15:38 ` [PATCH 01/32] xfs: don't call xfs_sb_quota_from_disk twice Christoph Hellwig
2017-01-09 15:38 ` [PATCH 02/32] xfs: check return value of _trans_reserve_quota_nblks Christoph Hellwig
2017-01-09 15:38 ` [PATCH 03/32] xfs: don't skip cow forks w/ delalloc blocks in cowblocks scan Christoph Hellwig
2017-01-09 15:38 ` [PATCH 04/32] xfs: don't BUG() on mixed direct and mapped I/O Christoph Hellwig
2017-01-09 15:38 ` [PATCH 05/32] xfs: provide helper for counting extents from if_bytes Christoph Hellwig
2017-01-09 15:38 ` [PATCH 06/32] xfs: check minimum block size for CRC filesystems Christoph Hellwig
2017-01-09 15:38 ` [PATCH 07/32] xfs: fix unbalanced inode reclaim flush locking Christoph Hellwig
2017-01-09 15:38 ` [PATCH 08/32] xfs: new inode extent list lookup helpers Christoph Hellwig
2017-01-09 15:38 ` [PATCH 09/32] xfs: factor rmap btree size into the indlen calculations Christoph Hellwig
2017-01-09 15:38 ` [PATCH 10/32] xfs: always succeed when deduping zero bytes Christoph Hellwig
2017-01-09 15:38 ` [PATCH 11/32] xfs: remove prev argument to xfs_bmapi_reserve_delalloc Christoph Hellwig
2017-01-09 15:38 ` [PATCH 12/32] xfs: track preallocation separately in xfs_bmapi_reserve_delalloc() Christoph Hellwig
2017-01-09 15:38 ` [PATCH 13/32] xfs: use new extent lookup helpers in __xfs_reflink_reserve_cow Christoph Hellwig
2017-01-09 15:38 ` [PATCH 14/32] xfs: clean up cow fork reservation and tag inodes correctly Christoph Hellwig
2017-01-09 15:38 ` [PATCH 15/32] xfs: use new extent lookup helpers xfs_file_iomap_begin_delay Christoph Hellwig
2017-01-09 15:38 ` [PATCH 16/32] xfs: pass post-eof speculative prealloc blocks to bmapi Christoph Hellwig
2017-01-09 15:38 ` [PATCH 17/32] xfs: Move AGI buffer type setting to xfs_read_agi Christoph Hellwig
2017-01-09 15:38 ` [PATCH 18/32] xfs: pass state not whichfork to trace_xfs_extlist Christoph Hellwig
2017-01-09 15:38 ` [PATCH 19/32] xfs: handle cow fork in xfs_bmap_trace_exlist Christoph Hellwig
2017-01-09 15:38 ` [PATCH 20/32] xfs: forbid AG btrees with level == 0 Christoph Hellwig
2017-01-09 15:38 ` [PATCH 21/32] xfs: check for bogus values in btree block headers Christoph Hellwig
2017-01-09 15:38 ` [PATCH 22/32] xfs: complain if we don't get nextents bmap records Christoph Hellwig
2017-01-09 15:38 ` [PATCH 23/32] xfs: don't crash if reading a directory results in an unexpected hole Christoph Hellwig
2017-01-09 15:38 ` [PATCH 24/32] xfs: error out if trying to add attrs and anextents > 0 Christoph Hellwig
2017-01-09 15:38 ` Christoph Hellwig [this message]
2017-01-09 15:38 ` [PATCH 26/32] xfs: don't cap maximum dedupe request length Christoph Hellwig
2017-01-09 15:38 ` [PATCH 27/32] xfs: ignore leaf attr ichdr.count in verifier during log replay Christoph Hellwig
2017-01-09 15:38 ` [PATCH 28/32] xfs: use GPF_NOFS when allocating btree cursors Christoph Hellwig
2017-01-09 15:39 ` [PATCH 29/32] xfs: fix double-cleanup when CUI recovery fails Christoph Hellwig
2017-01-09 15:39 ` [PATCH 30/32] xfs: use the actual AG length when reserving blocks Christoph Hellwig
2017-01-09 15:39 ` [PATCH 31/32] xfs: fix crash and data corruption due to removal of busy COW extents Christoph Hellwig
2017-01-09 15:39 ` [PATCH 32/32] xfs: fix max_retries _show and _store functions Christoph Hellwig
2017-01-10 0:21 ` 4.9-stable updates for XFS Darrick J. Wong
2017-01-10 10:37 ` Greg KH