From: Christoph Hellwig <hch@infradead.org>
To: xfs@oss.sgi.com
Subject: [PATCH] repair: validate acl count before reading it
Date: Tue, 15 Nov 2011 03:07:15 -0500 [thread overview]
Message-ID: <20111115080714.GA24931@infradead.org> (raw)
This prevents a segfault on a filesystem so badly corrupted by the RAID
controller that it could be considered fuzzed.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Index: xfsprogs-dev/repair/attr_repair.c
===================================================================
--- xfsprogs-dev.orig/repair/attr_repair.c 2011-11-14 20:03:27.000000000 +0000
+++ xfsprogs-dev/repair/attr_repair.c 2011-11-14 20:20:55.000000000 +0000
@@ -931,8 +931,8 @@ process_longform_attr(
}
-static xfs_acl_t *
-xfs_acl_from_disk(xfs_acl_disk_t *dacl)
+static int
+xfs_acl_from_disk(struct xfs_acl **aclp, struct xfs_acl_disk *dacl)
{
int count;
xfs_acl_t *acl;
@@ -940,10 +940,22 @@ xfs_acl_from_disk(xfs_acl_disk_t *dacl)
xfs_acl_entry_disk_t *dace, *end;
count = be32_to_cpu(dacl->acl_cnt);
+ if (count > XFS_ACL_MAX_ENTRIES) {
+ do_warn(_("to larget ACL, size %d"), count);
+ *aclp = NULL;
+ return EINVAL;
+ }
+
+
end = &dacl->acl_entry[0] + count;
acl = malloc((int)((char *)end - (char *)dacl));
- if (!acl)
- return NULL;
+ if (!acl) {
+ do_warn(_("cannot malloc enough for ACL attribute\n"));
+ do_warn(_("SKIPPING this ACL\n"));
+ *aclp = NULL;
+ return ENOMEM;
+ }
+
acl->acl_cnt = count;
ace = &acl->acl_entry[0];
for (dace = &dacl->acl_entry[0]; dace < end; ace++, dace++) {
@@ -951,7 +963,9 @@ xfs_acl_from_disk(xfs_acl_disk_t *dacl)
ace->ae_id = be32_to_cpu(dace->ae_id);
ace->ae_perm = be16_to_cpu(dace->ae_perm);
}
- return acl;
+
+ *aclp = acl;
+ return 0;
}
/*
@@ -1004,15 +1018,14 @@ xfs_acl_valid(xfs_acl_disk_t *daclp)
if (daclp == NULL)
goto acl_invalid;
- aclp = xfs_acl_from_disk(daclp);
- if (aclp == NULL) {
- do_warn(_("cannot malloc enough for ACL attribute\n"));
- do_warn(_("SKIPPING this ACL\n"));
+ switch (xfs_acl_from_disk(&aclp, daclp)) {
+ case ENOMEM:
return 0;
- }
-
- if (aclp->acl_cnt > XFS_ACL_MAX_ENTRIES)
+ case EINVAL:
goto acl_invalid;
+ default:
+ break;
+ }
for (i = 0; i < aclp->acl_cnt; i++) {
entry = &aclp->acl_entry[i];
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next reply other threads:[~2011-11-15 8:07 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-15 8:07 Christoph Hellwig [this message]
2011-11-16 0:23 ` [PATCH] repair: validate acl count before reading it Dave Chinner
2011-11-16 7:58 ` Christoph Hellwig
2012-01-27 19:54 ` Mark Tinguely
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111115080714.GA24931@infradead.org \
--to=hch@infradead.org \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox