From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: linux-xfs@vger.kernel.org
Subject: [PATCH 24/23] xfs_io: don't walk off the end of argv in fzero_f
Date: Mon, 4 Mar 2019 12:58:54 -0800
Message-ID: <20190304205854.GA6520@magnolia>
In-Reply-To: <155148280859.16677.6057998944865066232.stgit@magnolia>
From: Darrick J. Wong <darrick.wong@oracle.com>

The fzero_f function doesn't check that there are enough non-switch
parameters to supply offset and length arguments to fallocate. As a
result, we can walk off the end of the argv array and crash. A
secondary problem is that we don't use getopt to detect the -k, which is
not how most xfs_io commands work.

Therefore, use getopt to detect the -k argument and rewire the offset
and length interpretation code to check optind and use argv correctly.

This bug is trivially reproduced by "xfs_io -c 'fzero -k 0' /some/file".

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
io/prealloc.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/io/prealloc.c b/io/prealloc.c
index 9a372bae..6d452354 100644
--- a/io/prealloc.c
+++ b/io/prealloc.c
@@ -285,18 +285,24 @@ fzero_f(
{
xfs_flock64_t segment;
int mode = FALLOC_FL_ZERO_RANGE;
- int index = 1;
+ int c;
- if (strncmp(argv[index], "-k", 3) == 0) {
- mode |= FALLOC_FL_KEEP_SIZE;
- index++;
+ while ((c = getopt(argc, argv, "k")) != EOF) {
+ switch (c) {
+ case 'k':
+ mode |= FALLOC_FL_KEEP_SIZE;
+ break;
+ default:
+ command_usage(&fzero_cmd);
+ }
}
+ if (optind != argc - 2)
+ return command_usage(&fzero_cmd);
- if (!offset_length(argv[index], argv[index + 1], &segment))
+ if (!offset_length(argv[optind], argv[optind + 1], &segment))
return 0;
- if (fallocate(file->fd, mode,
- segment.l_start, segment.l_len)) {
+ if (fallocate(file->fd, mode, segment.l_start, segment.l_len)) {
perror("fallocate");
return 0;
}
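Review bot: In the getopt loop, the default: case calls command_usage(&fzero_cmd) without returning, so an unrecognised switch prints the usage text and execution carries on. If exactly two positional arguments follow it, the optind != argc - 2 check passes and the fallocate call still runs with whatever mode has been accumulated. Suggest making the default case "return command_usage(&fzero_cmd);", the same form the optind check just below it already uses, so a malformed command line is rejected before any change is made to the file.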