From: Amir Goldstein <amir73il@gmail.com>
To: Dave Chinner <david@fromorbit.com>,
"Darrick J . Wong" <darrick.wong@oracle.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
Theodore Ts'o <tytso@mit.edu>,
Adam Manzanares <a.manzanares@samsung.com>,
Tyler Hicks <code@tyhicks.com>,
linux-xfs@vger.kernel.org, fstests@vger.kernel.org,
Christoph Hellwig <hch@lst.de>
Subject: [PATH 5.10 1/4] xfs: detect overflows in bmbt records
Date: Wed, 25 May 2022 14:17:12 +0300 [thread overview]
Message-ID: <20220525111715.2769700-2-amir73il@gmail.com> (raw)
In-Reply-To: <20220525111715.2769700-1-amir73il@gmail.com>
From: "Darrick J. Wong" <darrick.wong@oracle.com>
commit acf104c2331c1ba2a667e65dd36139d1555b1432 upstream.
Detect file block mappings with a blockcount that's either so large that
integer overflows occur or are zero, because neither are valid in the
filesystem. Worse yet, attempting directory modifications causes the
iext code to trip over the bmbt key handling and takes the filesystem
down. We can fix most of this by preventing the bad metadata from
entering the incore structures in the first place.
Found by setting blockcount=0 in a directory data fork mapping and
watching the fireworks.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
---
fs/xfs/libxfs/xfs_bmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
index d9a692484eae..de9c27ef68d8 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -6229,6 +6229,11 @@ xfs_bmap_validate_extent(
xfs_fsblock_t endfsb;
bool isrt;
+ if (irec->br_startblock + irec->br_blockcount <= irec->br_startblock)
+ return __this_address;
+ if (irec->br_startoff + irec->br_blockcount <= irec->br_startoff)
+ return __this_address;
+
isrt = XFS_IS_REALTIME_INODE(ip);
endfsb = irec->br_startblock + irec->br_blockcount - 1;
if (isrt && whichfork == XFS_DATA_FORK) {
--
2.25.1
next prev parent reply other threads:[~2022-05-25 11:17 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-25 11:17 [PATH 5.10 0/4] xfs stable candidate patches for 5.10.y (part 1) Amir Goldstein
2022-05-25 11:17 ` Amir Goldstein [this message]
2022-05-25 11:17 ` [PATH 5.10 2/4] xfs: show the proper user quota options Amir Goldstein
2022-05-25 11:17 ` [PATH 5.10 3/4] xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks Amir Goldstein
2022-05-25 11:17 ` [PATH 5.10 4/4] xfs: fix an ABBA deadlock in xfs_rename Amir Goldstein
2022-05-26 17:27 ` [PATH 5.10 0/4] xfs stable candidate patches for 5.10.y (part 1) Darrick J. Wong
2022-05-26 18:44 ` Luis Chamberlain
2022-05-26 18:59 ` Amir Goldstein
2022-05-27 13:10 ` Luis Chamberlain
2022-05-26 18:47 ` Amir Goldstein
2022-05-27 6:06 ` Christoph Hellwig
2022-05-27 7:01 ` Amir Goldstein
2022-05-27 9:08 ` Dave Chinner
2022-05-27 12:24 ` Amir Goldstein
2022-05-27 15:40 ` Luis Chamberlain
2022-05-27 17:19 ` Darrick J. Wong
2022-05-27 23:42 ` Dave Chinner
2022-05-28 5:00 ` Amir Goldstein
2022-06-01 4:31 ` Dave Chinner
2022-06-01 7:10 ` Amir Goldstein
2022-06-02 4:12 ` Theodore Ts'o
2022-06-02 5:34 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220525111715.2769700-2-amir73il@gmail.com \
--to=amir73il@gmail.com \
--cc=a.manzanares@samsung.com \
--cc=code@tyhicks.com \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=fstests@vger.kernel.org \
--cc=hch@lst.de \
--cc=linux-xfs@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).