| Message ID | 151579467015.8694.7629126647166170386.stgit@magnolia (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Fri, Jan 12, 2018 at 02:04:30PM -0800, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@oracle.com> > > A btree format inode fork with zero records makes no sense, so reject it > if we see it, or else we can miscalculate memory allocations. Found by > zeroes fuzzing {a,u3}.bmbt.numrecs in xfs/{374,378,412} with KASAN. > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > --- Reviewed-by: Brian Foster <bfoster@redhat.com> > fs/xfs/libxfs/xfs_inode_fork.c | 1 + > 1 file changed, 1 insertion(+) > > > diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c > index 84eaf17..8c01dd5 100644 > --- a/fs/xfs/libxfs/xfs_inode_fork.c > +++ b/fs/xfs/libxfs/xfs_inode_fork.c > @@ -307,6 +307,7 @@ xfs_iformat_btree( > */ > if (unlikely(XFS_IFORK_NEXTENTS(ip, whichfork) <= > XFS_IFORK_MAXEXT(ip, whichfork) || > + nrecs == 0 || > XFS_BMDR_SPACE_CALC(nrecs) > > XFS_DFORK_SIZE(dip, mp, whichfork) || > XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) || > > -- > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-xfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c index 84eaf17..8c01dd5 100644 --- a/fs/xfs/libxfs/xfs_inode_fork.c +++ b/fs/xfs/libxfs/xfs_inode_fork.c @@ -307,6 +307,7 @@ xfs_iformat_btree( */ if (unlikely(XFS_IFORK_NEXTENTS(ip, whichfork) <= XFS_IFORK_MAXEXT(ip, whichfork) || + nrecs == 0 || XFS_BMDR_SPACE_CALC(nrecs) > XFS_DFORK_SIZE(dip, mp, whichfork) || XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) ||