tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'xfs-4.20-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull xfs fixes from Darrick Wong:
- fix incorrect dropping of error code from bmap
- print buffer offsets instead of useless hashed pointers when dumping
corrupt metadata
- fix integer overflow in attribute verifier
* tag 'xfs-4.20-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
xfs: fix overflow in xfs_attr3_leaf_verify
xfs: print buffer offsets when dumping corrupt buffers
xfs: Fix error code in 'xfs_ioc_getbmap()'
+11
-4
+9
-2
fs/xfs/libxfs/xfs_attr_leaf.c
+9
-2
fs/xfs/libxfs/xfs_attr_leaf.c
···
243
243
struct xfs_mount *mp = bp->b_target->bt_mount;
244
244
struct xfs_attr_leafblock *leaf = bp->b_addr;
245
245
struct xfs_attr_leaf_entry *entries;
246
-
uint16_t end;
246
+
uint32_t end; /* must be 32bit - see below */
247
247
int i;
248
248
249
249
xfs_attr3_leaf_hdr_from_disk(mp->m_attr_geo, &ichdr, leaf);
···
293
293
/*
294
294
* Quickly check the freemap information. Attribute data has to be
295
295
* aligned to 4-byte boundaries, and likewise for the free space.
296
+
*
297
+
* Note that for 64k block size filesystems, the freemap entries cannot
298
+
* overflow as they are only be16 fields. However, when checking end
299
+
* pointer of the freemap, we have to be careful to detect overflows and
300
+
* so use uint32_t for those checks.
296
301
*/
297
302
for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) {
298
303
if (ichdr.freemap[i].base > mp->m_attr_geo->blksize)
···
308
303
return __this_address;
309
304
if (ichdr.freemap[i].size & 0x3)
310
305
return __this_address;
311
-
end = ichdr.freemap[i].base + ichdr.freemap[i].size;
306
+
307
+
/* be care of 16 bit overflows here */
308
+
end = (uint32_t)ichdr.freemap[i].base + ichdr.freemap[i].size;
312
309
if (end < ichdr.freemap[i].base)
313
310
return __this_address;
314
311
if (end > mp->m_attr_geo->blksize)
+1
-1
fs/xfs/xfs_ioctl.c
+1
-1
fs/xfs/xfs_ioctl.c