tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

xfs: check log iovec size to make sure it's plausibly a buffer log format

When log recovery is processing buffer log items, we should check that
the incoming iovec actually describes a region of memory large enough to
contain the log format and the dirty map.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>

Darrick J. Wong 8a6453a8 b7df5e92

+24
+17
fs/xfs/xfs_buf_item.c
··· 27 27 28 28 STATIC void xfs_buf_do_callbacks(struct xfs_buf *bp); 29 29 30 + /* Is this log iovec plausibly large enough to contain the buffer log format? */ 31 + bool 32 + xfs_buf_log_check_iovec( 33 + struct xfs_log_iovec *iovec) 34 + { 35 + struct xfs_buf_log_format *blfp = iovec->i_addr; 36 + char *bmp_end; 37 + char *item_end; 38 + 39 + if (offsetof(struct xfs_buf_log_format, blf_data_map) > iovec->i_len) 40 + return false; 41 + 42 + item_end = (char *)iovec->i_addr + iovec->i_len; 43 + bmp_end = (char *)&blfp->blf_data_map[blfp->blf_map_size]; 44 + return bmp_end <= item_end; 45 + } 46 + 30 47 static inline int 31 48 xfs_buf_log_format_size( 32 49 struct xfs_buf_log_format *blfp)
+1
fs/xfs/xfs_buf_item.h
··· 61 61 void xfs_buf_iodone(struct xfs_buf *, struct xfs_log_item *); 62 62 bool xfs_buf_resubmit_failed_buffers(struct xfs_buf *, 63 63 struct list_head *); 64 + bool xfs_buf_log_check_iovec(struct xfs_log_iovec *iovec); 64 65 65 66 extern kmem_zone_t *xfs_buf_item_zone; 66 67
+6
fs/xfs/xfs_log_recover.c
··· 1934 1934 struct list_head *bucket; 1935 1935 struct xfs_buf_cancel *bcp; 1936 1936 1937 + if (!xfs_buf_log_check_iovec(&item->ri_buf[0])) { 1938 + xfs_err(log->l_mp, "bad buffer log item size (%d)", 1939 + item->ri_buf[0].i_len); 1940 + return -EFSCORRUPTED; 1941 + } 1942 + 1937 1943 /* 1938 1944 * If this isn't a cancel buffer item, then just return. 1939 1945 */