commit cf0594625083111ae522496dc1c256f7476939c2 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

hfs: handle more on-disk corruptions without oopsing

hfs seems prone to bad things when it encounters on disk corruption. Many
values are read from disk, and used as lengths to memcpy, as an example.
This patch fixes up several of these problematic cases.

o sanity check the on-disk maximum key lengths on mount
(these are set to a defined value at mkfs time and shouldn't differ)
o check on-disk node keylens against the maximum key length for each tree
o fix hfs_btree_open so that going out via free_tree: doesn't wind
up in hfs_releasepage, which wants to follow the very pointer
we were trying to set up:
HFS_SB(sb)->cat_tree = hfs_btree_open()
...
failure gets to hfs_releasepage and tries
to follow HFS_SB(sb)->cat_tree

Tested with the fsfuzzer; it survives more than it used to.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Eric Sandeen and committed by Linus Torvalds 18 years ago cf059462 467bc461

+42 -3

4 changed files

expand all

unified split

hfs

bfind.c

brec.c

btree.c

hfs.h

+12

fs/hfs/bfind.c

··· 52 52 rec = (e + b) / 2; 53 53 len = hfs_brec_lenoff(bnode, rec, &off); 54 54 keylen = hfs_brec_keylen(bnode, rec); 55 + if (keylen == HFS_BAD_KEYLEN) { 56 + res = -EINVAL; 57 + goto done; 58 + } 55 59 hfs_bnode_read(bnode, fd->key, off, keylen); 56 60 cmpval = bnode->tree->keycmp(fd->key, fd->search_key); 57 61 if (!cmpval) { ··· 71 67 if (rec != e && e >= 0) { 72 68 len = hfs_brec_lenoff(bnode, e, &off); 73 69 keylen = hfs_brec_keylen(bnode, e); 70 + if (keylen == HFS_BAD_KEYLEN) { 71 + res = -EINVAL; 72 + goto done; 73 + } 74 74 hfs_bnode_read(bnode, fd->key, off, keylen); 75 75 } 76 76 done: ··· 206 198 207 199 len = hfs_brec_lenoff(bnode, fd->record, &off); 208 200 keylen = hfs_brec_keylen(bnode, fd->record); 201 + if (keylen == HFS_BAD_KEYLEN) { 202 + res = -EINVAL; 203 + goto out; 204 + } 209 205 fd->keyoffset = off; 210 206 fd->keylength = keylen; 211 207 fd->entryoffset = off + keylen;

+13 -2

fs/hfs/brec.c

··· 44 44 recoff = hfs_bnode_read_u16(node, node->tree->node_size - (rec + 1) * 2); 45 45 if (!recoff) 46 46 return 0; 47 - if (node->tree->attributes & HFS_TREE_BIGKEYS) 47 + if (node->tree->attributes & HFS_TREE_BIGKEYS) { 48 48 retval = hfs_bnode_read_u16(node, recoff) + 2; 49 - else 49 + if (retval > node->tree->max_key_len + 2) { 50 + printk(KERN_ERR "hfs: keylen %d too large\n", 51 + retval); 52 + retval = HFS_BAD_KEYLEN; 53 + } 54 + } else { 50 55 retval = (hfs_bnode_read_u8(node, recoff) | 1) + 1; 56 + if (retval > node->tree->max_key_len + 1) { 57 + printk(KERN_ERR "hfs: keylen %d too large\n", 58 + retval); 59 + retval = HFS_BAD_KEYLEN; 60 + } 61 + } 51 62 } 52 63 return retval; 53 64 }

+12 -1

fs/hfs/btree.c

··· 81 81 goto fail_page; 82 82 if (!tree->node_count) 83 83 goto fail_page; 84 + if ((id == HFS_EXT_CNID) && (tree->max_key_len != HFS_MAX_EXT_KEYLEN)) { 85 + printk(KERN_ERR "hfs: invalid extent max_key_len %d\n", 86 + tree->max_key_len); 87 + goto fail_page; 88 + } 89 + if ((id == HFS_CAT_CNID) && (tree->max_key_len != HFS_MAX_CAT_KEYLEN)) { 90 + printk(KERN_ERR "hfs: invalid catalog max_key_len %d\n", 91 + tree->max_key_len); 92 + goto fail_page; 93 + } 94 + 84 95 tree->node_size_shift = ffs(size) - 1; 85 96 tree->pages_per_bnode = (tree->node_size + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; 86 97 ··· 100 89 return tree; 101 90 102 91 fail_page: 103 - tree->inode->i_mapping->a_ops = &hfs_aops; 104 92 page_cache_release(page); 105 93 free_tree: 94 + tree->inode->i_mapping->a_ops = &hfs_aops; 106 95 iput(tree->inode); 107 96 kfree(tree); 108 97 return NULL;

fs/hfs/hfs.h

··· 28 28 #define HFS_MAX_NAMELEN 128 29 29 #define HFS_MAX_VALENCE 32767U 30 30 31 + #define HFS_BAD_KEYLEN 0xFF 32 + 31 33 /* Meanings of the drAtrb field of the MDB, 32 34 * Reference: _Inside Macintosh: Files_ p. 2-61 33 35 */ ··· 168 166 struct hfs_cat_key cat; 169 167 struct hfs_ext_key ext; 170 168 } hfs_btree_key; 169 + 170 + #define HFS_MAX_CAT_KEYLEN (sizeof(struct hfs_cat_key) - sizeof(u8)) 171 + #define HFS_MAX_EXT_KEYLEN (sizeof(struct hfs_ext_key) - sizeof(u8)) 171 172 172 173 typedef union hfs_btree_key btree_key; 173 174