commit cf0594625083111ae522496dc1c256f7476939c2 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

hfs: handle more on-disk corruptions without oopsing

hfs seems prone to bad things when it encounters on disk corruption. Many
values are read from disk, and used as lengths to memcpy, as an example.
This patch fixes up several of these problematic cases.

o sanity check the on-disk maximum key lengths on mount
(these are set to a defined value at mkfs time and shouldn't differ)
o check on-disk node keylens against the maximum key length for each tree
o fix hfs_btree_open so that going out via free_tree: doesn't wind
up in hfs_releasepage, which wants to follow the very pointer
we were trying to set up:
HFS_SB(sb)->cat_tree = hfs_btree_open()
...
failure gets to hfs_releasepage and tries
to follow HFS_SB(sb)->cat_tree

Tested with the fsfuzzer; it survives more than it used to.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Eric Sandeen and committed by Linus Torvalds 18 years ago cf059462 467bc461

+42 -3

4 changed files

expand all

unified split

hfs

bfind.c

brec.c

btree.c

hfs.h

+12

fs/hfs/bfind.c

··· 52 rec = (e + b) / 2; 53 len = hfs_brec_lenoff(bnode, rec, &off); 54 keylen = hfs_brec_keylen(bnode, rec); 55 hfs_bnode_read(bnode, fd->key, off, keylen); 56 cmpval = bnode->tree->keycmp(fd->key, fd->search_key); 57 if (!cmpval) { ··· 71 if (rec != e && e >= 0) { 72 len = hfs_brec_lenoff(bnode, e, &off); 73 keylen = hfs_brec_keylen(bnode, e); 74 hfs_bnode_read(bnode, fd->key, off, keylen); 75 } 76 done: ··· 206 207 len = hfs_brec_lenoff(bnode, fd->record, &off); 208 keylen = hfs_brec_keylen(bnode, fd->record); 209 fd->keyoffset = off; 210 fd->keylength = keylen; 211 fd->entryoffset = off + keylen;

··· 52 rec = (e + b) / 2; 53 len = hfs_brec_lenoff(bnode, rec, &off); 54 keylen = hfs_brec_keylen(bnode, rec); 55 + if (keylen == HFS_BAD_KEYLEN) { 56 + res = -EINVAL; 57 + goto done; 58 + } 59 hfs_bnode_read(bnode, fd->key, off, keylen); 60 cmpval = bnode->tree->keycmp(fd->key, fd->search_key); 61 if (!cmpval) { ··· 67 if (rec != e && e >= 0) { 68 len = hfs_brec_lenoff(bnode, e, &off); 69 keylen = hfs_brec_keylen(bnode, e); 70 + if (keylen == HFS_BAD_KEYLEN) { 71 + res = -EINVAL; 72 + goto done; 73 + } 74 hfs_bnode_read(bnode, fd->key, off, keylen); 75 } 76 done: ··· 198 199 len = hfs_brec_lenoff(bnode, fd->record, &off); 200 keylen = hfs_brec_keylen(bnode, fd->record); 201 + if (keylen == HFS_BAD_KEYLEN) { 202 + res = -EINVAL; 203 + goto out; 204 + } 205 fd->keyoffset = off; 206 fd->keylength = keylen; 207 fd->entryoffset = off + keylen;

+13 -2

fs/hfs/brec.c

··· 44 recoff = hfs_bnode_read_u16(node, node->tree->node_size - (rec + 1) * 2); 45 if (!recoff) 46 return 0; 47 - if (node->tree->attributes & HFS_TREE_BIGKEYS) 48 retval = hfs_bnode_read_u16(node, recoff) + 2; 49 - else 50 retval = (hfs_bnode_read_u8(node, recoff) | 1) + 1; 51 } 52 return retval; 53 }

··· 44 recoff = hfs_bnode_read_u16(node, node->tree->node_size - (rec + 1) * 2); 45 if (!recoff) 46 return 0; 47 + if (node->tree->attributes & HFS_TREE_BIGKEYS) { 48 retval = hfs_bnode_read_u16(node, recoff) + 2; 49 + if (retval > node->tree->max_key_len + 2) { 50 + printk(KERN_ERR "hfs: keylen %d too large\n", 51 + retval); 52 + retval = HFS_BAD_KEYLEN; 53 + } 54 + } else { 55 retval = (hfs_bnode_read_u8(node, recoff) | 1) + 1; 56 + if (retval > node->tree->max_key_len + 1) { 57 + printk(KERN_ERR "hfs: keylen %d too large\n", 58 + retval); 59 + retval = HFS_BAD_KEYLEN; 60 + } 61 + } 62 } 63 return retval; 64 }

+12 -1

fs/hfs/btree.c

··· 81 goto fail_page; 82 if (!tree->node_count) 83 goto fail_page; 84 tree->node_size_shift = ffs(size) - 1; 85 tree->pages_per_bnode = (tree->node_size + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; 86 ··· 100 return tree; 101 102 fail_page: 103 - tree->inode->i_mapping->a_ops = &hfs_aops; 104 page_cache_release(page); 105 free_tree: 106 iput(tree->inode); 107 kfree(tree); 108 return NULL;

··· 81 goto fail_page; 82 if (!tree->node_count) 83 goto fail_page; 84 + if ((id == HFS_EXT_CNID) && (tree->max_key_len != HFS_MAX_EXT_KEYLEN)) { 85 + printk(KERN_ERR "hfs: invalid extent max_key_len %d\n", 86 + tree->max_key_len); 87 + goto fail_page; 88 + } 89 + if ((id == HFS_CAT_CNID) && (tree->max_key_len != HFS_MAX_CAT_KEYLEN)) { 90 + printk(KERN_ERR "hfs: invalid catalog max_key_len %d\n", 91 + tree->max_key_len); 92 + goto fail_page; 93 + } 94 + 95 tree->node_size_shift = ffs(size) - 1; 96 tree->pages_per_bnode = (tree->node_size + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; 97 ··· 89 return tree; 90 91 fail_page: 92 page_cache_release(page); 93 free_tree: 94 + tree->inode->i_mapping->a_ops = &hfs_aops; 95 iput(tree->inode); 96 kfree(tree); 97 return NULL;

fs/hfs/hfs.h

··· 28 #define HFS_MAX_NAMELEN 128 29 #define HFS_MAX_VALENCE 32767U 30 31 /* Meanings of the drAtrb field of the MDB, 32 * Reference: _Inside Macintosh: Files_ p. 2-61 33 */ ··· 168 struct hfs_cat_key cat; 169 struct hfs_ext_key ext; 170 } hfs_btree_key; 171 172 typedef union hfs_btree_key btree_key; 173

··· 28 #define HFS_MAX_NAMELEN 128 29 #define HFS_MAX_VALENCE 32767U 30 31 + #define HFS_BAD_KEYLEN 0xFF 32 + 33 /* Meanings of the drAtrb field of the MDB, 34 * Reference: _Inside Macintosh: Files_ p. 2-61 35 */ ··· 166 struct hfs_cat_key cat; 167 struct hfs_ext_key ext; 168 } hfs_btree_key; 169 + 170 + #define HFS_MAX_CAT_KEYLEN (sizeof(struct hfs_cat_key) - sizeof(u8)) 171 + #define HFS_MAX_EXT_KEYLEN (sizeof(struct hfs_ext_key) - sizeof(u8)) 172 173 typedef union hfs_btree_key btree_key; 174