Commit 2f6a2bcc authored by Darrick J. Wong's avatar Darrick J. Wong Committed by Ben Hutchings

jbd2: fix r_count overflows leading to buffer overflow in journal recovery

commit e531d0bc upstream.

The journal revoke block recovery code does not check r_count for
sanity, which means that an evil value of r_count could result in
the kernel reading off the end of the revoke table and into whatever
garbage lies beyond.  This could crash the kernel, so fix that.

However, in testing this fix, I discovered that the code to write
out the revoke tables also was not correctly checking to see if the
block was full -- the current offset check is fine so long as the
revoke table space size is a multiple of the record size, but this
is not true when either journal_csum_v[23] are set.
Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Reviewed-by: default avatarJan Kara <jack@suse.cz>
[bwh: Backported to 3.2: journal checksumming is not supported, so only
 the first fix is needed]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 93fa5e65
...@@ -711,11 +711,16 @@ static int scan_revoke_records(journal_t *journal, struct buffer_head *bh, ...@@ -711,11 +711,16 @@ static int scan_revoke_records(journal_t *journal, struct buffer_head *bh,
{ {
jbd2_journal_revoke_header_t *header; jbd2_journal_revoke_header_t *header;
int offset, max; int offset, max;
__u32 rcount;
int record_len = 4; int record_len = 4;
header = (jbd2_journal_revoke_header_t *) bh->b_data; header = (jbd2_journal_revoke_header_t *) bh->b_data;
offset = sizeof(jbd2_journal_revoke_header_t); offset = sizeof(jbd2_journal_revoke_header_t);
max = be32_to_cpu(header->r_count); rcount = be32_to_cpu(header->r_count);
if (rcount > journal->j_blocksize)
return -EINVAL;
max = rcount;
if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT)) if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
record_len = 8; record_len = 8;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment