Commit 46c116b9 authored by Jan Kara's avatar Jan Kara Committed by Theodore Ts'o

ext4: verify dir block before splitting it

Before splitting a directory block verify its directory entries are sane
so that the splitting code does not access memory it should not.

Cc: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220518093332.13986-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
parent c878bea3
...@@ -277,9 +277,9 @@ static struct dx_frame *dx_probe(struct ext4_filename *fname, ...@@ -277,9 +277,9 @@ static struct dx_frame *dx_probe(struct ext4_filename *fname,
struct dx_hash_info *hinfo, struct dx_hash_info *hinfo,
struct dx_frame *frame); struct dx_frame *frame);
static void dx_release(struct dx_frame *frames); static void dx_release(struct dx_frame *frames);
static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, static int dx_make_map(struct inode *dir, struct buffer_head *bh,
unsigned blocksize, struct dx_hash_info *hinfo, struct dx_hash_info *hinfo,
struct dx_map_entry map[]); struct dx_map_entry *map_tail);
static void dx_sort_map(struct dx_map_entry *map, unsigned count); static void dx_sort_map(struct dx_map_entry *map, unsigned count);
static struct ext4_dir_entry_2 *dx_move_dirents(struct inode *dir, char *from, static struct ext4_dir_entry_2 *dx_move_dirents(struct inode *dir, char *from,
char *to, struct dx_map_entry *offsets, char *to, struct dx_map_entry *offsets,
...@@ -1249,15 +1249,23 @@ static inline int search_dirblock(struct buffer_head *bh, ...@@ -1249,15 +1249,23 @@ static inline int search_dirblock(struct buffer_head *bh,
* Create map of hash values, offsets, and sizes, stored at end of block. * Create map of hash values, offsets, and sizes, stored at end of block.
* Returns number of entries mapped. * Returns number of entries mapped.
*/ */
static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, static int dx_make_map(struct inode *dir, struct buffer_head *bh,
unsigned blocksize, struct dx_hash_info *hinfo, struct dx_hash_info *hinfo,
struct dx_map_entry *map_tail) struct dx_map_entry *map_tail)
{ {
int count = 0; int count = 0;
char *base = (char *) de; struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *)bh->b_data;
unsigned int buflen = bh->b_size;
char *base = bh->b_data;
struct dx_hash_info h = *hinfo; struct dx_hash_info h = *hinfo;
while ((char *) de < base + blocksize) { if (ext4_has_metadata_csum(dir->i_sb))
buflen -= sizeof(struct ext4_dir_entry_tail);
while ((char *) de < base + buflen) {
if (ext4_check_dir_entry(dir, NULL, de, bh, base, buflen,
((char *)de) - base))
return -EFSCORRUPTED;
if (de->name_len && de->inode) { if (de->name_len && de->inode) {
if (ext4_hash_in_dirent(dir)) if (ext4_hash_in_dirent(dir))
h.hash = EXT4_DIRENT_HASH(de); h.hash = EXT4_DIRENT_HASH(de);
...@@ -1270,8 +1278,7 @@ static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, ...@@ -1270,8 +1278,7 @@ static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de,
count++; count++;
cond_resched(); cond_resched();
} }
/* XXX: do we need to check rec_len == 0 case? -Chris */ de = ext4_next_entry(de, dir->i_sb->s_blocksize);
de = ext4_next_entry(de, blocksize);
} }
return count; return count;
} }
...@@ -1943,8 +1950,11 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, ...@@ -1943,8 +1950,11 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
/* create map in the end of data2 block */ /* create map in the end of data2 block */
map = (struct dx_map_entry *) (data2 + blocksize); map = (struct dx_map_entry *) (data2 + blocksize);
count = dx_make_map(dir, (struct ext4_dir_entry_2 *) data1, count = dx_make_map(dir, *bh, hinfo, map);
blocksize, hinfo, map); if (count < 0) {
err = count;
goto journal_error;
}
map -= count; map -= count;
dx_sort_map(map, count); dx_sort_map(map, count);
/* Ensure that neither split block is over half full */ /* Ensure that neither split block is over half full */
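Review bot: The header comment of dx_make_map() in the second hunk still says only "Returns number of entries mapped.", but the new loop returns -EFSCORRUPTED when ext4_check_dir_entry() rejects an entry, so the documented contract is incomplete. I would change that line to `* Returns number of entries mapped, or -EFSCORRUPTED if the block holds a corrupted directory entry.` so a caller knows the result must be checked before it feeds pointer arithmetic such as `map -= count`; do_split() does check it in the last hunk, and any caller outside the shown hunks would need the same guard. The walk is bounded by `bh->b_size` while `ext4_next_entry()` is passed `dir->i_sb->s_blocksize`; these are presumably equal for a directory block, but a one-line comment saying so, or a single local holding the size, would make the bound easier to audit. The bodies of dx_make_map() and do_split() are only partly visible in these hunks.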