jbd2: fix r_count overflows leading to buffer overflow in journal recovery
[pandora-kernel.git] / fs / jbd2 / recovery.c
index da6d7ba..421834b 100644 (file)
@@ -711,11 +711,16 @@ static int scan_revoke_records(journal_t *journal, struct buffer_head *bh,
 {
        jbd2_journal_revoke_header_t *header;
        int offset, max;
+       __u32 rcount;
        int record_len = 4;
 
        header = (jbd2_journal_revoke_header_t *) bh->b_data;
        offset = sizeof(jbd2_journal_revoke_header_t);
-       max = be32_to_cpu(header->r_count);
+       rcount = be32_to_cpu(header->r_count);
+
+       if (rcount > journal->j_blocksize)
+               return -EINVAL;
+       max = rcount;
 
        if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
                record_len = 8;
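Review bot: The new bound at `if (rcount > journal->j_blocksize)` is correct but carries no explanation of why j_blocksize is the right limit, and a reader who sees `max = rcount;` later in the function has no hint that r_count is an untrusted on-disk byte count. I would add above the check `/* r_count is a byte offset read from the journal block; bound it by the block size so the record loop below cannot index past bh->b_data */`. The loop that consumes max is outside the hunk, as is the rest of scan_revoke_records; if it advances with `offset < max` rather than `offset + record_len <= max`, a value that is not a multiple of record_len still reads one partial record beyond the declared count, which stays inside the block only because the header is 16 bytes and j_blocksize is a multiple of record_len — worth stating in the same comment. The bare `return -EINVAL;` also gives an operator nothing to distinguish a corrupted revoke block from the other -EINVAL paths in recovery; a log line in the file's existing printk style naming the rejected rcount would help when triaging a journal that refuses to replay.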