A fuzzed fileystem image failed with OMFS when the extent count was
used in a loop without being checked against the max number of extents.
It also provoked a signed division for an array index that was checked
as if unsigned, leading to index by -1.
omfsck will be updated to fix these cases, in the meantime bail out
gracefully.
Reported-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
struct buffer_head *bh;
struct omfs_sb_info *sbi = OMFS_SB(sb);
int bits_per_entry = 8 * sb->s_blocksize;
struct buffer_head *bh;
struct omfs_sb_info *sbi = OMFS_SB(sb);
int bits_per_entry = 8 * sb->s_blocksize;
struct omfs_sb_info *sbi = OMFS_SB(sb);
int bits_per_entry = 8 * sb->s_blocksize;
u64 tmp;
struct omfs_sb_info *sbi = OMFS_SB(sb);
int bits_per_entry = 8 * sb->s_blocksize;
u64 tmp;
+ unsigned int map, bit;
+ int ret;
tmp = block;
bit = do_div(tmp, bits_per_entry);
tmp = block;
bit = do_div(tmp, bits_per_entry);
+static u32 omfs_max_extents(struct omfs_sb_info *sbi, int offset)
+{
+ return (sbi->s_sys_blocksize - offset -
+ sizeof(struct omfs_extent)) /
+ sizeof(struct omfs_extent_entry) + 1;
+}
+
void omfs_make_empty_table(struct buffer_head *bh, int offset)
{
struct omfs_extent *oe = (struct omfs_extent *) &bh->b_data[offset];
void omfs_make_empty_table(struct buffer_head *bh, int offset)
{
struct omfs_extent *oe = (struct omfs_extent *) &bh->b_data[offset];
struct buffer_head *bh;
u64 next, last;
u32 extent_count;
struct buffer_head *bh;
u64 next, last;
u32 extent_count;
int ret;
/* traverse extent table, freeing each entry that is greater
int ret;
/* traverse extent table, freeing each entry that is greater
goto out;
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
goto out;
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
+ max_extents = omfs_max_extents(sbi, OMFS_EXTENT_START);
- if (omfs_is_bad(sbi, (struct omfs_header *) bh->b_data, next)) {
- brelse(bh);
- goto out;
- }
+ if (omfs_is_bad(sbi, (struct omfs_header *) bh->b_data, next))
+ goto out_brelse;
extent_count = be32_to_cpu(oe->e_extent_count);
extent_count = be32_to_cpu(oe->e_extent_count);
+
+ if (extent_count > max_extents)
+ goto out_brelse;
+
last = next;
next = be64_to_cpu(oe->e_next);
entry = &oe->e_entry;
last = next;
next = be64_to_cpu(oe->e_next);
entry = &oe->e_entry;
if (!bh)
goto out;
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
if (!bh)
goto out;
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
+ max_extents = omfs_max_extents(sbi, OMFS_EXTENT_CONT);
}
ret = 0;
out:
return ret;
}
ret = 0;
out:
return ret;
+out_brelse:
+ brelse(bh);
+ return ret;
}
static void omfs_truncate(struct inode *inode)
}
static void omfs_truncate(struct inode *inode)
- max_count = (sbi->s_sys_blocksize - OMFS_EXTENT_START -
- sizeof(struct omfs_extent)) /
- sizeof(struct omfs_extent_entry) + 1;
+ max_count = omfs_max_extents(sbi, OMFS_EXTENT_START);
/* TODO: add a continuation block here */
if (be32_to_cpu(oe->e_extent_count) > max_count-1)
/* TODO: add a continuation block here */
if (be32_to_cpu(oe->e_extent_count) > max_count-1)
sector_t next, offset;
int ret;
u64 new_block;
sector_t next, offset;
int ret;
u64 new_block;
int extent_count;
struct omfs_extent *oe;
struct omfs_extent_entry *entry;
int extent_count;
struct omfs_extent *oe;
struct omfs_extent_entry *entry;
goto out;
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
goto out;
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
+ max_extents = omfs_max_extents(sbi, OMFS_EXTENT_START);
next = inode->i_ino;
for (;;) {
next = inode->i_ino;
for (;;) {
next = be64_to_cpu(oe->e_next);
entry = &oe->e_entry;
next = be64_to_cpu(oe->e_next);
entry = &oe->e_entry;
+ if (extent_count > max_extents)
+ goto out_brelse;
+
offset = find_block(inode, entry, block, extent_count, &remain);
if (offset > 0) {
ret = 0;
offset = find_block(inode, entry, block, extent_count, &remain);
if (offset > 0) {
ret = 0;
if (!bh)
goto out;
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
if (!bh)
goto out;
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
+ max_extents = omfs_max_extents(sbi, OMFS_EXTENT_CONT);
}
if (create) {
ret = omfs_grow_extent(inode, oe, &new_block);
}
if (create) {
ret = omfs_grow_extent(inode, oe, &new_block);