xfs: directory scrubber must walk through data block to offset
In xfs_scrub_dir_rec, we must walk through the directory block entries to arrive at the offset given by the hash structure. If we blindly trust the hash address, we can end up midway into a directory entry and stray outside the block. Found by lastbit fuzzing lents[3].address in xfs/390 with KASAN enabled. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Dave Chinner <dchinner@redhat.com>
This commit is contained in:
Darrick J. Wong
@@ -89,7 +89,6 @@ __xfs_dir3_data_check(
|
||||
case cpu_to_be32(XFS_DIR2_BLOCK_MAGIC):
|
||||
btp = xfs_dir2_block_tail_p(geo, hdr);
|
||||
lep = xfs_dir2_block_leaf_p(btp);
|
||||
endp = (char *)lep;
|
||||
|
||||
/*
|
||||
* The number of leaf entries is limited by the size of the
|
||||
@@ -104,11 +103,13 @@ __xfs_dir3_data_check(
|
||||
break;
|
||||
case cpu_to_be32(XFS_DIR3_DATA_MAGIC):
|
||||
case cpu_to_be32(XFS_DIR2_DATA_MAGIC):
|
||||
endp = (char *)hdr + geo->blksize;
|
||||
break;
|
||||
default:
|
||||
return __this_address;
|
||||
}
|
||||
endp = xfs_dir3_data_endp(geo, hdr);
|
||||
if (!endp)
|
||||
return __this_address;
|
||||
|
||||
/*
|
||||
* Account for zero bestfree entries.
|
||||
@@ -546,7 +547,6 @@ xfs_dir2_data_freescan_int(
|
||||
struct xfs_dir2_data_hdr *hdr,
|
||||
int *loghead)
|
||||
{
|
||||
xfs_dir2_block_tail_t *btp; /* block tail */
|
||||
xfs_dir2_data_entry_t *dep; /* active data entry */
|
||||
xfs_dir2_data_unused_t *dup; /* unused data entry */
|
||||
struct xfs_dir2_data_free *bf;
|
||||
@@ -568,12 +568,7 @@ xfs_dir2_data_freescan_int(
|
||||
* Set up pointers.
|
||||
*/
|
||||
p = (char *)ops->data_entry_p(hdr);
|
||||
if (hdr->magic == cpu_to_be32(XFS_DIR2_BLOCK_MAGIC) ||
|
||||
hdr->magic == cpu_to_be32(XFS_DIR3_BLOCK_MAGIC)) {
|
||||
btp = xfs_dir2_block_tail_p(geo, hdr);
|
||||
endp = (char *)xfs_dir2_block_leaf_p(btp);
|
||||
} else
|
||||
endp = (char *)hdr + geo->blksize;
|
||||
endp = xfs_dir3_data_endp(geo, hdr);
|
||||
/*
|
||||
* Loop over the block's entries.
|
||||
*/
|
||||
@@ -786,17 +781,9 @@ xfs_dir2_data_make_free(
|
||||
/*
|
||||
* Figure out where the end of the data area is.
|
||||
*/
|
||||
if (hdr->magic == cpu_to_be32(XFS_DIR2_DATA_MAGIC) ||
|
||||
hdr->magic == cpu_to_be32(XFS_DIR3_DATA_MAGIC))
|
||||
endptr = (char *)hdr + args->geo->blksize;
|
||||
else {
|
||||
xfs_dir2_block_tail_t *btp; /* block tail */
|
||||
endptr = xfs_dir3_data_endp(args->geo, hdr);
|
||||
ASSERT(endptr != NULL);
|
||||
|
||||
ASSERT(hdr->magic == cpu_to_be32(XFS_DIR2_BLOCK_MAGIC) ||
|
||||
hdr->magic == cpu_to_be32(XFS_DIR3_BLOCK_MAGIC));
|
||||
btp = xfs_dir2_block_tail_p(args->geo, hdr);
|
||||
endptr = (char *)xfs_dir2_block_leaf_p(btp);
|
||||
}
|
||||
/*
|
||||
* If this isn't the start of the block, then back up to
|
||||
* the previous entry and see if it's free.
|
||||
@@ -1098,3 +1085,21 @@ xfs_dir2_data_use_free(
|
||||
}
|
||||
*needscanp = needscan;
|
||||
}
|
||||
|
||||
/* Find the end of the entry data in a data/block format dir block. */
|
||||
void *
|
||||
xfs_dir3_data_endp(
|
||||
struct xfs_da_geometry *geo,
|
||||
struct xfs_dir2_data_hdr *hdr)
|
||||
{
|
||||
switch (hdr->magic) {
|
||||
case cpu_to_be32(XFS_DIR3_BLOCK_MAGIC):
|
||||
case cpu_to_be32(XFS_DIR2_BLOCK_MAGIC):
|
||||
return xfs_dir2_block_leaf_p(xfs_dir2_block_tail_p(geo, hdr));
|
||||
case cpu_to_be32(XFS_DIR3_DATA_MAGIC):
|
||||
case cpu_to_be32(XFS_DIR2_DATA_MAGIC):
|
||||
return (char *)hdr + geo->blksize;
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user