diff options
| author | Darrick J. Wong <darrick.wong@oracle.com> | 2018-02-26 22:43:18 -0600 |
|---|---|---|
| committer | Eric Sandeen <sandeen@redhat.com> | 2018-02-26 22:43:18 -0600 |
| commit | e4b963e9ae98a1c7522e97eec7015d33f7eb8ab4 (patch) | |
| tree | 4043bf35bed0c3c850e402e1f968943fb012f5c0 | |
| parent | f596a90d3d7a03f42cedcbc9b505fefe5da5df08 (diff) | |
| download | xfsprogs-dev-e4b963e9ae98a1c7522e97eec7015d33f7eb8ab4.tar.gz | |
xfs: btree format ifork loader should check for zero numrecs
Source kernel commit: 55e45429ce3e4ac9dd2bf4937b1a499a69ccc4ca
A btree format inode fork with zero records makes no sense, so reject it
if we see it, or else we can miscalculate memory allocations. Found by
zeroes fuzzing {a,u3}.bmbt.numrecs in xfs/{374,378,412} with KASAN.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
| -rw-r--r-- | libxfs/xfs_inode_fork.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/libxfs/xfs_inode_fork.c b/libxfs/xfs_inode_fork.c index 750d339e7f..d75db5bdbb 100644 --- a/libxfs/xfs_inode_fork.c +++ b/libxfs/xfs_inode_fork.c @@ -295,6 +295,7 @@ xfs_iformat_btree( */ if (unlikely(XFS_IFORK_NEXTENTS(ip, whichfork) <= XFS_IFORK_MAXEXT(ip, whichfork) || + nrecs == 0 || XFS_BMDR_SPACE_CALC(nrecs) > XFS_DFORK_SIZE(dip, mp, whichfork) || XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) || |