Message ID | 1377855331-17014-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
Seems to be according to the upstream changes.
On Fri, Aug 30, 2013 at 10:35:31AM +0100, Luis Henriques wrote: > From: Dave Chinner <dchinner@redhat.com> > > CVE-2013-1819 > > BugLink: http://bugs.launchpad.net/bugs/1151527 > > When _xfs_buf_find is passed an out of range address, it will fail > to find a relevant struct xfs_perag and oops with a null > dereference. This can happen when trying to walk a filesystem with a > metadata inode that has a partially corrupted extent map (i.e. the > block number returned is corrupt, but is otherwise intact) and we > try to read from the corrupted block address. > > In this case, just fail the lookup. If it is readahead being issued, > it will simply not be done, but if it is real read that fails we > will get an error being reported. Ideally this case should result > in an EFSCORRUPTED error being reported, but we cannot return an > error through xfs_buf_read() or xfs_buf_get() so this lookup failure > may result in ENOMEM or EIO errors being reported instead. > > Signed-off-by: Dave Chinner <dchinner@redhat.com> > Reviewed-by: Brian Foster <bfoster@redhat.com> > Reviewed-by: Ben Myers <bpm@sgi.com> > Signed-off-by: Ben Myers <bpm@sgi.com> > (back ported from commit eb178619f930fa2ba2348de332a1ff1c66a31424) > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > fs/xfs/xfs_buf.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c > index 9fade8c..3b8a9cd 100644 > --- a/fs/xfs/xfs_buf.c > +++ b/fs/xfs/xfs_buf.c > @@ -435,6 +435,7 @@ _xfs_buf_find( > struct rb_node **rbp; > struct rb_node *parent; > xfs_buf_t *bp; > + xfs_daddr_t eofs; > > numbytes = BBTOB(numblks); > > @@ -442,6 +443,23 @@ _xfs_buf_find( > ASSERT(!(numbytes < (1 << btp->bt_sshift))); > ASSERT(!(BBTOB(blkno) & (xfs_off_t)btp->bt_smask)); > > + /* > + * Corrupted block numbers can get through to here, unfortunately, so we > + * have to check that the buffer falls within the filesystem bounds. > + */ > + eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks); > + if (blkno >= eofs) { > + /* > + * XXX (dgc): we should really be returning EFSCORRUPTED here, > + * but none of the higher level infrastructure supports > + * returning a specific error on buffer lookup failures. > + */ > + xfs_alert(btp->bt_mount, > + "%s: Block out of range: block 0x%llx, EOFS 0x%llx ", > + __func__, blkno, eofs); > + return NULL; > + } > + > /* get tree root */ > pag = xfs_perag_get(btp->bt_mount, > xfs_daddr_to_agno(btp->bt_mount, blkno)); Seems to match the backported commit and its intent seems appropriate. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
Applied to Quantal. -apw
diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 9fade8c..3b8a9cd 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -435,6 +435,7 @@ _xfs_buf_find( struct rb_node **rbp; struct rb_node *parent; xfs_buf_t *bp; + xfs_daddr_t eofs; numbytes = BBTOB(numblks); @@ -442,6 +443,23 @@ _xfs_buf_find( ASSERT(!(numbytes < (1 << btp->bt_sshift))); ASSERT(!(BBTOB(blkno) & (xfs_off_t)btp->bt_smask)); + /* + * Corrupted block numbers can get through to here, unfortunately, so we + * have to check that the buffer falls within the filesystem bounds. + */ + eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks); + if (blkno >= eofs) { + /* + * XXX (dgc): we should really be returning EFSCORRUPTED here, + * but none of the higher level infrastructure supports + * returning a specific error on buffer lookup failures. + */ + xfs_alert(btp->bt_mount, + "%s: Block out of range: block 0x%llx, EOFS 0x%llx ", + __func__, blkno, eofs); + return NULL; + } + /* get tree root */ pag = xfs_perag_get(btp->bt_mount, xfs_daddr_to_agno(btp->bt_mount, blkno));