From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: darrick.wong@oracle.com
Cc: linux-xfs@vger.kernel.org, hch@infradead.org
Subject: [PATCH 6/6] xfs: check log iovec size to make sure it's plausibly a buffer log format
Date: Mon, 13 Jan 2020 22:32:09 -0800 [thread overview]
Message-ID: <157898352983.1566005.3041225371468613382.stgit@magnolia> (raw)
In-Reply-To: <157898348940.1566005.3231891474158666998.stgit@magnolia>
From: Darrick J. Wong <darrick.wong@oracle.com>
When log recovery is processing buffer log items, we should check that
the incoming iovec actually describes a region of memory large enough to
contain the log format and the dirty map.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
fs/xfs/xfs_buf_item.c | 17 +++++++++++++++++
fs/xfs/xfs_buf_item.h | 1 +
fs/xfs/xfs_log_recover.c | 6 ++++++
3 files changed, 24 insertions(+)
diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
index be691d1d9fad..5be8973a452c 100644
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -27,6 +27,23 @@ static inline struct xfs_buf_log_item *BUF_ITEM(struct xfs_log_item *lip)
STATIC void xfs_buf_do_callbacks(struct xfs_buf *bp);
+/* Is this log iovec plausibly large enough to contain the buffer log format? */
+bool
+xfs_buf_log_check_iovec(
+ struct xfs_log_iovec *iovec)
+{
+ struct xfs_buf_log_format *blfp = iovec->i_addr;
+ char *bmp_end;
+ char *item_end;
+
+ if (offsetof(struct xfs_buf_log_format, blf_data_map) > iovec->i_len)
+ return false;
+
+ item_end = (char *)iovec->i_addr + iovec->i_len;
+ bmp_end = (char *)&blfp->blf_data_map[blfp->blf_map_size];
+ return bmp_end <= item_end;
+}
+
static inline int
xfs_buf_log_format_size(
struct xfs_buf_log_format *blfp)
diff --git a/fs/xfs/xfs_buf_item.h b/fs/xfs/xfs_buf_item.h
index 4a054b11011a..30114b510332 100644
--- a/fs/xfs/xfs_buf_item.h
+++ b/fs/xfs/xfs_buf_item.h
@@ -61,6 +61,7 @@ void xfs_buf_iodone_callbacks(struct xfs_buf *);
void xfs_buf_iodone(struct xfs_buf *, struct xfs_log_item *);
bool xfs_buf_resubmit_failed_buffers(struct xfs_buf *,
struct list_head *);
+bool xfs_buf_log_check_iovec(struct xfs_log_iovec *iovec);
extern kmem_zone_t *xfs_buf_item_zone;
diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 99ec3fba4548..0d683fb96396 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -1934,6 +1934,12 @@ xlog_recover_buffer_pass1(
struct list_head *bucket;
struct xfs_buf_cancel *bcp;
+ if (!xfs_buf_log_check_iovec(&item->ri_buf[0])) {
+ xfs_err(log->l_mp, "bad buffer log item size (%d)",
+ item->ri_buf[0].i_len);
+ return -EFSCORRUPTED;
+ }
+
/*
* If this isn't a cancel buffer item, then just return.
*/
next prev parent reply other threads:[~2020-01-14 6:32 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 6:31 [PATCH v3 0/6] xfs: fix buf log item memory corruption on non-amd64 Darrick J. Wong
2020-01-14 6:31 ` [PATCH 1/6] xfs: refactor remote attr value buffer invalidation Darrick J. Wong
2020-01-14 8:30 ` Christoph Hellwig
2020-01-14 6:31 ` [PATCH 2/6] xfs: fix memory corruption during " Darrick J. Wong
2020-01-14 8:40 ` Christoph Hellwig
2020-01-14 23:02 ` Darrick J. Wong
2020-01-14 6:31 ` [PATCH 3/6] xfs: clean up xfs_buf_item_get_format return value Darrick J. Wong
2020-01-14 6:31 ` [PATCH 4/6] xfs: complain if anyone tries to create a too-large buffer log item Darrick J. Wong
2020-01-14 6:32 ` [PATCH 5/6] xfs: make struct xfs_buf_log_format have a consistent size Darrick J. Wong
2020-01-14 8:41 ` Christoph Hellwig
2020-01-14 6:32 ` Darrick J. Wong [this message]
2020-01-14 8:42 ` [PATCH 6/6] xfs: check log iovec size to make sure it's plausibly a buffer log format Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=157898352983.1566005.3041225371468613382.stgit@magnolia \
--to=darrick.wong@oracle.com \
--cc=hch@infradead.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).