From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com,
Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>,
Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 24/30] reiserfs: check directory items on read from disk
Date: Fri, 13 Aug 2021 17:06:52 +0200 [thread overview]
Message-ID: <20210813150523.223823137@linuxfoundation.org> (raw)
In-Reply-To: <20210813150522.445553924@linuxfoundation.org>
From: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ]
While verifying the leaf item that we read from the disk, reiserfs
doesn't check the directory items, this could cause a crash when we
read a directory item from the disk that has an invalid deh_location.
This patch adds a check to the directory items read from the disk that
does a bounds check on deh_location for the directory entries. Any
directory entry header with a directory entry offset greater than the
item length is considered invalid.
Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com
Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
index 25b2aed9af0b..f2f7055303ca 100644
--- a/fs/reiserfs/stree.c
+++ b/fs/reiserfs/stree.c
@@ -386,6 +386,24 @@ void pathrelse(struct treepath *search_path)
search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
}
+static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
+{
+ struct reiserfs_de_head *deh;
+ int i;
+
+ deh = B_I_DEH(bh, ih);
+ for (i = 0; i < ih_entry_count(ih); i++) {
+ if (deh_location(&deh[i]) > ih_item_len(ih)) {
+ reiserfs_warning(NULL, "reiserfs-5094",
+ "directory entry location seems wrong %h",
+ &deh[i]);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
{
struct block_head *blkh;
@@ -453,11 +471,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
"(second one): %h", ih);
return 0;
}
- if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
- reiserfs_warning(NULL, "reiserfs-5093",
- "item entry count seems wrong %h",
- ih);
- return 0;
+ if (is_direntry_le_ih(ih)) {
+ if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
+ reiserfs_warning(NULL, "reiserfs-5093",
+ "item entry count seems wrong %h",
+ ih);
+ return 0;
+ }
+ return has_valid_deh_location(bh, ih);
}
prev_location = ih_location(ih);
}
--
2.30.2
next prev parent reply other threads:[~2021-08-13 15:11 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-13 15:06 [PATCH 4.9 00/30] 4.9.280-rc1 review Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 01/30] ALSA: seq: Fix racy deletion of subscriber Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 02/30] scsi: sr: Return correct event when media event code is 3 Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 03/30] media: videobuf2-core: dequeue if start_streaming fails Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 04/30] net: natsemi: Fix missing pci_disable_device() in probe and remove Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 05/30] mips: Fix non-POSIX regexp Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 06/30] bnx2x: fix an error code in bnx2x_nic_load() Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 07/30] net: pegasus: fix uninit-value in get_interrupt_interval Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 08/30] net: fec: fix use-after-free in fec_drv_remove Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 09/30] net: vxge: fix use-after-free in vxge_device_unregister Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 10/30] Bluetooth: defer cleanup of resources in hci_unregister_dev() Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 11/30] USB: usbtmc: Fix RCU stall warning Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 12/30] USB: serial: option: add Telit FD980 composition 0x1056 Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 13/30] USB: serial: ch341: fix character loss at high transfer rates Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 14/30] USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 15/30] usb: otg-fsm: Fix hrtimer list corruption Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 16/30] scripts/tracing: fix the bug that cant parse raw_trace_func Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 17/30] media: rtl28xxu: fix zero-length control request Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 18/30] pipe: increase minimum default pipe size to 2 pages Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 19/30] serial: 8250: Mask out floating 16/32-bit bus bits Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 20/30] MIPS: Malta: Do not byte-swap accesses to the CBUS UART Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 21/30] pcmcia: i82092: fix a null pointer dereference bug Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 22/30] perf/x86/amd: Dont touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 23/30] reiserfs: add check for root_inode in reiserfs_fill_super Greg Kroah-Hartman
2021-08-13 15:06 ` Greg Kroah-Hartman [this message]
2021-08-13 15:06 ` [PATCH 4.9 25/30] alpha: Send stop IPI to send to online CPUs Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 26/30] net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 27/30] USB:ehci:fix Kunpeng920 ehci hardware problem Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 28/30] ppp: Fix generating ppp unit id when ifname is not specified Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 29/30] net: xilinx_emaclite: Do not print real IOMEM pointer Greg Kroah-Hartman
2021-08-13 15:06 ` [PATCH 4.9 30/30] ovl: prevent private clone if bind mount is not allowed Greg Kroah-Hartman
2021-08-13 23:26 ` [PATCH 4.9 00/30] 4.9.280-rc1 review Shuah Khan
2021-08-14 14:12 ` Naresh Kamboju
2021-08-14 19:50 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210813150523.223823137@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chouhan.shreyansh630@gmail.com \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.