Message-Id: <20201028155550.24680-1-lhenriques@suse.de>
Date:   Wed, 28 Oct 2020 15:55:50 +0000
From:   Luis Henriques <lhenriques@...e.de>
To:     tytso@....edu
Cc:     linux-ext4@...r.kernel.org, Luis Henriques <lhenriques@...e.de>
Subject: [PATCH] filefrag: handle invalid st_dev and blksize cases

It is possible to crash filefrag with a "Floating point exception" in
two different scenarios:

1. When fstat() returns a device ID set to 0
2. When FIGETBSZ ioctl returns a blocksize of 0

In both scenarios a divide-by-zero will occur in frag_report() because
variable blksize will be set to zero.

I've managed to trigger this crash with an old CephFS kernel client,
using xfstest generic/519.  The first scenario has been fixed by kernel
commit 75c9627efb72 ("ceph: map snapid to anonymous bdev ID").  The
second scenario is also fixed with commit 8f97d1e99149 ("vfs: fix
FIGETBSZ ioctl on an overlayfs file").

However, it is desirable to handle these two scenarios gracefully by
checking these conditions explicitly.

Signed-off-by: Luis Henriques <lhenriques@...e.de>
---
 misc/filefrag.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/misc/filefrag.c b/misc/filefrag.c
index 6308bc6d1f91..62d583b2ea23 100644
--- a/misc/filefrag.c
+++ b/misc/filefrag.c
@@ -438,13 +438,13 @@ static int frag_report(const char *filename)
 		goto out_close;
 	}
 
-	if (last_device != st.st_dev) {
+	if ((last_device != st.st_dev) || !st.st_dev) {
 		if (fstatfs(fd, &fsinfo) < 0) {
 			rc = -errno;
 			perror("fstatfs");
 			goto out_close;
 		}
-		if (ioctl(fd, FIGETBSZ, &blksize) < 0)
+		if ((ioctl(fd, FIGETBSZ, &blksize) < 0) || !blksize)
 			blksize = fsinfo.f_bsize;
 		if (verbose)
 			printf("Filesystem type is: %lx\n",

Powered by blists - more mailing lists