[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <871uxoimqf.fsf_-_@elisp.net>
Date: Mon, 18 Jul 2011 07:08:40 +0900
From: Naohiro Aota <naota@...sp.net>
To: Christoph Hellwig <hch@...radead.org>
Cc: linux-fsdevel@...r.kernel.org, Christoph Hellwig <hch@...era.com>,
Eric Sandeen <sandeen@...hat.com>,
Anton Salikhmetov <alexo@...era.com>,
Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org
Subject: [PATCH v2] hfsplus: Add additional range check to handle on-disk corruptions
Christoph Hellwig <hch@...radead.org> writes:
>>
>> diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
>> index 2312de3..5c51d04 100644
>> --- a/fs/hfsplus/brec.c
>> +++ b/fs/hfsplus/brec.c
>> @@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
>> node->tree->node_size - (rec + 1) * 2);
>> if (!recoff)
>> return 0;
>> + if (recoff >= node->tree->node_size) {
>> + printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
>> + return 0;
>> + }
>
> As non-obvious as it sounds 0 is indded the canonical error return from
> hfs_brec_keylen, so that patch looks good to me. Can you resend it
> with a better title and description mentioning better validatation of
> the on-disk structures?
I've revised the patch and description.
Change from v1:
Change the check from "recoff >= node->tree->node_size" to "recoff >
node->tree->node_size - 2": Check not only the first byte but also the
last byte to be read is in to be read is in node range.
>From 68382a218dac9ba4fe659aa77e350bce3a1c365a Mon Sep 17 00:00:00 2001
From: Naohiro Aota <naota@...sp.net>
Date: Tue, 12 Jul 2011 02:54:13 +0900
'recoff' is read from disk and used for an argument to memcpy, so if
the value read from disk is larger than the page size, it result to
"general protection fault". This patch add additional range check for
the value, so that disk fuzz won't cause such fault.
Signed-off-by: Naohiro Aota <naota@...sp.net>
---
fs/hfsplus/brec.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
index 2312de3..2a734cf 100644
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
node->tree->node_size - (rec + 1) * 2);
if (!recoff)
return 0;
+ if (recoff > node->tree->node_size - 2) {
+ printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
+ return 0;
+ }
retval = hfs_bnode_read_u16(node, recoff) + 2;
if (retval > node->tree->max_key_len + 2) {
--
1.7.6
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists