Message-Id: <20250801084145.501276-1-liuhuan01@kylinos.cn>
Date: Fri,  1 Aug 2025 16:41:46 +0800
From: liuhuan01@...inos.cn
To: cem@...nel.org
Cc: djwong@...nel.org,
	linux-xfs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	liuh <liuhuan01@...inos.cn>
Subject: [PATCH v1] xfs: prevent readdir infinite loop with billions subdirs

From: liuh <liuhuan01@...inos.cn>

When a directory contains billions of subdirs, readdir() repeatedly
gets the same data and goes into an infinite loop.
The root cause is that the pos gets truncated during assignment.
Fix it.

Signed-off-by: liuh <liuhuan01@...inos.cn>
---
 fs/xfs/xfs_dir2_readdir.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c
index 06ac5a7de60a..a7ec0d0c8070 100644
--- a/fs/xfs/xfs_dir2_readdir.c
+++ b/fs/xfs/xfs_dir2_readdir.c
@@ -465,7 +465,7 @@ xfs_dir2_leaf_getdents(
 		length = xfs_dir2_data_entsize(mp, dep->namelen);
 		filetype = xfs_dir2_data_get_ftype(mp, dep);
 
-		ctx->pos = xfs_dir2_byte_to_dataptr(curoff) & 0x7fffffff;
+		ctx->pos = xfs_dir2_byte_to_dataptr(curoff) & XFS_DIR2_MAX_DATAPTR;
 		if (XFS_IS_CORRUPT(dp->i_mount,
 				   !xfs_dir2_namecheck(dep->name,
 						       dep->namelen))) {
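
Review bot: In the `ctx->pos` assignment the mask widens from 31 bits (`0x7fffffff`) to `XFS_DIR2_MAX_DATAPTR`, but neither the changelog nor a comment explains why bit 31 was cleared before or why it is now safe to hand it to readdir callers. The macro's definition is not part of this diff, so please state its value in the commit message and spell out how the old mask made readdir() return the same entries again (which offsets alias once the top bit is dropped). A Fixes: tag and a short description of the reproducer would also help. Only xfs_dir2_leaf_getdents is touched; if other getdents paths in this file apply the same `& 0x7fffffff`, the changelog should say why they are left unchanged.
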
@@ -491,9 +491,9 @@ xfs_dir2_leaf_getdents(
 	 * All done.  Set output offset value to current offset.
 	 */
 	if (curoff > xfs_dir2_dataptr_to_byte(XFS_DIR2_MAX_DATAPTR))
-		ctx->pos = XFS_DIR2_MAX_DATAPTR & 0x7fffffff;
+		ctx->pos = XFS_DIR2_MAX_DATAPTR;
 	else
-		ctx->pos = xfs_dir2_byte_to_dataptr(curoff) & 0x7fffffff;
+		ctx->pos = xfs_dir2_byte_to_dataptr(curoff) & XFS_DIR2_MAX_DATAPTR;
 	if (bp)
 		xfs_trans_brelse(args->trans, bp);
 	return error;
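
Review bot: The two branches of the final `ctx->pos` update are now inconsistent: the `if` branch stores `XFS_DIR2_MAX_DATAPTR` unmasked while the `else` branch still applies `& XFS_DIR2_MAX_DATAPTR`. The condition just above already bounds curoff by `xfs_dir2_dataptr_to_byte(XFS_DIR2_MAX_DATAPTR)`, so in the `else` branch the converted value should not exceed the macro; if the macro is the all-ones maximum of the dataptr type (its definition is not shown here), the mask is a no-op and the line reads more clearly as `ctx->pos = xfs_dir2_byte_to_dataptr(curoff);`. The same applies to the assignment in the first hunk. Please also confirm that the code which converts ctx->pos back into curoff on the next call, outside this diff, handles values with bit 31 set.
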
-- 
2.25.1

