xfs: don't crash the vfs on a garbage inline symlink

The VFS routine that calls ->get_link blindly copies whatever's returned into the user's buffer. If we return a NULL pointer, the vfs will crash on the null pointer. Therefore, return -EFSCORRUPTED instead of blowing up the kernel. [dgc: clean up with hch's suggestions] Reported-by: wen.xu@gatech.edu Signed-off-by: N Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: N Allison Henderson <allison.henderson@oracle.com> Signed-off-by: N Dave Chinner <david@fromorbit.com>

xfs: don't crash the vfs on a garbage inline symlink
The VFS routine that calls ->get_link blindly copies whatever's returned into the user's buffer. If we return a NULL pointer, the vfs will crash on the null pointer. Therefore, return -EFSCORRUPTED instead of blowing up the kernel. [dgc: clean up with hch's suggestions] Reported-by: wen.xu@gatech.edu Signed-off-by: N Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: N Allison Henderson <allison.henderson@oracle.com> Signed-off-by: N Dave Chinner <david@fromorbit.com>
ae294787 · Darrick J. Wong · Dave Chinner · 5b394b2d · ae294787
隐藏空白更改
内联并排

Showing with 11 addition and 1 deletion

fs/xfs/xfs_iops.c fs/xfs/xfs_iops.c +11 -1

未找到文件。
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -471,8 +471,18 @@ xfs_vn_get_link_inline(
 	struct inode		*inode,
 	struct delayed_call	*done)
 {
+	char			*link;
+
 	ASSERT(XFS_I(inode)->i_df.if_flags & XFS_IFINLINE);
-	return XFS_I(inode)->i_df.if_u1.if_data;
+
+	/*
+	 * The VFS crashes on a NULL pointer, so return -EFSCORRUPTED if
+	 * if_data is junk.
+	 */
+	link = XFS_I(inode)->i_df.if_u1.if_data;
+	if (!link)
+		return ERR_PTR(-EFSCORRUPTED);
+	return link;
 }

 STATIC int