xfs: btree format ifork loader should check for zero numrecs

A btree format inode fork with zero records makes no sense, so reject it if we see it, or else we can miscalculate memory allocations. Found by zeroes fuzzing {a,u3}.bmbt.numrecs in xfs/{374,378,412} with KASAN. Signed-off-by: N Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: N Brian Foster <bfoster@redhat.com>

xfs: btree format ifork loader should check for zero numrecs
A btree format inode fork with zero records makes no sense, so reject it if we see it, or else we can miscalculate memory allocations. Found by zeroes fuzzing {a,u3}.bmbt.numrecs in xfs/{374,378,412} with KASAN. Signed-off-by: N Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: N Brian Foster <bfoster@redhat.com>
55e45429 · Darrick J. Wong · 79a69bf8 · 55e45429
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

fs/xfs/libxfs/xfs_inode_fork.c fs/xfs/libxfs/xfs_inode_fork.c +1 -0

未找到文件。
--- a/fs/xfs/libxfs/xfs_inode_fork.c
+++ b/fs/xfs/libxfs/xfs_inode_fork.c
@@ -298,6 +298,7 @@ xfs_iformat_btree(
 	 */
 	if (unlikely(XFS_IFORK_NEXTENTS(ip, whichfork) <=
 					XFS_IFORK_MAXEXT(ip, whichfork) ||
+		     nrecs == 0 ||
 		     XFS_BMDR_SPACE_CALC(nrecs) >
 					XFS_DFORK_SIZE(dip, mp, whichfork) ||
 		     XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) ||