提交 db52d09e 编写于 作者: E Eric Sandeen 提交者: Dave Chinner

xfs: catch invalid negative blknos in _xfs_buf_find()

Here blkno is a daddr_t, which is a __s64; it's possible to hold
a value which is negative, and thus pass the (blkno >= eofs)
test.  Then we try to do a xfs_perag_get() for a ridiculous
agno via xfs_daddr_to_agno(), and bad things happen when that
fails, and returns a null pag which is dereferenced shortly
thereafter.

Found via a user-supplied fuzzed image...
Signed-off-by: NEric Sandeen <sandeen@redhat.com>
Reviewed-by: NMark Tinguely <tinguely@sgi.com>
Signed-off-by: NDave Chinner <david@fromorbit.com>
上级 91ee575f
...@@ -461,7 +461,7 @@ _xfs_buf_find( ...@@ -461,7 +461,7 @@ _xfs_buf_find(
* have to check that the buffer falls within the filesystem bounds. * have to check that the buffer falls within the filesystem bounds.
*/ */
eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks); eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks);
if (blkno >= eofs) { if (blkno < 0 || blkno >= eofs) {
/* /*
* XXX (dgc): we should really be returning -EFSCORRUPTED here, * XXX (dgc): we should really be returning -EFSCORRUPTED here,
* but none of the higher level infrastructure supports * but none of the higher level infrastructure supports
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册