mirror of
https://github.com/torvalds/linux.git
synced 2026-05-12 16:18:45 +02:00
Changes since the last update:
- Fix dirent nameoff handling to avoid out-of-bound reads
out of crafted images
- Fix two type truncation issues on 32-bit platforms
-----BEGIN PGP SIGNATURE-----
iQJFBAABCgAvFiEEQ0A6bDUS9Y+83NPFUXZn5Zlu5qoFAmnnueoRHHhpYW5nQGtl
cm5lbC5vcmcACgkQUXZn5Zlu5qq96Q/9E0jTTtPQiuMe9vL0+vDftVMDSQXprjaW
J6Ax14gt1VAFfvTT04tf9BYXtdilJP5S8uP/mwi9Z6mHmE50cRbGzmRmvBhL1F9b
cgJvYQYABGpQ8mSYyUQ02lT/ZpjuUVorgwYzcYvYL6ZDPdKq/ANgBC7ZfJHZG0Kh
uEZyCbujmn6wFSmsPkpMWBoG2uwuD/zkZIr/+/V8CMlp7BhpcBWYnIi0cziF4QnY
IGhzLj75e5jsyOFOxmF26ubDh1vCSkkXkE7h2UP+7H11RK4kh4tZ01Fgc6A8sK8z
umXHKFb2N9naAFIkJuOJsYjqIQgVWSdEbu0IGarfxH+rd9D22SS0U0mt++CGlcPE
a1lhmCNh77jdcgqzny+KUhga/FmGNpPw9S/2MvRc3ybUCOCzpcT7YwKlLyYF9u8F
0eXrLLtrveibmIriVyYHzt3xJnRM+MaJqULTiCs+AsgM6HY2ZjU1hbpfjBeiAj24
PqmSXAxRleACQJv/qwyJ8h7/Fm53ikjOlRnhKjQxreIDW7F0/3FYTwE9nbfkPSaR
fXPUR8YXzIO9rpBXOplX+HHkQMHE0SAH64nU9bMOXzo+FV4kh9RfmZtudQCilegW
/k5IGNmnXybRVkgafZdrz5iBTCw+k0OM9gE145bJfevNwQNS+SsJD/HO38H1asy7
Jr1NL9qQ8Io=
=sbRm
-----END PGP SIGNATURE-----
Merge tag 'erofs-for-7.1-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs
Pull erofs fixes from Gao Xiang:
- Fix dirent nameoff handling to avoid out-of-bound reads
out of crafted images
- Fix two type truncation issues on 32-bit platforms
* tag 'erofs-for-7.1-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
erofs: unify lcn as u64 for 32-bit platforms
erofs: fix offset truncation when shifting pgoff on 32-bit platforms
erofs: fix the out-of-bounds nameoff handling for trailing dirents
This commit is contained in:
Linus Torvalds
commit
6fdca3c5ab
|
|
@ -39,7 +39,7 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offset, bool need_kmap)
|
|||
* However, the data access range must be verified here in advance.
|
||||
*/
|
||||
if (buf->file) {
|
||||
fpos = index << PAGE_SHIFT;
|
||||
fpos = (loff_t)index << PAGE_SHIFT;
|
||||
err = rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE);
|
||||
if (err < 0)
|
||||
return ERR_PTR(err);
|
||||
|
|
|
|||
|
|
@ -19,20 +19,18 @@ static int erofs_fill_dentries(struct inode *dir, struct dir_context *ctx,
|
|||
const char *de_name = (char *)dentry_blk + nameoff;
|
||||
unsigned int de_namelen;
|
||||
|
||||
/* the last dirent in the block? */
|
||||
if (de + 1 >= end)
|
||||
de_namelen = strnlen(de_name, maxsize - nameoff);
|
||||
else
|
||||
/* non-trailing dirent in the directory block? */
|
||||
if (de + 1 < end)
|
||||
de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
|
||||
else if (maxsize <= nameoff)
|
||||
goto err_bogus;
|
||||
else
|
||||
de_namelen = strnlen(de_name, maxsize - nameoff);
|
||||
|
||||
/* a corrupted entry is found */
|
||||
if (nameoff + de_namelen > maxsize ||
|
||||
de_namelen > EROFS_NAME_LEN) {
|
||||
erofs_err(dir->i_sb, "bogus dirent @ nid %llu",
|
||||
EROFS_I(dir)->nid);
|
||||
DBG_BUGON(1);
|
||||
return -EFSCORRUPTED;
|
||||
}
|
||||
/* a corrupted entry is found (including negative namelen) */
|
||||
if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) ||
|
||||
nameoff + de_namelen > maxsize)
|
||||
goto err_bogus;
|
||||
|
||||
if (!dir_emit(ctx, de_name, de_namelen,
|
||||
erofs_nid_to_ino64(EROFS_SB(dir->i_sb),
|
||||
|
|
@ -42,6 +40,10 @@ static int erofs_fill_dentries(struct inode *dir, struct dir_context *ctx,
|
|||
ctx->pos += sizeof(struct erofs_dirent);
|
||||
}
|
||||
return 0;
|
||||
err_bogus:
|
||||
erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid);
|
||||
DBG_BUGON(1);
|
||||
return -EFSCORRUPTED;
|
||||
}
|
||||
|
||||
static int erofs_readdir(struct file *f, struct dir_context *ctx)
|
||||
|
|
@ -88,7 +90,7 @@ static int erofs_readdir(struct file *f, struct dir_context *ctx)
|
|||
}
|
||||
|
||||
nameoff = le16_to_cpu(de->nameoff);
|
||||
if (nameoff < sizeof(struct erofs_dirent) || nameoff >= bsz) {
|
||||
if (!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))) {
|
||||
erofs_err(sb, "invalid de[0].nameoff %u @ nid %llu",
|
||||
nameoff, EROFS_I(dir)->nid);
|
||||
err = -EFSCORRUPTED;
|
||||
|
|
|
|||
|
|
@ -1872,7 +1872,7 @@ static void z_erofs_pcluster_readmore(struct z_erofs_frontend *f,
|
|||
|
||||
if (cur < PAGE_SIZE)
|
||||
break;
|
||||
cur = (index << PAGE_SHIFT) - 1;
|
||||
cur = ((loff_t)index << PAGE_SHIFT) - 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
struct z_erofs_maprecorder {
|
||||
struct inode *inode;
|
||||
struct erofs_map_blocks *map;
|
||||
unsigned long lcn;
|
||||
u64 lcn;
|
||||
/* compression extent information gathered */
|
||||
u8 type, headtype;
|
||||
u16 clusterofs;
|
||||
|
|
@ -20,8 +20,7 @@ struct z_erofs_maprecorder {
|
|||
bool partialref, in_mbox;
|
||||
};
|
||||
|
||||
static int z_erofs_load_full_lcluster(struct z_erofs_maprecorder *m,
|
||||
unsigned long lcn)
|
||||
static int z_erofs_load_full_lcluster(struct z_erofs_maprecorder *m, u64 lcn)
|
||||
{
|
||||
struct inode *const inode = m->inode;
|
||||
struct erofs_inode *const vi = EROFS_I(inode);
|
||||
|
|
@ -94,7 +93,7 @@ static int get_compacted_la_distance(unsigned int lobits,
|
|||
}
|
||||
|
||||
static int z_erofs_load_compact_lcluster(struct z_erofs_maprecorder *m,
|
||||
unsigned long lcn, bool lookahead)
|
||||
u64 lcn, bool lookahead)
|
||||
{
|
||||
struct inode *const inode = m->inode;
|
||||
struct erofs_inode *const vi = EROFS_I(inode);
|
||||
|
|
@ -234,7 +233,7 @@ static int z_erofs_load_compact_lcluster(struct z_erofs_maprecorder *m,
|
|||
}
|
||||
|
||||
static int z_erofs_load_lcluster_from_disk(struct z_erofs_maprecorder *m,
|
||||
unsigned int lcn, bool lookahead)
|
||||
u64 lcn, bool lookahead)
|
||||
{
|
||||
struct erofs_inode *vi = EROFS_I(m->inode);
|
||||
int err;
|
||||
|
|
@ -249,7 +248,7 @@ static int z_erofs_load_lcluster_from_disk(struct z_erofs_maprecorder *m,
|
|||
return err;
|
||||
|
||||
if (m->type >= Z_EROFS_LCLUSTER_TYPE_MAX) {
|
||||
erofs_err(m->inode->i_sb, "unknown type %u @ lcn %u of nid %llu",
|
||||
erofs_err(m->inode->i_sb, "unknown type %u @ lcn %llu of nid %llu",
|
||||
m->type, lcn, EROFS_I(m->inode)->nid);
|
||||
DBG_BUGON(1);
|
||||
return -EOPNOTSUPP;
|
||||
|
|
@ -269,7 +268,7 @@ static int z_erofs_extent_lookback(struct z_erofs_maprecorder *m,
|
|||
const unsigned int lclusterbits = vi->z_lclusterbits;
|
||||
|
||||
while (m->lcn >= lookback_distance) {
|
||||
unsigned long lcn = m->lcn - lookback_distance;
|
||||
u64 lcn = m->lcn - lookback_distance;
|
||||
int err;
|
||||
|
||||
if (!lookback_distance)
|
||||
|
|
@ -286,7 +285,7 @@ static int z_erofs_extent_lookback(struct z_erofs_maprecorder *m,
|
|||
m->map->m_la = (lcn << lclusterbits) | m->clusterofs;
|
||||
return 0;
|
||||
}
|
||||
erofs_err(sb, "bogus lookback distance %u @ lcn %lu of nid %llu",
|
||||
erofs_err(sb, "bogus lookback distance %u @ lcn %llu of nid %llu",
|
||||
lookback_distance, m->lcn, vi->nid);
|
||||
DBG_BUGON(1);
|
||||
return -EFSCORRUPTED;
|
||||
|
|
@ -300,7 +299,7 @@ static int z_erofs_get_extent_compressedlen(struct z_erofs_maprecorder *m,
|
|||
struct erofs_inode *vi = EROFS_I(inode);
|
||||
bool bigpcl1 = vi->z_advise & Z_EROFS_ADVISE_BIG_PCLUSTER_1;
|
||||
bool bigpcl2 = vi->z_advise & Z_EROFS_ADVISE_BIG_PCLUSTER_2;
|
||||
unsigned long lcn = m->lcn + 1;
|
||||
u64 lcn = m->lcn + 1;
|
||||
int err;
|
||||
|
||||
DBG_BUGON(m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD);
|
||||
|
|
@ -331,7 +330,7 @@ static int z_erofs_get_extent_compressedlen(struct z_erofs_maprecorder *m,
|
|||
m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD);
|
||||
|
||||
if (m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD && m->delta[0] != 1) {
|
||||
erofs_err(sb, "bogus CBLKCNT @ lcn %lu of nid %llu", lcn, vi->nid);
|
||||
erofs_err(sb, "bogus CBLKCNT @ lcn %llu of nid %llu", lcn, vi->nid);
|
||||
DBG_BUGON(1);
|
||||
return -EFSCORRUPTED;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user