author | Darrick J. Wong <darrick.wong@oracle.com> | 2018-01-16 18:54:13 -0800 |
---|---|---|
committer | Darrick J. Wong <darrick.wong@oracle.com> | 2018-01-17 21:00:46 -0800 |
commit | 55e45429ce3e4ac9dd2bf4937b1a499a69ccc4ca | |
tree | 88ea8bcc1c3ffaa721c478044304707d2fff8835 | |
parent | 79a69bf8dc240ebeb105226a8a8540df136bf987 | |
xfs: btree format ifork loader should check for zero numrecs
A btree format inode fork with zero records makes no sense, so reject it
if we see it, or else we can miscalculate memory allocations. Found by
zeroes fuzzing {a,u3}.bmbt.numrecs in xfs/{374,378,412} with KASAN.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
-rw-r--r-- | fs/xfs/libxfs/xfs_inode_fork.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c index c1c1a86e7f47..866d2861c625 100644 --- a/fs/xfs/libxfs/xfs_inode_fork.c +++ b/fs/xfs/libxfs/xfs_inode_fork.c @@ -298,6 +298,7 @@ xfs_iformat_btree( */ if (unlikely(XFS_IFORK_NEXTENTS(ip, whichfork) <= XFS_IFORK_MAXEXT(ip, whichfork) || + nrecs == 0 || XFS_BMDR_SPACE_CALC(nrecs) > XFS_DFORK_SIZE(dip, mp, whichfork) || XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) || |
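Review bot: The added `nrecs == 0 ||` term in the `unlikely(...)` condition of xfs_iformat_btree has no accompanying comment change, since the comment block that closes just above the `if` is left untouched by this hunk. If that comment describes the sanity checks, extend it to say that a btree-format fork root with zero records is rejected, and why, so the reason does not live only in the commit message. The placement is sound: the zero test comes before the `XFS_BMDR_SPACE_CALC(nrecs) > XFS_DFORK_SIZE(dip, mp, whichfork)` comparison, so a zero count never reaches the size calculation. Because the new term shares one compound condition with the extent-count and block-count checks, a zero `numrecs` will be reported the same way as those failures; if distinguishing them matters when triaging fuzzed or corrupted images, consider a separate check with its own message.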