e9b290532b
- Fix block overflows in xfs_repair and xfs_metadump
From: Eric Sandeen <sandeen@sandeen.net>
Date: Thu, 2 Jul 2009 05:29:36 +0000 (-0500)
Subject: xfs_repair: fix agcount*agblocks overflows
X-Git-Url: http://git.kernel.org/?p=fs%2Fxfs%2Fxfsprogs-dev.git;a=commitdiff_plain;h=003e8e41124707f55b20b376a6359dc7f6292991
xfs_repair: fix agcount*agblocks overflows
The last test in verify_ag_bno() may overflow:
return (agbno >= (sbp->sb_dblocks -
((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
because sb_agcount & sb_agblocks are 32-bit integers; this
may then miss corrupt agbnos for the last ag, which can in
turn lead to out of bounds memory accesses later, for example
when the block nr is used to offset in set_agbno_state():
addr = ba_bmap[(agno)] + (ag_blockno)/XR_BB_NUM;
Similar problems in mk_incore_fstree
Reported-by: Jesse Stroik <jstroik@ssec.wisc.edu>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
Reviewed-by: Felix Blyakher <felixb@sgi.com>
---
From: Eric Sandeen <sandeen@sandeen.net>
Date: Mon, 6 Jul 2009 19:53:35 +0000 (-0500)
Subject: xfs_metadump: agcount*agblocks overflow
X-Git-Url: http://git.kernel.org/?p=fs%2Fxfs%2Fxfsprogs-dev.git;a=commitdiff_plain;h=66be354ed0dfb73566f504ac7301fab7915e9475
xfs_metadump: agcount*agblocks overflow
Found another potential overflow in xfs_metadump,
similar to those just fixed in repair.
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
Reviewed-by: Christoph Hellwig <hch@infradead.org>
---
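diff --git a/repair/dinode.c b/repair/dinode.c
index fdf52db..84e1d05 100644
--- a/repair/dinode.c
+++ b/repair/dinode.c
@@ -319,7 +319,8 @@ verify_ag_bno(xfs_sb_t *sbp,
 return (agbno >= sbp->sb_agblocks);
 if (agno == (sbp->sb_agcount - 1))
 return (agbno >= (sbp->sb_dblocks -
- ((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
+ ((xfs_drfsbno_t)(sbp->sb_agcount - 1) *
+ sbp->sb_agblocks)));
 return 1;
 }
 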
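Review bot: The subtraction in the last-AG branch can still wrap when sb_dblocks is smaller than (sb_agcount - 1) * sb_agblocks, a combination a damaged superblock could present. The wrapped difference is very large, so `agbno >= ...` evaluates false, and since the final `return 1` suggests nonzero means out of range, a bad agbno would pass as valid. Unless the geometry is validated before verify_ag_bno is reached (not visible here), compute the widened product into a local first and add `if (sbp->sb_dblocks < last_ag_start) return 1;` before the comparison. The same expression is used in mk_incore_fstree (repair/phase5.c) and valid_bno (db/metadump.c), and verify_ag_bno itself starts outside this hunk.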
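diff --git a/repair/phase5.c b/repair/phase5.c
index 2c243b6..26f5aa2 100644
--- a/repair/phase5.c
+++ b/repair/phase5.c
@@ -113,7 +113,8 @@ mk_incore_fstree(xfs_mount_t *mp, xfs_agnumber_t agno)
 ag_end = mp->m_sb.sb_agblocks;
 else
 ag_end = mp->m_sb.sb_dblocks -
- mp->m_sb.sb_agblocks * (mp->m_sb.sb_agcount - 1);
+ (xfs_drfsbno_t)mp->m_sb.sb_agblocks *
+ (mp->m_sb.sb_agcount - 1);
 
 /*
 * ok, now find the number of extents, keep track of the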
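Review bot: The widened difference is assigned to ag_end, whose declaration is outside this hunk; if ag_end is a 32-bit AG block number, a result that does not fit (sb_dblocks inconsistent with agcount and agblocks) would be truncated silently instead of being rejected. A comment above the assignment such as `/* last AG may be short; 64-bit math because agblocks * (agcount - 1) can exceed 32 bits */` would record why the cast is there. The cast sits on sb_agblocks here but on (sb_agcount - 1) in verify_ag_bno and valid_bno; using one form at all three sites makes them easier to audit together.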
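diff --git a/db/metadump.c b/db/metadump.c
index 19aed4f..ef6e571 100644
--- a/db/metadump.c
+++ b/db/metadump.c
@@ -222,7 +222,8 @@ valid_bno(
 return 1;
 if (agno == (mp->m_sb.sb_agcount - 1) && agbno > 0 &&
 agbno <= (mp->m_sb.sb_dblocks -
- (mp->m_sb.sb_agcount - 1) * mp->m_sb.sb_agblocks))
+ (xfs_drfsbno_t)(mp->m_sb.sb_agcount - 1) *
+ mp->m_sb.sb_agblocks))
 return 1;
 
 return 0;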
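Review bot: The last-AG test accepts `agbno <=` the length of the last AG, whereas verify_ag_bno in repair/dinode.c treats `agbno >=` that same length as out of range, so the two tools disagree about the block one past the end. If agbno is a zero-based block number within the AG, the matching bound here would be `agbno < (mp->m_sb.sb_dblocks -`. The first branch of valid_bno lies outside this hunk and may use the same inclusive comparison, so both should be checked against the callers before changing either.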