2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Maiolino <[email protected]>
commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24 upstream
Fixes a possible memory corruption when the link is larger than
MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
S_ISLNK assert, since the inode mode is checked previously in
xfs_readlink_by_handle() and via VFS.
Updated to address concerns raised by Ben Hutchings about the loose
attention paid to 32- vs 64-bit values, and the lack of handling a
potentially negative pathlen value:
- Changed type of "pathlen" to be xfs_fsize_t, to match that of
ip->i_d.di_size
- Added checking for a negative pathlen to the too-long pathlen
test, and generalized the message that gets reported in that case
to reflect the change
As a result, if a negative pathlen were encountered, this function
would return EFSCORRUPTED (and would fail an assertion for a debug
build)--just as would a too-long pathlen.
Signed-off-by: Alex Elder <[email protected]>
Signed-off-by: Carlos Maiolino <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
[dannf: backported to Debian's 2.6.32]
Signed-off-by: Willy Tarreau <[email protected]>
---
fs/xfs/xfs_vnodeops.c | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
index 8f32f50..1638884 100644
--- a/fs/xfs/xfs_vnodeops.c
+++ b/fs/xfs/xfs_vnodeops.c
@@ -554,7 +554,7 @@ xfs_readlink(
char *link)
{
xfs_mount_t *mp = ip->i_mount;
- int pathlen;
+ xfs_fsize_t pathlen;
int error = 0;
xfs_itrace_entry(ip);
@@ -564,13 +564,20 @@ xfs_readlink(
xfs_ilock(ip, XFS_ILOCK_SHARED);
- ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
-
pathlen = ip->i_d.di_size;
if (!pathlen)
goto out;
+ if (pathlen < 0 || pathlen > MAXPATHLEN) {
+ xfs_fs_cmn_err(CE_ALERT, mp,
+ "%s: inode (%llu) bad symlink length (%lld)",
+ __func__, (unsigned long long) ip->i_ino,
+ (long long) pathlen);
+ ASSERT(0);
+ return XFS_ERROR(EFSCORRUPTED);
+ }
+
+
if (ip->i_df.if_flags & XFS_IFINLINE) {
memcpy(link, ip->i_df.if_u1.if_data, pathlen);
link[pathlen] = '\0';
--
1.7.2.1.45.g54fbc
On Tue, Oct 02, 2012 at 12:52:43AM +0200, Willy Tarreau wrote:
> 2.6.32-longterm review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Carlos Maiolino <[email protected]>
>
> commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24 upstream
>
[...]
> @@ -564,13 +564,20 @@ xfs_readlink(
>
> xfs_ilock(ip, XFS_ILOCK_SHARED);
>
> - ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
> - ASSERT(ip->i_d.di_size <= MAXPATHLEN);
> -
> pathlen = ip->i_d.di_size;
> if (!pathlen)
> goto out;
>
> + if (pathlen < 0 || pathlen > MAXPATHLEN) {
> + xfs_fs_cmn_err(CE_ALERT, mp,
> + "%s: inode (%llu) bad symlink length (%lld)",
> + __func__, (unsigned long long) ip->i_ino,
> + (long long) pathlen);
> + ASSERT(0);
> + return XFS_ERROR(EFSCORRUPTED);
This needs a followup fix, commit 9b025eb3a89e041bab6698e3858706be2385d692
("xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink()").
I think it should be also cherry-picked in this release.
> + }
> +
> +
> if (ip->i_df.if_flags & XFS_IFINLINE) {
> memcpy(link, ip->i_df.if_u1.if_data, pathlen);
> link[pathlen] = '\0';
--
[]'s
Herton
On Wed, Oct 03, 2012 at 12:01:54PM -0300, Herton Ronaldo Krzesinski wrote:
> This needs a followup fix, commit 9b025eb3a89e041bab6698e3858706be2385d692
> ("xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink()").
> I think it should be also cherry-picked in this release.
Thanks Herton for the reporting this, fix queued.
Regards,
Willy