| To: | Eric Sandeen <sandeen@xxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH] xfs: catch invalid negative blknos in _xfs_buf_find() |
| From: | Mark Tinguely <tinguely@xxxxxxx> |
| Date: | Wed, 26 Nov 2014 10:38:05 -0600 |
| Cc: | xfs-oss <xfs@xxxxxxxxxxx> |
| Delivered-to: | xfs@xxxxxxxxxxx |
| In-reply-to: | <546D15E3.5000200@xxxxxxxxxx> |
| References: | <546D15E3.5000200@xxxxxxxxxx> |
| User-agent: | Mozilla/5.0 (X11; FreeBSD amd64; rv:9.0) Gecko/20120122 Thunderbird/9.0 |

On 11/19/14 16:12, Eric Sandeen wrote:
> Here blkno is a daddr_t, which is a __s64; it's possible to hold
> a value which is negative, and thus pass the (blkno >= eofs)
> test. Then we try to do a xfs_perag_get() for a ridiculous
> agno via xfs_daddr_to_agno(), and bad things happen when that
> fails, and returns a null pag which is dereferenced shortly
> thereafter.
>
> Found via a user-supplied fuzzed image...
>
> Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
> ---

Looks good.

I did a little playing with sending the try lock failure (EAGAIN?) and EFSCORRUPT error status up the stack. It looked straightforward and could save a xfs_buf allocation when we know it is not necessary.

Reviewed-by: Mark Tinguely <tinguely@xxxxxxx>
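
The signedness problem described in the quoted commit message, as an added example that is not part of the original thread or the XFS source: a user-space model comparing an upper-bound-only range check with one that also rejects negative block numbers. Every `toy_*` name, the AG geometry and the return codes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int64_t toy_daddr_t;   /* models daddr_t, a signed 64-bit type per the post */
#define TOY_AG_COUNT  4u       /* constructed geometry: 4 allocation groups */
#define TOY_AG_BLOCKS 1024     /* constructed: sectors per allocation group */
enum { LOOKUP_OK = 0, LOOKUP_REJECTED = 1, LOOKUP_NULL_PAG = 2 };

struct toy_perag { uint32_t agno; };
static struct toy_perag toy_perags[TOY_AG_COUNT] = { {0}, {1}, {2}, {3} };

/* Stand-in for xfs_perag_get(): NULL when the AG number does not exist. */
static struct toy_perag *toy_perag_get(uint32_t agno)
{
    return agno < TOY_AG_COUNT ? &toy_perags[agno] : NULL;
}

/* Stand-in for xfs_daddr_to_agno(): a negative blkno yields a huge agno. */
static uint32_t toy_daddr_to_agno(toy_daddr_t blkno)
{
    return (uint32_t)((uint64_t)blkno / TOY_AG_BLOCKS);
}

/* Upper bound only: any negative value compares below eofs and passes. */
static int range_check_upper_only(toy_daddr_t b, toy_daddr_t eofs) { return b >= eofs; }
/* Signed-aware check: negative block numbers are out of range too. */
static int range_check_signed(toy_daddr_t b, toy_daddr_t eofs) { return b < 0 || b >= eofs; }

/* Lookup path: range check first, then per-AG lookup (hypothetical model). */
static int toy_buf_find(toy_daddr_t blkno, int (*out_of_range)(toy_daddr_t, toy_daddr_t))
{
    toy_daddr_t eofs = (toy_daddr_t)TOY_AG_COUNT * TOY_AG_BLOCKS;
    if (out_of_range(blkno, eofs))
        return LOOKUP_REJECTED;
    struct toy_perag *pag = toy_perag_get(toy_daddr_to_agno(blkno));
    return pag ? LOOKUP_OK : LOOKUP_NULL_PAG; /* NULL here is the dereference risk */
}

int main(void)
{
    toy_daddr_t fuzzed = -8;   /* constructed negative block number */
    printf("upper-only check: %d\n", toy_buf_find(fuzzed, range_check_upper_only));
    printf("signed check:     %d\n", toy_buf_find(fuzzed, range_check_signed));
    return 0;
}
```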