[PATCH V3] xfs_repair: fix agcount*agblocks overflows
Felix Blyakher
felixb at sgi.com
Thu Jul 2 00:24:31 CDT 2009
On Jul 1, 2009, at 11:13 PM, Eric Sandeen wrote:
> (V3: found another spot with this problem)
>
> The last test in verify_ag_bno() may overflow:
>
> return (agbno >= (sbp->sb_dblocks -
> ((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
>
> because sb_agcount & sb_agblocks are 32-bit integers; this
> may then miss corrupt agbnos for the last ag, which can in
> turn lead to out of bounds memory accesses later, for example
> when the block nr is used to offset in set_agbno_state():
>
> addr = ba_bmap[(agno)] + (ag_blockno)/XR_BB_NUM;
>
> Similar problems in mk_incore_fstree
>
> Reported-by: Jesse Stroik <jstroik at ssec.wisc.edu>
> Signed-off-by: Eric Sandeen <sandeen at sandeen.net>
Reviewed-by: Felix Blyakher <felixb at sgi.com>
>
> ---
>
> diff --git a/repair/dinode.c b/repair/dinode.c
> index fdf52db..84e1d05 100644
> --- a/repair/dinode.c
> +++ b/repair/dinode.c
> @@ -319,7 +319,8 @@ verify_ag_bno(xfs_sb_t *sbp,
> return (agbno >= sbp->sb_agblocks);
> if (agno == (sbp->sb_agcount - 1))
> return (agbno >= (sbp->sb_dblocks -
> - ((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
> + ((xfs_drfsbno_t)(sbp->sb_agcount - 1) *
> + sbp->sb_agblocks)));
> return 1;
> }
>
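Review bot: the cast sits on the left operand, `(xfs_drfsbno_t)(sbp->sb_agcount - 1)`, so the multiply itself is done in 64 bits before the subtraction from `sb_dblocks`; a cast wrapped around the whole product would only widen the already-wrapped 32-bit result, so this placement is the one that fixes the bug. The subtraction still assumes `sb_dblocks >= (sb_agcount - 1) * sb_agblocks`; if the superblock itself is corrupt and violates that, the unsigned subtraction wraps to a huge value and `agbno >= ...` is false for every agbno, so a short comment pointing at where the superblock geometry is validated would make that dependency explicit.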
> diff --git a/repair/phase5.c b/repair/phase5.c
> index 2c243b6..77c7363 100644
> --- a/repair/phase5.c
> +++ b/repair/phase5.c
> @@ -113,7 +113,8 @@ mk_incore_fstree(xfs_mount_t *mp, xfs_agnumber_t
> agno)
> ag_end = mp->m_sb.sb_agblocks;
> else
> ag_end = mp->m_sb.sb_dblocks -
> - mp->m_sb.sb_agblocks * (mp->m_sb.sb_agcount - 1);
> + (xfs_drfsbno_t)mp->m_sb.sb_agblocks *
> + (mp->m_sb.sb_agcount - 1);
>
> /*
> * ok, now find the number of extents, keep track of the
>
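Review bot: the last-AG block count is now computed in two places with the cast on different operands (`(xfs_drfsbno_t)mp->m_sb.sb_agblocks * (mp->m_sb.sb_agcount - 1)` here, `(xfs_drfsbno_t)(sbp->sb_agcount - 1) * sbp->sb_agblocks` in dinode.c); both are correct, but a small shared helper that returns the block count of the last AG from the superblock would keep the two expressions from drifting and stop the unwidened multiply from being reintroduced at a third call site. Also worth confirming that `ag_end`, declared outside this hunk, is wide enough for the assignment: with a consistent superblock the result is below `sb_agblocks` and fits a 32-bit type, but if `ag_end` is 32-bit the widened product is silently truncated on assignment for an inconsistent one.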
> _______________________________________________
> xfs mailing list
> xfs at oss.sgi.com
> http://oss.sgi.com/mailman/listinfo/xfs
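An added example, not part of Eric's patch or of xfs_repair itself, that puts the pre-patch and post-patch forms of the last-AG test side by side on a constructed geometry where the 32-bit product wraps to exactly zero. The type stand-ins, the `struct sb` with only the three fields the check reads, and the first `agno <` branch (taken from the hunk's context lines) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the XFS types and superblock fields the check
 * reads; these are assumptions, not the real xfs_sb_t. */
typedef uint32_t xfs_agnumber_t;
typedef uint32_t xfs_agblock_t;
typedef uint64_t xfs_drfsbno_t;
struct sb { uint32_t sb_agcount; uint32_t sb_agblocks; uint64_t sb_dblocks; };

/* Pre-patch check: the product is evaluated in 32 bits and can wrap.
 * The first branch is assumed from the hunk's context lines.
 * Returns non-zero when agbno is out of range for agno. */
static int verify_ag_bno_old(const struct sb *sbp, xfs_agnumber_t agno,
                             xfs_agblock_t agbno)
{
    if (agno < (sbp->sb_agcount - 1))
        return (agbno >= sbp->sb_agblocks);
    if (agno == (sbp->sb_agcount - 1))
        return (agbno >= (sbp->sb_dblocks -
                ((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
    return 1;
}

/* Post-patch check: widen one operand so the multiply is done in 64 bits. */
static int verify_ag_bno_new(const struct sb *sbp, xfs_agnumber_t agno,
                             xfs_agblock_t agbno)
{
    if (agno < (sbp->sb_agcount - 1))
        return (agbno >= sbp->sb_agblocks);
    if (agno == (sbp->sb_agcount - 1))
        return (agbno >= (sbp->sb_dblocks -
                ((xfs_drfsbno_t)(sbp->sb_agcount - 1) * sbp->sb_agblocks)));
    return 1;
}

/* Constructed geometry: 8193 AGs of 2^20 blocks, last AG holds 500000 blocks.
 * (agcount - 1) * agblocks = 2^33, which is 0 modulo 2^32, so the old check
 * subtracts nothing from sb_dblocks and accepts any agbno in the last AG. */
static const struct sb example_sb = {
    .sb_agcount = 8193, .sb_agblocks = 1u << 20,
    .sb_dblocks = 8192ull * (1u << 20) + 500000,
};

int main(void)
{
    xfs_agnumber_t last = example_sb.sb_agcount - 1;
    xfs_agblock_t bad = 600000; /* beyond the last AG's 500000 blocks */
    printf("old: %d  new: %d\n", verify_ag_bno_old(&example_sb, last, bad),
           verify_ag_bno_new(&example_sb, last, bad)); /* prints "old: 0  new: 1" */
    return 0;
}
```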