[Acked] [Quantal][CVE-2013-1819] xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end

Andy Whitcroft apw at canonical.com
Mon Sep 2 13:06:23 UTC 2013 

On Fri, Aug 30, 2013 at 10:35:31AM +0100, Luis Henriques wrote:
> From: Dave Chinner <dchinner at redhat.com>
> 
> CVE-2013-1819
> 
> BugLink: http://bugs.launchpad.net/bugs/1151527
> 
> When _xfs_buf_find is passed an out of range address, it will fail
> to find a relevant struct xfs_perag and oops with a null
> dereference. This can happen when trying to walk a filesystem with a
> metadata inode that has a partially corrupted extent map (i.e. the
> block number returned is corrupt, but is otherwise intact) and we
> try to read from the corrupted block address.
> 
> In this case, just fail the lookup. If it is readahead being issued,
> it will simply not be done, but if it is real read that fails we
> will get an error being reported.  Ideally this case should result
> in an EFSCORRUPTED error being reported, but we cannot return an
> error through xfs_buf_read() or xfs_buf_get() so this lookup failure
> may result in ENOMEM or EIO errors being reported instead.
> 
> Signed-off-by: Dave Chinner <dchinner at redhat.com>
> Reviewed-by: Brian Foster <bfoster at redhat.com>
> Reviewed-by: Ben Myers <bpm at sgi.com>
> Signed-off-by: Ben Myers <bpm at sgi.com>
> (back ported from commit eb178619f930fa2ba2348de332a1ff1c66a31424)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  fs/xfs/xfs_buf.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
> index 9fade8c..3b8a9cd 100644
> --- a/fs/xfs/xfs_buf.c
> +++ b/fs/xfs/xfs_buf.c
> @@ -435,6 +435,7 @@ _xfs_buf_find(
>  	struct rb_node		**rbp;
>  	struct rb_node		*parent;
>  	xfs_buf_t		*bp;
> +	xfs_daddr_t		eofs;
>  
>  	numbytes = BBTOB(numblks);
>  
> @@ -442,6 +443,23 @@ _xfs_buf_find(
>  	ASSERT(!(numbytes < (1 << btp->bt_sshift)));
>  	ASSERT(!(BBTOB(blkno) & (xfs_off_t)btp->bt_smask));
>  
> +	/*
> +	 * Corrupted block numbers can get through to here, unfortunately, so we
> +	 * have to check that the buffer falls within the filesystem bounds.
> +	 */
> +	eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks);
> +	if (blkno >= eofs) {
> +		/*
> +		 * XXX (dgc): we should really be returning EFSCORRUPTED here,
> +		 * but none of the higher level infrastructure supports
> +		 * returning a specific error on buffer lookup failures.
> +		 */
> +		xfs_alert(btp->bt_mount,
> +			  "%s: Block out of range: block 0x%llx, EOFS 0x%llx ",
> +			  __func__, blkno, eofs);
> +		return NULL;
> +	}
> +
>  	/* get tree root */
>  	pag = xfs_perag_get(btp->bt_mount,
>  				xfs_daddr_to_agno(btp->bt_mount, blkno));

Seems to match the backported commit and its intent seems appropriate.

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw

More information about the kernel-team mailing list