ext4: fix ext4_empty_dir() for directories with holes
commit64d4ce8923upstream. Function ext4_empty_dir() doesn't correctly handle directories with holes and crashes on bh->b_data dereference when bh is NULL. Reorganize the loop to use 'offset' variable all the times instead of comparing pointers to current direntry with bh->b_data pointer. Also add more strict checking of '.' and '..' directory entries to avoid entering loop in possibly invalid state on corrupted filesystems. References: CVE-2019-19037 CC: stable@vger.kernel.org Fixes:4e19d6b65f("ext4: allow directory holes") Signed-off-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20191202170213.4761-2-jack@suse.cz Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Jan Kara
Greg Kroah-Hartman
parent
bc8ccc0d4f
commit
6cc4ccdd0b
|
|
@ -2808,7 +2808,7 @@ bool ext4_empty_dir(struct inode *inode)
|
|||
{
|
||||
unsigned int offset;
|
||||
struct buffer_head *bh;
|
||||
struct ext4_dir_entry_2 *de, *de1;
|
||||
struct ext4_dir_entry_2 *de;
|
||||
struct super_block *sb;
|
||||
|
||||
if (ext4_has_inline_data(inode)) {
|
||||
|
|
@ -2833,19 +2833,25 @@ bool ext4_empty_dir(struct inode *inode)
|
|||
return true;
|
||||
|
||||
de = (struct ext4_dir_entry_2 *) bh->b_data;
|
||||
de1 = ext4_next_entry(de, sb->s_blocksize);
|
||||
if (le32_to_cpu(de->inode) != inode->i_ino ||
|
||||
le32_to_cpu(de1->inode) == 0 ||
|
||||
strcmp(".", de->name) || strcmp("..", de1->name)) {
|
||||
ext4_warning_inode(inode, "directory missing '.' and/or '..'");
|
||||
if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
|
||||
0) ||
|
||||
le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) {
|
||||
ext4_warning_inode(inode, "directory missing '.'");
|
||||
brelse(bh);
|
||||
return true;
|
||||
}
|
||||
offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) +
|
||||
ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize);
|
||||
de = ext4_next_entry(de1, sb->s_blocksize);
|
||||
offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
|
||||
de = ext4_next_entry(de, sb->s_blocksize);
|
||||
if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
|
||||
offset) ||
|
||||
le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {
|
||||
ext4_warning_inode(inode, "directory missing '..'");
|
||||
brelse(bh);
|
||||
return true;
|
||||
}
|
||||
offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
|
||||
while (offset < inode->i_size) {
|
||||
if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) {
|
||||
if (!(offset & (sb->s_blocksize - 1))) {
|
||||
unsigned int lblock;
|
||||
brelse(bh);
|
||||
lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb);
|
||||
|
|
@ -2856,12 +2862,11 @@ bool ext4_empty_dir(struct inode *inode)
|
|||
}
|
||||
if (IS_ERR(bh))
|
||||
return true;
|
||||
de = (struct ext4_dir_entry_2 *) bh->b_data;
|
||||
}
|
||||
de = (struct ext4_dir_entry_2 *) (bh->b_data +
|
||||
(offset & (sb->s_blocksize - 1)));
|
||||
if (ext4_check_dir_entry(inode, NULL, de, bh,
|
||||
bh->b_data, bh->b_size, offset)) {
|
||||
de = (struct ext4_dir_entry_2 *)(bh->b_data +
|
||||
sb->s_blocksize);
|
||||
offset = (offset | (sb->s_blocksize - 1)) + 1;
|
||||
continue;
|
||||
}
|
||||
|
|
@ -2870,7 +2875,6 @@ bool ext4_empty_dir(struct inode *inode)
|
|||
return false;
|
||||
}
|
||||
offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
|
||||
de = ext4_next_entry(de, sb->s_blocksize);
|
||||
}
|
||||
brelse(bh);
|
||||
return true;
|
||||
|
|
|
|||
Loading…
Reference in New Issue