mirror of
https://github.com/torvalds/linux.git
synced 2024-11-22 20:22:09 +00:00
xfs: check log iovec size to make sure it's plausibly a buffer log format
When log recovery is processing buffer log items, we should check that the incoming iovec actually describes a region of memory large enough to contain the log format and the dirty map. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Christoph Hellwig <hch@lst.de>
This commit is contained in:
parent
b7df5e9205
commit
8a6453a89d
@ -27,6 +27,23 @@ static inline struct xfs_buf_log_item *BUF_ITEM(struct xfs_log_item *lip)
|
||||
|
||||
STATIC void xfs_buf_do_callbacks(struct xfs_buf *bp);
|
||||
|
||||
/* Is this log iovec plausibly large enough to contain the buffer log format? */
|
||||
bool
|
||||
xfs_buf_log_check_iovec(
|
||||
struct xfs_log_iovec *iovec)
|
||||
{
|
||||
struct xfs_buf_log_format *blfp = iovec->i_addr;
|
||||
char *bmp_end;
|
||||
char *item_end;
|
||||
|
||||
if (offsetof(struct xfs_buf_log_format, blf_data_map) > iovec->i_len)
|
||||
return false;
|
||||
|
||||
item_end = (char *)iovec->i_addr + iovec->i_len;
|
||||
bmp_end = (char *)&blfp->blf_data_map[blfp->blf_map_size];
|
||||
return bmp_end <= item_end;
|
||||
}
|
||||
|
||||
static inline int
|
||||
xfs_buf_log_format_size(
|
||||
struct xfs_buf_log_format *blfp)
|
||||
|
@ -61,6 +61,7 @@ void xfs_buf_iodone_callbacks(struct xfs_buf *);
|
||||
void xfs_buf_iodone(struct xfs_buf *, struct xfs_log_item *);
|
||||
bool xfs_buf_resubmit_failed_buffers(struct xfs_buf *,
|
||||
struct list_head *);
|
||||
bool xfs_buf_log_check_iovec(struct xfs_log_iovec *iovec);
|
||||
|
||||
extern kmem_zone_t *xfs_buf_item_zone;
|
||||
|
||||
|
@ -1934,6 +1934,12 @@ xlog_recover_buffer_pass1(
|
||||
struct list_head *bucket;
|
||||
struct xfs_buf_cancel *bcp;
|
||||
|
||||
if (!xfs_buf_log_check_iovec(&item->ri_buf[0])) {
|
||||
xfs_err(log->l_mp, "bad buffer log item size (%d)",
|
||||
item->ri_buf[0].i_len);
|
||||
return -EFSCORRUPTED;
|
||||
}
|
||||
|
||||
/*
|
||||
* If this isn't a cancel buffer item, then just return.
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user