Commit | Line | Data |
---|---|---|
f83c3543 GKH |
1 | From d8fd150fe3935e1692bf57c66691e17409ebb9c1 Mon Sep 17 00:00:00 2001 |
2 | From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> | |
3 | Date: Tue, 5 May 2015 16:24:00 -0700 | |
4 | Subject: nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() | |
5 | ||
6 | From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> | |
7 | ||
8 | commit d8fd150fe3935e1692bf57c66691e17409ebb9c1 upstream. | |
9 | ||
10 | The range check for b-tree level parameter in nilfs_btree_root_broken() | |
11 | is wrong; it accepts the case of "level == NILFS_BTREE_LEVEL_MAX" even | |
12 | though the level is limited to values in the range of 0 to | |
13 | (NILFS_BTREE_LEVEL_MAX - 1). | |
14 | ||
15 | Since the level parameter is read from storage device and used to index | |
16 | nilfs_btree_path array whose element count is NILFS_BTREE_LEVEL_MAX, it | |
17 | can cause memory overrun during btree operations if the boundary value | |
18 | is set to the level parameter on device. | |
19 | ||
20 | This fixes the broken sanity check and adds a comment to clarify that | |
21 | the upper bound NILFS_BTREE_LEVEL_MAX is exclusive. | |
22 | ||
23 | Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> | |
24 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
25 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
26 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
27 | ||
28 | --- | |
29 | fs/nilfs2/btree.c | 2 +- | |
30 | include/linux/nilfs2_fs.h | 2 +- | |
31 | 2 files changed, 2 insertions(+), 2 deletions(-) | |
32 | ||
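--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -388,7 +388,7 @@ static int nilfs_btree_root_broken(const
 nchildren = nilfs_btree_node_get_nchildren(node);
 
 if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
- level > NILFS_BTREE_LEVEL_MAX ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
 nchildren < 0 ||
 nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
 pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",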
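Review bot: The corrected comparison `level >= NILFS_BTREE_LEVEL_MAX` has no comment at the check explaining why the bound is exclusive, so the same off-by-one could return in a later edit. The commit message gives the reason: the level is read from the storage device and indexes the nilfs_btree_path array, which has NILFS_BTREE_LEVEL_MAX elements. I would put that above the condition, for example `/* level is read from disk and indexes nilfs_btree_path[]; NILFS_BTREE_LEVEL_MAX is exclusive */`. The hunk shows only the root-node check, and nilfs_btree_root_broken() starts and ends outside it. Any other place that validates an on-disk level against this macro is presumably worth checking for the inclusive form, but none is visible here.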
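--- a/include/linux/nilfs2_fs.h
+++ b/include/linux/nilfs2_fs.h
@@ -458,7 +458,7 @@ struct nilfs_btree_node {
 /* level */
 #define NILFS_BTREE_LEVEL_DATA 0
 #define NILFS_BTREE_LEVEL_NODE_MIN (NILFS_BTREE_LEVEL_DATA + 1)
-#define NILFS_BTREE_LEVEL_MAX 14
+#define NILFS_BTREE_LEVEL_MAX 14 /* Max level (exclusive) */
 
 /**
 * struct nilfs_palloc_group_desc - block group descriptor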