xfs_repair: fix agcount*agblocks overflows
authorEric Sandeen <sandeen@sandeen.net>
Thu, 2 Jul 2009 05:29:36 +0000 (00:29 -0500)
committerEric Sandeen <sandeen@sandeen.net>
Thu, 2 Jul 2009 05:29:36 +0000 (00:29 -0500)
The last test in verify_ag_bno() may overflow:

return (agbno >= (sbp->sb_dblocks -
((sbp->sb_agcount - 1) * sbp->sb_agblocks)));

because sb_agcount & sb_agblocks are 32-bit integers; this
may then miss corrupt agbnos for the last ag, which can in
turn lead to out of bounds memory accesses later, for example
when the block nr is used to offset in set_agbno_state():

addr = ba_bmap[(agno)] + (ag_blockno)/XR_BB_NUM;

There are similar problems in mk_incore_fstree().

Reported-by: Jesse Stroik <jstroik@ssec.wisc.edu>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
Reviewed-by: Felix Blyakher <felixb@sgi.com>
repair/dinode.c
repair/phase5.c

index fdf52db6176251566fc156e0258280eebb90d7a8..84e1d05987762d39f4e4e3a851e9cf33c43cd6f1 100644 (file)
@@ -319,7 +319,8 @@ verify_ag_bno(xfs_sb_t *sbp,
                return (agbno >= sbp->sb_agblocks);
        if (agno == (sbp->sb_agcount - 1)) 
                return (agbno >= (sbp->sb_dblocks -
-                               ((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
+                               ((xfs_drfsbno_t)(sbp->sb_agcount - 1) *
+                                sbp->sb_agblocks)));
        return 1;
 }
 
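Review bot: The widened subtraction in the last-AG branch can still wrap when the superblock itself is inconsistent: if `sb_dblocks` is smaller than `(sb_agcount - 1) * sb_agblocks`, the difference (unsigned, assuming `sb_dblocks` has the 64-bit type the `xfs_drfsbno_t` cast suggests) becomes very large and no `agbno` in the last AG is rejected. The same unchecked subtraction sets `ag_end` in the mk_incore_fstree hunk in repair/phase5.c. Unless the geometry is already validated before these calls, which is not visible here, I would bound the last AG by a full AG first, e.g. `if (agbno >= sbp->sb_agblocks) return 1;` ahead of the `sb_dblocks` comparison. verify_ag_bno starts outside this hunk.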
index 2c243b62caad9c112bd21ef82f7df2090ceb24ea..26f5aa22cc41559fcd495a7155ee761c570cd026 100644 (file)
@@ -113,7 +113,8 @@ mk_incore_fstree(xfs_mount_t *mp, xfs_agnumber_t agno)
                ag_end = mp->m_sb.sb_agblocks;
        else
                ag_end = mp->m_sb.sb_dblocks -
-                       mp->m_sb.sb_agblocks * (mp->m_sb.sb_agcount - 1);
+                       (xfs_drfsbno_t)mp->m_sb.sb_agblocks *
+                       (mp->m_sb.sb_agcount - 1);
 
        /*
         * ok, now find the number of extents, keep track of the
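Review bot: The cast here is applied to `sb_agblocks`, while the matching fix in verify_ag_bno casts `(sb_agcount - 1)`; both widen the multiplication, but the two sites now spell the same last-AG length differently and neither says why the cast is there. I would add a comment above the assignment such as `/* widen to 64 bits first: agblocks * (agcount - 1) can exceed 32 bits */`, and ideally compute the last-AG length in one helper shared by both files. The declaration of `ag_end` is outside the hunk; if it is a 32-bit block number, the 64-bit result is narrowed again on assignment, which is only safe when the difference does not exceed `sb_agblocks`. mk_incore_fstree starts and ends outside this hunk.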