xfs: btree format ifork loader should check for zero numrecs

Source kernel commit: 55e45429ce3e4ac9dd2bf4937b1a499a69ccc4ca

A btree format inode fork with zero records makes no sense, so reject it
if we see it, or else we can miscalculate memory allocations.  Found by
zeroes fuzzing {a,u3}.bmbt.numrecs in xfs/{374,378,412} with KASAN.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>

diff --git a/libxfs/xfs_inode_fork.c b/libxfs/xfs_inode_fork.c
index 750d339e7f1ae318942e4c12e03c3e6cbb24a31b..d75db5bdbbbb751b1972acf1b5583fd53c96078b 100644 (file)
--- a/libxfs/xfs_inode_fork.c
+++ b/libxfs/xfs_inode_fork.c
@@ -295,6 +295,7 @@ xfs_iformat_btree(
         */
        if (unlikely(XFS_IFORK_NEXTENTS(ip, whichfork) <=
                                        XFS_IFORK_MAXEXT(ip, whichfork) ||
+                    nrecs == 0 ||
                     XFS_BMDR_SPACE_CALC(nrecs) >
                                        XFS_DFORK_SIZE(dip, mp, whichfork) ||
                     XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) ||