From: Darrick J. Wong Date: Tue, 27 Feb 2018 04:43:17 +0000 (-0600) Subject: xfs: harden directory integrity checks some more X-Git-Tag: v4.16.0-rc1~86 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=493b46c4d9a1dbf636a1f3452c1ac36232ede6f4;p=thirdparty%2Fxfsprogs-dev.git xfs: harden directory integrity checks some more Source kernel commit: 46c59736d8090e602f960aeaf1c6b8292151bf38 If a malicious filesystem image contains a block+ format directory wherein the directory inode's core.mode is set such that S_ISDIR(core.mode) == 0, and if there are subdirectories of the corrupted directory, an attempt to traverse up the directory tree will crash the kernel in __xfs_dir3_data_check. Running the online scrub's parent checks will tend to do this. The crash occurs because the directory inode's d_ops get set to xfs_dir[23]_nondir_ops (it's not a directory) but the parent pointer scrubber's indiscriminate call to xfs_readdir proceeds past the ASSERT if we have non fatal asserts configured. Fix the null pointer dereference crash in __xfs_dir3_data_check by looking for S_ISDIR or wrong d_ops; and teach the parent scrubber to bail out if it is fed a non-directory "parent". Signed-off-by: Darrick J. Wong Reviewed-by: Brian Foster Signed-off-by: Eric Sandeen --- diff --git a/libxfs/xfs_dir2_data.c b/libxfs/xfs_dir2_data.c index 0ef517782..1f46115f4 100644 --- a/libxfs/xfs_dir2_data.c +++ b/libxfs/xfs_dir2_data.c @@ -70,6 +70,14 @@ __xfs_dir3_data_check( */ ops = xfs_dir_get_ops(mp, dp); + /* + * If this isn't a directory, or we don't get handed the dir ops, + * something is seriously wrong. Bail out. + */ + if ((dp && !S_ISDIR(VFS_I(dp)->i_mode)) || + ops != xfs_dir_get_ops(mp, NULL)) + return __this_address; + hdr = bp->b_addr; p = (char *)ops->data_entry_p(hdr);