From: Darrick J. Wong <darrick.wong@oracle.com>
Date: Tue, 27 Feb 2018 04:43:18 +0000 (-0600)
Subject: xfs: btree format ifork loader should check for zero numrecs
X-Git-Tag: v4.16.0-rc1~73
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e4b963e9ae98a1c7522e97eec7015d33f7eb8ab4;p=thirdparty%2Fxfsprogs-dev.git

xfs: btree format ifork loader should check for zero numrecs

Source kernel commit: 55e45429ce3e4ac9dd2bf4937b1a499a69ccc4ca

A btree format inode fork with zero records makes no sense, so reject it
if we see it, or else we can miscalculate memory allocations.  Found by
zeroes fuzzing {a,u3}.bmbt.numrecs in xfs/{374,378,412} with KASAN.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
---

diff --git a/libxfs/xfs_inode_fork.c b/libxfs/xfs_inode_fork.c
index 750d339e7..d75db5bdb 100644
--- a/libxfs/xfs_inode_fork.c
+++ b/libxfs/xfs_inode_fork.c
@@ -295,6 +295,7 @@ xfs_iformat_btree(
 	 */
 	if (unlikely(XFS_IFORK_NEXTENTS(ip, whichfork) <=
 					XFS_IFORK_MAXEXT(ip, whichfork) ||
+		     nrecs == 0 ||
 		     XFS_BMDR_SPACE_CALC(nrecs) >
 					XFS_DFORK_SIZE(dip, mp, whichfork) ||
 		     XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) ||