From c29a562f83eda8d17789ee9936fa7328ae5d1c63 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" Date: Mon, 28 Sep 2020 17:35:37 -0400 Subject: [PATCH] xfs_repair: fix error in process_sf_dir2_fixi8 The goal of process_sf_dir2_fixi8 is to convert an i8 shortform directory into a (shorter) i4 shortform directory. It achieves this by duplicating the old sf directory contents (as oldsfp), zeroing i8count in the caller's directory buffer (i.e. newsfp/sfp), and reinitializing the new directory with the old directory's entries. Unfortunately, it copies the parent pointer from sfp (the buffer we've already started changing), not oldsfp. This leads to directory corruption since at that point we zeroed i8count, which means that we save only the upper four bytes from the parent pointer entry. This was found by fuzzing u3.sfdir3.hdr.i8count = ones in xfs/384. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Eric Sandeen --- repair/dir2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/repair/dir2.c b/repair/dir2.c index 95e8c2009..eabdb4f2d 100644 --- a/repair/dir2.c +++ b/repair/dir2.c @@ -84,7 +84,7 @@ process_sf_dir2_fixi8( memmove(oldsfp, newsfp, oldsize); newsfp->count = oldsfp->count; newsfp->i8count = 0; - ino = libxfs_dir2_sf_get_parent_ino(sfp); + ino = libxfs_dir2_sf_get_parent_ino(oldsfp); libxfs_dir2_sf_put_parent_ino(newsfp, ino); oldsfep = xfs_dir2_sf_firstentry(oldsfp); newsfep = xfs_dir2_sf_firstentry(newsfp); -- 2.47.2
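Review bot: The one-word fix in the `@@ -84,7 +84,7 @@` hunk is correct, but it leaves the trap that caused the bug in place: sfp and newsfp are the same buffer (per the commit message), and `newsfp->i8count = 0;` two lines above the changed line has already switched that buffer to 4-byte inode encoding, so any future read of an old entry through sfp or newsfp would again decode only half of the 8-byte value. Suggest either adding a one-line comment above `newsfp->i8count = 0;` stating that from this point every read of the original entries must go through oldsfp, or moving the `ino = libxfs_dir2_sf_get_parent_ino(...)` read above the i8count reset so the ordering enforces it rather than a naming convention. Since the bug was found by fuzzing i8count in xfs/384, it would also help to mention in the commit message whether that test now passes with this change.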