From: Darrick J. Wong Date: Wed, 23 May 2018 21:30:48 +0000 (-0500) Subject: xfs_repair: don't crash if da btree is corrupt X-Git-Tag: v4.17.0-rc1~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cc93dda3f8fcbfa82ca3cdf0283f894487f1d6d;p=thirdparty%2Fxfsprogs-dev.git xfs_repair: don't crash if da btree is corrupt In the recursive verify_da_path call chain, we decide to examine the next upper level if the current entry points past the end of the entries. However, we don't check for a node with zero entries (which should be impossible) so we run right off the end of the da cursor's level array and crash. Found by fuzzing hdr.count in xfs/402. Signed-off-by: Darrick J. Wong Reviewed-by: Eric Sandeen Signed-off-by: Eric Sandeen --- diff --git a/repair/da_util.c b/repair/da_util.c index a65652fa9..bca4060d1 100644 --- a/repair/da_util.c +++ b/repair/da_util.c @@ -526,6 +526,10 @@ verify_da_path( else geo = mp->m_attr_geo; + /* No buffer at this level, tree is corrupt. */ + if (cursor->level[this_level].bp == NULL) + return 1; + /* * index is currently set to point to the entry that * should be processed now in this level. @@ -535,6 +539,10 @@ verify_da_path( btree = M_DIROPS(mp)->node_tree_p(node); M_DIROPS(mp)->node_hdr_from_disk(&nodehdr, node); + /* No entries in this node? Tree is corrupt. */ + if (nodehdr.count == 0) + return 1; + /* * if this block is out of entries, validate this * block and move on to the next block.
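Review bot: In the first hunk (@@ -526,6 +526,10), the new test reads `cursor->level[this_level].bp` with no visible bound on `this_level`, while the commit message describes the crash as running off the end of the da cursor's level array. If the recursion can reach an index past that array, this read is itself out of bounds and only helps when the slot happens to hold NULL. Consider checking `this_level` against the array size (or the cursor's active depth) before the dereference, and emitting a warning before `return 1;` so the repair output shows why the path was rejected.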
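Review bot: In the second hunk (@@ -535,6 +539,10), only `nodehdr.count == 0` is rejected, but the commit message says the bug was found by fuzzing hdr.count, so an oversized count deserves the same scrutiny. Please confirm that a count larger than the node can hold is caught before the "out of entries" comparison that follows this check, or add the upper-bound test here alongside the zero test. The bare `return 1;` also gives no indication of which block was bad; a diagnostic naming the block would make the failure easier to trace.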