diff options
author | Gao Xiang <gaoxiang25@huawei.com> | 2019-01-29 23:55:40 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-01-30 15:31:25 +0100 |
commit | d4104c5e783f5d053b97268fb92001d785de7dd5 (patch) | |
tree | a61a12cb8bd9f399c677c1d3d47350ee6d75d438 /lib/rbtree.c | |
parent | 49230b49c4398765feba809ac27ae09562cbead1 (diff) | |
download | talos-op-linux-d4104c5e783f5d053b97268fb92001d785de7dd5.tar.gz talos-op-linux-d4104c5e783f5d053b97268fb92001d785de7dd5.zip |
staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()
As Al pointed out, "
... and while we are at it, what happens to
unsigned int nameoff = le16_to_cpu(de[mid].nameoff);
unsigned int matched = min(startprfx, endprfx);
struct qstr dname = QSTR_INIT(data + nameoff,
unlikely(mid >= ndirents - 1) ?
maxsize - nameoff :
le16_to_cpu(de[mid + 1].nameoff) - nameoff);
/* string comparison without already matched prefix */
int ret = dirnamecmp(name, &dname, &matched);
if le16_to_cpu(de[...].nameoff) is not monotonically increasing? I.e.
what's to prevent e.g. (unsigned)-1 ending up in dname.len?
Corrupted fs image shouldn't oops the kernel.. "
Revisit the related lookup flow to address the issue.
Fixes: d72d1ce60174 ("staging: erofs: add namei functions")
Cc: <stable@vger.kernel.org> # 4.19+
Suggested-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib/rbtree.c')
0 files changed, 0 insertions, 0 deletions