author | Darrick J. Wong <darrick.wong@oracle.com> | 2015-05-16 20:50:21 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2015-05-16 20:50:21 -0400 |
commit | 04c66cb25f36d31c6f33196c9a7a8d206012cbba (patch) | |
tree | cc8001ff634a5102a9df0dfacaa7719d618d91ae /e2fsck/revoke.c | |
parent | f008143cf5bfb93b5f5a0cb7018091b6f38301f8 (diff) | |
download | e2fsprogs-04c66cb25f36d31c6f33196c9a7a8d206012cbba.tar.gz |
e2fsck: fix buffer overrun in revoke block scanning
Check the value of r_count to ensure that we never try to read revoke
records past the end of the revoke block. It turns out that the
journal writing code in debugfs was also playing fast and loose with
the r_count, so fix that as well.
The Coverity bug was 1297508.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'e2fsck/revoke.c')
-rw-r--r-- | e2fsck/revoke.c | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/e2fsck/revoke.c b/e2fsck/revoke.c
index b4c3f5f4..05430997 100644
--- a/e2fsck/revoke.c
+++ b/e2fsck/revoke.c
@@ -583,7 +583,7 @@ static void write_one_revoke_record(journal_t *journal,
 {
 int csum_size = 0;
 struct buffer_head *descriptor;
- int offset;
+ int sz, offset;
 journal_header_t *header;
 /* If we are already aborting, this all becomes a noop. We
@@ -600,9 +600,14 @@ static void write_one_revoke_record(journal_t *journal,
 if (journal_has_csum_v2or3(journal))
 csum_size = sizeof(struct journal_revoke_tail);
+ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT))
+ sz = 8;
+ else
+ sz = 4;
+
 /* Make sure we have a descriptor with space left for the record */
 if (descriptor) {
- if (offset >= journal->j_blocksize - csum_size) {
+ if (offset + sz > journal->j_blocksize - csum_size) {
 flush_descriptor(journal, descriptor, offset, write_op);
 descriptor = NULL;
 }
@@ -625,16 +630,13 @@ static void write_one_revoke_record(journal_t *journal,
 *descriptorp = descriptor;
 }
- if (JFS_HAS_INCOMPAT_FEATURE(journal, JFS_FEATURE_INCOMPAT_64BIT)) {
- * ((__u64 *)(&descriptor->b_data[offset])) = ext2fs_cpu_to_be64(record->blocknr);
- offset += 8;
-
- } else {
- * ((__u32 *)(&descriptor->b_data[offset])) = ext2fs_cpu_to_be32(record->blocknr);
- offset += 4;
- }
+ if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_64BIT)) { * ((__be64 *)(&descriptor->b_data[offset])) = cpu_to_be64(record->blocknr); else * ((__be32 *)(&descriptor->b_data[offset])) = cpu_to_be32(record->blocknr);
+ offset += sz;
 *offsetp = offset;
 }
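Review bot: The 64-bit store in the last hunk, `* ((__be64 *)(&descriptor->b_data[offset])) = cpu_to_be64(record->blocknr);`, writes through a pointer cast into a byte buffer at whatever `offset` happens to be; if `offset` starts at `sizeof(journal_header_t)` (set between the hunks, outside this view, and 12 bytes in the on-disk format) the 8-byte records land on addresses that are only 4-byte aligned, which faults on strict-alignment targets and is a strict-aliasing violation for the compiler either way. Since this is userspace code with no unaligned-access helper visible, the portable form is a typed temporary plus a copy, `__be64 v = cpu_to_be64(record->blocknr); memcpy(&descriptor->b_data[offset], &v, sz);` with the matching `__be32` pair in the `else` arm, which also drops the casts. The rewritten `if` line as rendered here shows a `{` with no closing `}` before `else`; that is presumably a display artifact, but if it is real the arm will not compile. The new bound `offset + sz > journal->j_blocksize - csum_size` in the second hunk is the right check and `offset += sz` keeps the write and the space test in step; write_one_revoke_record begins before the first hunk and its body continues between the hunks.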