Dave Chinner 837514f7a4 xfs: fix overflow in xfs_attr3_leaf_verify ... generic/070 on 64k block size filesystems is failing with a verifier corruption on writeback or an attribute leaf block: [ 94.973083] XFS (pmem0): Metadata corruption detected at xfs_attr3_leaf_verify+0x246/0x260, xfs_attr3_leaf block 0x811480 [ 94.975623] XFS (pmem0): Unmount and run xfs_repair [ 94.976720] XFS (pmem0): First 128 bytes of corrupted metadata buffer: [ 94.978270] 000000004b2e7b45: 00 00 00 00 00 00 00 00 3b ee 00 00 00 00 00 00 ........;....... [ 94.980268] 000000006b1db90b: 00 00 00 00 00 81 14 80 00 00 00 00 00 00 00 00 ................ [ 94.982251] 00000000433f2407: 22 7b 5c 82 2d 5c 47 4c bb 31 1c 37 fa a9 ce d6 "{\.-\GL.1.7.... [ 94.984157] 0000000010dc7dfb: 00 00 00 00 00 81 04 8a 00 0a 18 e8 dd 94 01 00 ................ [ 94.986215] 00000000d5a19229: 00 a0 dc f4 fe 98 01 68 f0 d8 07 e0 00 00 00 00 .......h........ [ 94.988171] 00000000521df36c: 0c 2d 32 e2 fe 20 01 00 0c 2d 58 65 fe 0c 01 00 .-2.. ...-Xe.... [ 94.990162] 000000008477ae06: 0c 2d 5b 66 fe 8c 01 00 0c 2d 71 35 fe 7c 01 00 .-[f.....-q5.|.. [ 94.992139] 00000000a4a6bca6: 0c 2d 72 37 fc d4 01 00 0c 2d d8 b8 f0 90 01 00 .-r7.....-...... [ 94.994789] XFS (pmem0): xfs_do_force_shutdown(0x8) called from line 1453 of file fs/xfs/xfs_buf.c. Return address = ffffffff815365f3 This is failing this check: end = ichdr.freemap[i].base + ichdr.freemap[i].size; if (end < ichdr.freemap[i].base) >>>>> return __this_address; if (end > mp->m_attr_geo->blksize) return __this_address; And from the buffer output above, the freemap array is: freemap[0].base = 0x00a0 freemap[0].size = 0xdcf4 end = 0xdd94 freemap[1].base = 0xfe98 freemap[1].size = 0x0168 end = 0x10000 freemap[2].base = 0xf0d8 freemap[2].size = 0x07e0 end = 0xf8b8 These all look valid - the block size is 0x10000 and so from the last check in the above verifier fragment we know that the end of freemap[1] is valid. The problem is that end is declared as: uint16_t end; And (uint16_t)0x10000 = 0. So we have a verifier bug here, not a corruption. Fix the verifier to use uint32_t types for the check and hence avoid the overflow. Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=201577 Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>		2018-11-06 07:50:50 -08:00
..
9p	Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-01 19:58:52 -07:00
adfs	adfs: use timespec64 for time conversion	2018-08-22 10:52:51 -07:00
affs
afs	afs: Probe multiple fileservers simultaneously	2018-10-24 00:41:09 +01:00
autofs	Merge branch 'akpm' (patches from Andrew)	2018-08-22 12:34:08 -07:00
befs
bfs	bfs: add sanity check at bfs_fill_super()	2018-11-03 10:09:38 -07:00
btrfs	vfs: rework data cloning infrastructure	2018-11-02 09:33:08 -07:00
cachefiles	cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)	2018-10-18 11:32:21 +02:00
ceph	Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-01 19:58:52 -07:00
cifs	cifs: fix signed/unsigned mismatch on aio_read patch	2018-11-02 14:09:42 -05:00
coda
configfs
cramfs	Make the Cramfs code more robust against filesystem corruptions,	2018-10-30 12:46:25 -07:00
crypto	crypto: speck - remove Speck	2018-09-04 11:35:03 +08:00
debugfs
devpts	devpts: Convert to new IDA API	2018-08-21 23:54:17 -04:00
dlm	iov_iter: Separate type from direction and use accessor functions	2018-10-24 00:41:07 +01:00
ecryptfs	ecryptfs_rename(): verify that lower dentries are still OK after lock_rename()	2018-10-09 23:33:17 -04:00
efivarfs
efs
exofs	fs/exofs: only use true/false for asignment of bool type variable	2018-10-18 02:04:59 -04:00
exportfs
ext2	\n	2018-10-29 10:23:36 -07:00
ext4	for-linus-20181102	2018-11-02 11:25:48 -07:00
f2fs	Merge branch 'xarray' of git://git.infradead.org/users/willy/linux-dax	2018-10-28 11:35:40 -07:00
fat	fat: truncate inode timestamp updates in setattr	2018-10-31 08:54:14 -07:00
freevxfs
fscache	fscache: Fix out of bound read in long cookie keys	2018-10-18 11:32:21 +02:00
fuse	Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-01 19:58:52 -07:00
gfs2	Merge branch 'xarray' of git://git.infradead.org/users/willy/linux-dax	2018-10-28 11:35:40 -07:00
hfs	fs/hfs/extent.c: fix array out of bounds read of array extent	2018-10-31 08:54:13 -07:00
hfsplus	hfsplus: update timestamps on truncate()	2018-10-31 08:54:13 -07:00
hostfs	vfs: discard ATTR_ATTR_FLAG	2018-08-17 16:20:28 -07:00
hpfs	hpfs: remove unnecessary checks on the value of r when assigning error code	2018-08-25 12:42:33 -07:00
hugetlbfs	mm: zero out the vma in vma_init()	2018-08-22 10:52:44 -07:00
isofs	Update email address	2018-09-29 22:47:48 -04:00
jbd2	jbd2: fix use after free in jbd2_log_do_checkpoint()	2018-10-05 18:44:40 -04:00
jffs2	Merge branch 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace	2018-10-24 11:22:39 +01:00
jfs	jfs: remove redundant dquot_initialize() in jfs_evict_inode()	2018-09-20 09:28:49 -05:00
kernfs	mm: zero-seek shrinkers	2018-10-26 16:26:33 -07:00
lockd	lockd: fix access beyond unterminated strings in prints	2018-10-29 16:58:04 -04:00
minix
nfs	NFS client bugfixes for Linux 4.20	2018-11-04 08:20:09 -08:00
nfs_common
nfsd	vfs: rework data cloning infrastructure	2018-11-02 09:33:08 -07:00
nilfs2	nilfs2: Convert to XArray	2018-10-21 10:46:42 -04:00
nls
notify	fsnotify: Fix busy inodes during unmount	2018-10-25 15:49:19 +02:00
ntfs	ntfs: don't open-code ERR_CAST	2018-10-12 22:46:50 -04:00
ocfs2	ocfs2: fix clusters leak in ocfs2_defrag_extent()	2018-11-03 10:09:37 -07:00
omfs
openpromfs
orangefs	Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-01 19:58:52 -07:00
overlayfs	vfs: rework data cloning infrastructure	2018-11-02 09:33:08 -07:00
proc	New gcc plugin: stackleak	2018-11-01 11:46:27 -07:00
pstore	mm: remove CONFIG_HAVE_MEMBLOCK	2018-10-31 08:54:15 -07:00
qnx4
qnx6
quota	fs/quota: Fix spectre gadget in do_quotactl	2018-08-22 18:17:48 +02:00
ramfs
reiserfs	reiserfs: remove workaround code for GCC 3.x	2018-10-31 08:54:14 -07:00
romfs
squashfs
sysfs	Driver core patches for 4.19-rc1	2018-08-18 11:44:53 -07:00
sysv	fs/sysv/inode.c: use ktime_get_real_seconds() for superblock stamp	2018-08-22 10:52:51 -07:00
tracefs
ubifs	ubifs: Remove unneeded semicolon	2018-10-23 13:49:02 +02:00
udf	udf: Drop pack pragma from udf_sb.h	2018-09-07 10:32:23 +02:00
ufs	fs/ufs: use ktime_get_real_seconds for sb and cg timestamps	2018-08-17 16:20:27 -07:00
xfs	xfs: fix overflow in xfs_attr3_leaf_verify	2018-11-06 07:50:50 -08:00
aio.c	y2038: globally rename compat_time to old_time32	2018-08-27 14:48:48 +02:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c	signal: Distinguish between kernel_siginfo and siginfo	2018-10-03 16:47:43 +02:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c	iov_iter: Use accessor function	2018-10-24 00:40:44 +01:00
buffer.c	for-linus-20181102	2018-11-02 11:25:48 -07:00
char_dev.c
compat.c
compat_binfmt_elf.c	y2038: globally rename compat_time to old_time32	2018-08-27 14:48:48 +02:00
compat_ioctl.c	media updates for v4.20-rc1	2018-10-29 14:29:58 -07:00
coredump.c	signal: Distinguish between kernel_siginfo and siginfo	2018-10-03 16:47:43 +02:00
d_path.c
dax.c	dax: Convert page fault handlers to XArray	2018-10-21 10:46:44 -04:00
dcache.c	mm: remove include/linux/bootmem.h	2018-10-31 08:54:16 -07:00
dcookies.c
direct-io.c	iov_iter: Use accessor function	2018-10-24 00:40:44 +01:00
drop_caches.c
eventfd.c
eventpoll.c	fs/eventpoll.c: simplify ep_is_linked() callers	2018-08-22 10:52:49 -07:00
exec.c	vfs: require i_size <= SIZE_MAX in kernel_read_file()	2018-10-10 12:56:14 -04:00
fcntl.c	signal: Distinguish between kernel_siginfo and siginfo	2018-10-03 16:47:43 +02:00
fhandle.c
file.c
file_table.c	overlayfs update for 4.19	2018-08-21 18:19:09 -07:00
filesystems.c
fs-writeback.c	fs: Convert writeback to XArray	2018-10-21 10:46:42 -04:00
fs_pin.c
fs_struct.c
inode.c	mm: remove include/linux/bootmem.h	2018-10-31 08:54:16 -07:00
internal.h	overlayfs update for 4.19	2018-08-21 18:19:09 -07:00
ioctl.c	vfs: rework data cloning infrastructure	2018-11-02 09:33:08 -07:00
iomap.c	Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-01 20:19:49 -07:00
Kconfig
Kconfig.binfmt
libfs.c
locks.c	overlayfs update for 4.19	2018-08-21 18:19:09 -07:00
Makefile
mbcache.c
mount.h
mpage.c	mpage: mpage_readpages() should submit IO as read-ahead	2018-08-17 16:20:29 -07:00
namei.c	namei: allow restricted O_CREAT of FIFOs and regular files	2018-08-23 18:48:43 -07:00
namespace.c	mm: remove include/linux/bootmem.h	2018-10-31 08:54:16 -07:00
no-block.c
nsfs.c
open.c	overlayfs update for 4.19	2018-08-21 18:19:09 -07:00
pipe.c	Merge branch 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-08-13 19:58:36 -07:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c	vfs: rework data cloning infrastructure	2018-11-02 09:33:08 -07:00
readdir.c
select.c	y2038: globally rename compat_time to old_time32	2018-08-27 14:48:48 +02:00
seq_file.c	fs/seq_file.c: simplify seq_file iteration code and interface	2018-08-17 16:20:28 -07:00
signalfd.c	signal: Distinguish between kernel_siginfo and siginfo	2018-10-03 16:47:43 +02:00
splice.c	iov_iter: Separate type from direction and use accessor functions	2018-10-24 00:41:07 +01:00
stack.c
stat.c	y2038: Remove newstat family from default syscall set	2018-08-29 15:42:20 +02:00
statfs.c
super.c	fsnotify: add super block object type	2018-09-03 15:14:01 +02:00
sync.c
timerfd.c	y2038: globally rename compat_time to old_time32	2018-08-27 14:48:48 +02:00
userfaultfd.c	userfaultfd: disable irqs when taking the waitqueue lock	2018-10-26 16:25:18 -07:00
utimes.c	y2038: utimes: Rework #ifdef guards for compat syscalls	2018-08-29 15:42:23 +02:00
xattr.c	sysfs: Do not return POSIX ACL xattrs via listxattr	2018-09-18 07:30:48 -04:00