diff options
| author | Gao Xiang <gaoxiang25@huawei.com> | 2019-03-11 09:08:58 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-03-14 00:02:40 +0300 |
| commit | e5d7b94cc435f0532d26a45166cc85e8ee15f314 (patch) | |
| tree | de5e1a1d1f04c27353bcfe83ec4417282b411e1a /scripts/gcc-plugins/cyc_complexity_plugin.c | |
| parent | 28b8f234edaf8eb7402bda6d2f9e6a51c9e86874 (diff) | |
| download | linux-e5d7b94cc435f0532d26a45166cc85e8ee15f314.tar.xz | |
staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()
commit 419d6efc50e94bcf5d6b35cd8c71f79edadec564 upstream.
As Al pointed out, "
... and while we are at it, what happens to
unsigned int nameoff = le16_to_cpu(de[mid].nameoff);
unsigned int matched = min(startprfx, endprfx);
struct qstr dname = QSTR_INIT(data + nameoff,
unlikely(mid >= ndirents - 1) ?
maxsize - nameoff :
le16_to_cpu(de[mid + 1].nameoff) - nameoff);
/* string comparison without already matched prefix */
int ret = dirnamecmp(name, &dname, &matched);
if le16_to_cpu(de[...].nameoff) is not monotonically increasing? I.e.
what's to prevent e.g. (unsigned)-1 ending up in dname.len?
Corrupted fs image shouldn't oops the kernel.. "
Revisit the related lookup flow to address the issue.
Fixes: d72d1ce60174 ("staging: erofs: add namei functions")
Cc: <stable@vger.kernel.org> # 4.19+
Suggested-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'scripts/gcc-plugins/cyc_complexity_plugin.c')
0 files changed, 0 insertions, 0 deletions