hfs: handle more on-disk corruptions without oopsing

hfs seems prone to bad things when it encounters on disk corruption.  Many
values are read from disk, and used as lengths to memcpy, as an example.
This patch fixes up several of these problematic cases.

o sanity check the on-disk maximum key lengths on mount
  (these are set to a defined value at mkfs time and shouldn't differ)
o check on-disk node keylens against the maximum key length for each tree
o fix hfs_btree_open so that going out via free_tree: doesn't wind
  up in hfs_releasepage, which wants to follow the very pointer
  we were trying to set up:
	HFS_SB(sb)->cat_tree = hfs_btree_open()
		...
		failure gets to hfs_releasepage and tries
		to follow HFS_SB(sb)->cat_tree

Tested with the fsfuzzer; it survives more than it used to.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
index f13f1494d4fe8099ca8779c8aaf0771ca1ec95c9..f8452a0eab562085ddd50e3f3e52352bebcc4cb2 100644 (file)
--- a/fs/hfs/bfind.c
+++ b/fs/hfs/bfind.c
@@ -52,6 +52,10 @@ int __hfs_brec_find(struct hfs_bnode *bnode, struct hfs_find_data *fd)
                rec = (e + b) / 2;
                len = hfs_brec_lenoff(bnode, rec, &off);
                keylen = hfs_brec_keylen(bnode, rec);
+               if (keylen == HFS_BAD_KEYLEN) {
+                       res = -EINVAL;
+                       goto done;
+               }
                hfs_bnode_read(bnode, fd->key, off, keylen);
                cmpval = bnode->tree->keycmp(fd->key, fd->search_key);
                if (!cmpval) {
@@ -67,6 +71,10 @@ int __hfs_brec_find(struct hfs_bnode *bnode, struct hfs_find_data *fd)
        if (rec != e && e >= 0) {
                len = hfs_brec_lenoff(bnode, e, &off);
                keylen = hfs_brec_keylen(bnode, e);
+               if (keylen == HFS_BAD_KEYLEN) {
+                       res = -EINVAL;
+                       goto done;
+               }
                hfs_bnode_read(bnode, fd->key, off, keylen);
        }
 done:
@@ -198,6 +206,10 @@ int hfs_brec_goto(struct hfs_find_data *fd, int cnt)
 
        len = hfs_brec_lenoff(bnode, fd->record, &off);
        keylen = hfs_brec_keylen(bnode, fd->record);
+       if (keylen == HFS_BAD_KEYLEN) {
+               res = -EINVAL;
+               goto out;
+       }
        fd->keyoffset = off;
        fd->keylength = keylen;
        fd->entryoffset = off + keylen;

diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
index 5c87cf4801fcb00f05311d2883c9977dbfa5ef2f..8626ee375ea811d3a4e794a5f72a05d96b09bea0 100644 (file)
--- a/fs/hfs/brec.c
+++ b/fs/hfs/brec.c
@@ -44,10 +44,21 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
                recoff = hfs_bnode_read_u16(node, node->tree->node_size - (rec + 1) * 2);
                if (!recoff)
                        return 0;
-               if (node->tree->attributes & HFS_TREE_BIGKEYS)
+               if (node->tree->attributes & HFS_TREE_BIGKEYS) {
                        retval = hfs_bnode_read_u16(node, recoff) + 2;
-               else
+                       if (retval > node->tree->max_key_len + 2) {
+                               printk(KERN_ERR "hfs: keylen %d too large\n",
+                                       retval);
+                               retval = HFS_BAD_KEYLEN;
+                       }
+               } else {
                        retval = (hfs_bnode_read_u8(node, recoff) | 1) + 1;
+                       if (retval > node->tree->max_key_len + 1) {
+                               printk(KERN_ERR "hfs: keylen %d too large\n",
+                                       retval);
+                               retval = HFS_BAD_KEYLEN;
+                       }
+               }
        }
        return retval;
 }

diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
index 8a3a650abc87a9ed4520318a811fb76619933a7e..31284c77bba87b8a393d5cc78789cd13f2e02b31 100644 (file)
--- a/fs/hfs/btree.c
+++ b/fs/hfs/btree.c
@@ -81,6 +81,17 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
                goto fail_page;
        if (!tree->node_count)
                goto fail_page;
+       if ((id == HFS_EXT_CNID) && (tree->max_key_len != HFS_MAX_EXT_KEYLEN)) {
+               printk(KERN_ERR "hfs: invalid extent max_key_len %d\n",
+                       tree->max_key_len);
+               goto fail_page;
+       }
+       if ((id == HFS_CAT_CNID) && (tree->max_key_len != HFS_MAX_CAT_KEYLEN)) {
+               printk(KERN_ERR "hfs: invalid catalog max_key_len %d\n",
+                       tree->max_key_len);
+               goto fail_page;
+       }
+
        tree->node_size_shift = ffs(size) - 1;
        tree->pages_per_bnode = (tree->node_size + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
 
@@ -89,9 +100,9 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
        return tree;
 
  fail_page:
-       tree->inode->i_mapping->a_ops = &hfs_aops;
        page_cache_release(page);
  free_tree:
+       tree->inode->i_mapping->a_ops = &hfs_aops;
        iput(tree->inode);
        kfree(tree);
        return NULL;

diff --git a/fs/hfs/hfs.h b/fs/hfs/hfs.h
index 1445e3a56ed45695428a1633a344c2f5f6462d1b..c6aae61adfe6f098f9c0fc260b1090b1331d29d9 100644 (file)
--- a/fs/hfs/hfs.h
+++ b/fs/hfs/hfs.h
@@ -28,6 +28,8 @@
 #define HFS_MAX_NAMELEN                128
 #define HFS_MAX_VALENCE                32767U
 
+#define HFS_BAD_KEYLEN         0xFF
+
 /* Meanings of the drAtrb field of the MDB,
  * Reference: _Inside Macintosh: Files_ p. 2-61
  */
@@ -167,6 +169,9 @@ typedef union hfs_btree_key {
        struct hfs_ext_key ext;
 } hfs_btree_key;
 
+#define HFS_MAX_CAT_KEYLEN     (sizeof(struct hfs_cat_key) - sizeof(u8))
+#define HFS_MAX_EXT_KEYLEN     (sizeof(struct hfs_ext_key) - sizeof(u8))
+
 typedef union hfs_btree_key btree_key;
 
 struct hfs_extent {