1 ext2: Avoid printk floods in the face of directory corruption
3 Note: some people thinks this represents a security bug, since it
4 might make the system go away while it is printing a large number of
5 console messages, especially if a serial console is involved. Hence,
6 it has been assigned CVE-2008-3528, but it requires that the attacker
7 either has physical access to your machine to insert a USB disk with a
8 corrupted filesystem image (at which point why not just hit the power
9 button), or is otherwise able to convince the system administrator to
10 mount an arbitrary filesystem image (at which point why not just
11 include a setuid shell or world-writable hard disk device file or some
12 such). Me, I think they're just being silly.
14 Signed-off-by: Eric Sandeen <sandeen@redhat.com>
15 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
16 Cc: linux-ext4@vger.kernel.org
17 Cc: Eugene Teo <eugeneteo@kernel.sg>
19 Index: linux-2.6.26.x86_64/fs/ext2/dir.c
20 ===================================================================
21 --- linux-2.6.26.x86_64.orig/fs/ext2/dir.c
22 +++ linux-2.6.26.x86_64/fs/ext2/dir.c
23 @@ -103,7 +103,7 @@ static int ext2_commit_chunk(struct page
27 -static void ext2_check_page(struct page *page)
28 +static void ext2_check_page(struct page *page, int quiet)
30 struct inode *dir = page->mapping->host;
31 struct super_block *sb = dir->i_sb;
32 @@ -146,10 +146,10 @@ out:
33 /* Too bad, we had an error */
36 - ext2_error(sb, "ext2_check_page",
37 - "size of directory #%lu is not a multiple of chunk size",
41 + ext2_error(sb, __func__,
42 + "size of directory #%lu is not a multiple "
43 + "of chunk size", dir->i_ino);
46 error = "rec_len is smaller than minimal";
47 @@ -166,32 +166,36 @@ Espan:
49 error = "inode out of bounds";
51 - ext2_error (sb, "ext2_check_page", "bad entry in directory #%lu: %s - "
52 - "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
53 - dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
54 - (unsigned long) le32_to_cpu(p->inode),
55 - rec_len, p->name_len);
57 + ext2_error(sb, __func__, "bad entry in directory #%lu: : %s - "
58 + "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
59 + dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
60 + (unsigned long) le32_to_cpu(p->inode),
61 + rec_len, p->name_len);
64 - p = (ext2_dirent *)(kaddr + offs);
65 - ext2_error (sb, "ext2_check_page",
66 - "entry in directory #%lu spans the page boundary"
67 - "offset=%lu, inode=%lu",
68 - dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
69 - (unsigned long) le32_to_cpu(p->inode));
71 + p = (ext2_dirent *)(kaddr + offs);
72 + ext2_error (sb, "ext2_check_page",
73 + "entry in directory #%lu spans the page boundary"
74 + "offset=%lu, inode=%lu",
75 + dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
76 + (unsigned long) le32_to_cpu(p->inode));
83 -static struct page * ext2_get_page(struct inode *dir, unsigned long n)
84 +static struct page * ext2_get_page(struct inode *dir, unsigned long n,
87 struct address_space *mapping = dir->i_mapping;
88 struct page *page = read_mapping_page(mapping, n, NULL);
91 if (!PageChecked(page))
92 - ext2_check_page(page);
93 + ext2_check_page(page, quiet);
97 @@ -292,7 +296,7 @@ ext2_readdir (struct file * filp, void *
98 for ( ; n < npages; n++, offset = 0) {
101 - struct page *page = ext2_get_page(inode, n);
102 + struct page *page = ext2_get_page(inode, n, 0);
105 ext2_error(sb, __func__,
106 @@ -361,6 +365,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
107 struct page *page = NULL;
108 struct ext2_inode_info *ei = EXT2_I(dir);
110 + int dir_has_error = 0;
114 @@ -374,7 +379,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
118 - page = ext2_get_page(dir, n);
119 + page = ext2_get_page(dir, n, dir_has_error);
121 kaddr = page_address(page);
122 de = (ext2_dirent *) kaddr;
123 @@ -391,7 +396,9 @@ struct ext2_dir_entry_2 * ext2_find_entr
124 de = ext2_next_entry(de);
133 /* next page is past the blocks we've got */
134 @@ -414,7 +421,7 @@ found:
136 struct ext2_dir_entry_2 * ext2_dotdot (struct inode *dir, struct page **p)
138 - struct page *page = ext2_get_page(dir, 0);
139 + struct page *page = ext2_get_page(dir, 0, 0);
140 ext2_dirent *de = NULL;
143 @@ -487,7 +494,7 @@ int ext2_add_link (struct dentry *dentry
144 for (n = 0; n <= npages; n++) {
147 - page = ext2_get_page(dir, n);
148 + page = ext2_get_page(dir, n, 0);
152 @@ -655,14 +662,17 @@ int ext2_empty_dir (struct inode * inode
154 struct page *page = NULL;
155 unsigned long i, npages = dir_pages(inode);
156 + int dir_has_error = 0;
158 for (i = 0; i < npages; i++) {
161 - page = ext2_get_page(inode, i);
162 + page = ext2_get_page(inode, i, dir_has_error);
165 + if (IS_ERR(page)) {
170 kaddr = page_address(page);
171 de = (ext2_dirent *)kaddr;