| blob | 40a0c5d597a4893a006df496339d8c1c233f0029 |
1 ext2: Avoid printk floods in the face of directory corruption
3 Note: some people thinks this represents a security bug, since it
4 might make the system go away while it is printing a large number of
5 console messages, especially if a serial console is involved. Hence,
6 it has been assigned CVE-2008-3528, but it requires that the attacker
7 either has physical access to your machine to insert a USB disk with a
8 corrupted filesystem image (at which point why not just hit the power
9 button), or is otherwise able to convince the system administrator to
10 mount an arbitrary filesystem image (at which point why not just
11 include a setuid shell or world-writable hard disk device file or some
12 such). Me, I think they're just being silly.
14 Signed-off-by: Eric Sandeen <sandeen@redhat.com>
15 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
16 Cc: linux-ext4@vger.kernel.org
17 Cc: Eugene Teo <eugeneteo@kernel.sg>
18 ---
19 Index: linux-2.6.26.x86_64/fs/ext2/dir.c
20 ===================================================================
21 --- linux-2.6.26.x86_64.orig/fs/ext2/dir.c
22 +++ linux-2.6.26.x86_64/fs/ext2/dir.c
23 @@ -103,7 +103,7 @@ static int ext2_commit_chunk(struct page
24 return err;
25 }
27 -static void ext2_check_page(struct page *page)
28 +static void ext2_check_page(struct page *page, int quiet)
29 {
30 struct inode *dir = page->mapping->host;
31 struct super_block *sb = dir->i_sb;
32 @@ -146,10 +146,10 @@ out:
33 /* Too bad, we had an error */
35 Ebadsize:
36 - ext2_error(sb, "ext2_check_page",
37 - "size of directory #%lu is not a multiple of chunk size",
38 - dir->i_ino
39 - );
40 + if (!quiet)
41 + ext2_error(sb, __func__,
42 + "size of directory #%lu is not a multiple "
43 + "of chunk size", dir->i_ino);
44 goto fail;
45 Eshort:
46 error = "rec_len is smaller than minimal";
47 @@ -166,32 +166,36 @@ Espan:
48 Einumber:
49 error = "inode out of bounds";
50 bad_entry:
51 - ext2_error (sb, "ext2_check_page", "bad entry in directory #%lu: %s - "
52 - "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
53 - dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
54 - (unsigned long) le32_to_cpu(p->inode),
55 - rec_len, p->name_len);
56 + if (!quiet)
57 + ext2_error(sb, __func__, "bad entry in directory #%lu: : %s - "
58 + "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
59 + dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
60 + (unsigned long) le32_to_cpu(p->inode),
61 + rec_len, p->name_len);
62 goto fail;
63 Eend:
64 - p = (ext2_dirent *)(kaddr + offs);
65 - ext2_error (sb, "ext2_check_page",
66 - "entry in directory #%lu spans the page boundary"
67 - "offset=%lu, inode=%lu",
68 - dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
69 - (unsigned long) le32_to_cpu(p->inode));
70 + if (!quiet) {
71 + p = (ext2_dirent *)(kaddr + offs);
72 + ext2_error (sb, "ext2_check_page",
73 + "entry in directory #%lu spans the page boundary"
74 + "offset=%lu, inode=%lu",
75 + dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
76 + (unsigned long) le32_to_cpu(p->inode));
77 + }
78 fail:
79 SetPageChecked(page);
80 SetPageError(page);
81 }
83 -static struct page * ext2_get_page(struct inode *dir, unsigned long n)
84 +static struct page * ext2_get_page(struct inode *dir, unsigned long n,
85 + int quiet)
86 {
87 struct address_space *mapping = dir->i_mapping;
88 struct page *page = read_mapping_page(mapping, n, NULL);
89 if (!IS_ERR(page)) {
90 kmap(page);
91 if (!PageChecked(page))
92 - ext2_check_page(page);
93 + ext2_check_page(page, quiet);
94 if (PageError(page))
95 goto fail;
96 }
97 @@ -292,7 +296,7 @@ ext2_readdir (struct file * filp, void *
98 for ( ; n < npages; n++, offset = 0) {
99 char *kaddr, *limit;
100 ext2_dirent *de;
101 - struct page *page = ext2_get_page(inode, n);
102 + struct page *page = ext2_get_page(inode, n, 0);
104 if (IS_ERR(page)) {
105 ext2_error(sb, __func__,
106 @@ -361,6 +365,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
107 struct page *page = NULL;
108 struct ext2_inode_info *ei = EXT2_I(dir);
109 ext2_dirent * de;
110 + int dir_has_error = 0;
112 if (npages == 0)
113 goto out;
114 @@ -374,7 +379,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
115 n = start;
116 do {
117 char *kaddr;
118 - page = ext2_get_page(dir, n);
119 + page = ext2_get_page(dir, n, dir_has_error);
120 if (!IS_ERR(page)) {
121 kaddr = page_address(page);
122 de = (ext2_dirent *) kaddr;
123 @@ -391,7 +396,9 @@ struct ext2_dir_entry_2 * ext2_find_entr
124 de = ext2_next_entry(de);
125 }
126 ext2_put_page(page);
127 - }
128 + } else
129 + dir_has_error = 1;
130 +
131 if (++n >= npages)
132 n = 0;
133 /* next page is past the blocks we've got */
134 @@ -414,7 +421,7 @@ found:
136 struct ext2_dir_entry_2 * ext2_dotdot (struct inode *dir, struct page **p)
137 {
138 - struct page *page = ext2_get_page(dir, 0);
139 + struct page *page = ext2_get_page(dir, 0, 0);
140 ext2_dirent *de = NULL;
142 if (!IS_ERR(page)) {
143 @@ -487,7 +494,7 @@ int ext2_add_link (struct dentry *dentry
144 for (n = 0; n <= npages; n++) {
145 char *dir_end;
147 - page = ext2_get_page(dir, n);
148 + page = ext2_get_page(dir, n, 0);
149 err = PTR_ERR(page);
150 if (IS_ERR(page))
151 goto out;
152 @@ -655,14 +662,17 @@ int ext2_empty_dir (struct inode * inode
153 {
154 struct page *page = NULL;
155 unsigned long i, npages = dir_pages(inode);
156 + int dir_has_error = 0;
158 for (i = 0; i < npages; i++) {
159 char *kaddr;
160 ext2_dirent * de;
161 - page = ext2_get_page(inode, i);
162 + page = ext2_get_page(inode, i, dir_has_error);
164 - if (IS_ERR(page))
165 + if (IS_ERR(page)) {
166 + dir_has_error = 1;
167 continue;
168 + }
170 kaddr = page_address(page);
171 de = (ext2_dirent *)kaddr;