[SCSI] gdth: Prevent negative offsets in ioctl CVE-2009-3080
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / fs / squashfs / block.c
1 /*
2 * Squashfs - a compressed read only filesystem for Linux
4 * Copyright (c) 2002, 2003, 2004, 2005, 2006, 2007, 2008
5 * Phillip Lougher <phillip@lougher.demon.co.uk>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2,
10 * or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
21 * block.c
25 * This file implements the low-level routines to read and decompress
26 * datablocks and metadata blocks.
29 #include <linux/fs.h>
30 #include <linux/vfs.h>
31 #include <linux/slab.h>
32 #include <linux/mutex.h>
33 #include <linux/string.h>
34 #include <linux/buffer_head.h>
35 #include <linux/zlib.h>
37 #include "squashfs_fs.h"
38 #include "squashfs_fs_sb.h"
39 #include "squashfs_fs_i.h"
40 #include "squashfs.h"
/*
 * Fetch the two-byte length header that starts a metadata block.
 *
 * The header is assembled low byte first: the byte at *offset supplies
 * bits 0-7 and the following byte supplies bits 8-15.  When only one byte
 * is left in the current device block, the second byte is taken from the
 * start of the next device block and *cur_index is advanced to it.
 *
 * On success the buffer_head that holds the last header byte is returned
 * with its reference still held, *length holds the raw 16-bit value and
 * *offset points just past the header inside the returned buffer.  NULL is
 * returned if either sb_bread() fails.
 *
 * The value stored in *length comes straight from the filesystem image and
 * is not range-checked here.  No check is made on *offset either; this
 * assumes *offset < devblksize on entry - TODO confirm against callers.
 */
static struct buffer_head *get_block_length(struct super_block *sb,
			u64 *cur_index, int *offset, int *length)
{
	struct squashfs_sb_info *msblk = sb->s_fs_info;
	struct buffer_head *bh = sb_bread(sb, *cur_index);

	if (bh == NULL)
		return NULL;

	if (msblk->devblksize - *offset != 1) {
		/* Both header bytes are taken from this device block. */
		*length = (unsigned char) bh->b_data[*offset] |
			(unsigned char) bh->b_data[*offset + 1] << 8;
		*offset += 2;
		return bh;
	}

	/*
	 * Header straddles two device blocks: take the low byte from the
	 * last position of this one, drop it, and read the high byte from
	 * the first position of the next.
	 */
	*length = (unsigned char) bh->b_data[*offset];
	put_bh(bh);

	bh = sb_bread(sb, ++(*cur_index));
	if (bh == NULL)
		return NULL;

	*length |= (unsigned char) bh->b_data[0] << 8;
	*offset = 1;

	return bh;
}
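/*
 * Read and decompress a metadata block or datablock.  Length is non-zero
 * if a datablock is being read (the size is stored elsewhere in the
 * filesystem), otherwise the length is obtained from the first two bytes of
 * the metadata block.  A bit in the length field indicates if the block
 * is stored uncompressed in the filesystem (usually because compression
 * generated a larger block - this does occasionally happen with zlib).
 *
 * @sb:         super block of the mounted filesystem
 * @buffer:     array of @pages output pages, each PAGE_CACHE_SIZE bytes
 * @index:      byte position of the block on the device
 * @length:     encoded datablock length, or 0 to read a metadata block
 * @next_index: if non-NULL, receives the byte position following the block
 * @srclength:  upper bound accepted for the stored (on-disk) block size
 * @pages:      number of entries in @buffer
 *
 * Returns the number of bytes placed in @buffer (the stored size for an
 * uncompressed block, stream.total_out for a compressed one), -ENOMEM if
 * the buffer_head array cannot be allocated, or -EIO on any read, bounds or
 * decompression failure.
 *
 * The stored length is read from the filesystem image and must be treated
 * as untrusted.  It is rejected unless 0 <= length <= srclength and the
 * block lies inside msblk->bytes_used.
 */
int squashfs_read_data(struct super_block *sb, void **buffer, u64 index,
			int length, u64 *next_index, int srclength, int pages)
{
	struct squashfs_sb_info *msblk = sb->s_fs_info;
	struct buffer_head **bh;
	int offset = index & ((1 << msblk->devblksize_log2) - 1);
	u64 cur_index = index >> msblk->devblksize_log2;
	int bytes, compressed, b = 0, k = 0, page = 0, avail;
	int nr_bh;

	/*
	 * Size the buffer_head array from srclength, the bound that the
	 * length checks below actually enforce, rather than from
	 * block_size.  The loops below collect at most
	 * ceil(length / devblksize) + 1 device blocks (the extra one covers
	 * a block that starts part-way through a device block), and
	 * (srclength >> devblksize_log2) + 2 is never smaller than that.
	 * With the previous block_size based sizing the array could be
	 * overrun whenever a caller passed srclength > block_size; callers
	 * are not visible here - NOTE(review): confirm which ones do.
	 * A negative srclength is clamped to 0; every path then fails the
	 * length check, as before.
	 * Assumes devblksize == 1 << devblksize_log2 - TODO confirm.
	 */
	nr_bh = ((srclength > 0 ? srclength : 0) >> msblk->devblksize_log2) + 2;

	bh = kcalloc(nr_bh, sizeof(*bh), GFP_KERNEL);
	if (bh == NULL)
		return -ENOMEM;

	if (length) {
		/*
		 * Datablock.
		 */
		bytes = -offset;
		compressed = SQUASHFS_COMPRESSED_BLOCK(length);
		length = SQUASHFS_COMPRESSED_SIZE_BLOCK(length);
		if (next_index)
			*next_index = index + length;

		TRACE("Block @ 0x%llx, %scompressed size %d, src size %d\n",
			index, compressed ? "" : "un", length, srclength);

		/* Reject sizes outside the caller's bound or the image. */
		if (length < 0 || length > srclength ||
				(index + length) > msblk->bytes_used)
			goto read_failure;

		for (b = 0; bytes < length; b++, cur_index++) {
			bh[b] = sb_getblk(sb, cur_index);
			if (bh[b] == NULL)
				goto block_release;
			bytes += msblk->devblksize;
		}
		ll_rw_block(READ, b, bh);
	} else {
		/*
		 * Metadata block.
		 */
		if ((index + 2) > msblk->bytes_used)
			goto read_failure;

		/* bh[0] is read synchronously to obtain the length header. */
		bh[0] = get_block_length(sb, &cur_index, &offset, &length);
		if (bh[0] == NULL)
			goto read_failure;
		b = 1;

		bytes = msblk->devblksize - offset;
		compressed = SQUASHFS_COMPRESSED(length);
		length = SQUASHFS_COMPRESSED_SIZE(length);
		if (next_index)
			*next_index = index + length + 2;

		TRACE("Block @ 0x%llx, %scompressed size %d\n", index,
			compressed ? "" : "un", length);

		/* Reject sizes outside the caller's bound or the image. */
		if (length < 0 || length > srclength ||
				(index + length) > msblk->bytes_used)
			goto block_release;

		for (; bytes < length; b++) {
			bh[b] = sb_getblk(sb, ++cur_index);
			if (bh[b] == NULL)
				goto block_release;
			bytes += msblk->devblksize;
		}
		/* bh[0] is already up to date; submit only the rest. */
		ll_rw_block(READ, b - 1, bh + 1);
	}

	if (compressed) {
		int zlib_err = 0, zlib_init = 0;

		/*
		 * Uncompress block.
		 */

		/* msblk->stream is shared, so inflation is serialised. */
		mutex_lock(&msblk->read_data_mutex);

		msblk->stream.avail_out = 0;
		msblk->stream.avail_in = 0;

		bytes = length;
		do {
			if (msblk->stream.avail_in == 0 && k < b) {
				avail = min(bytes, msblk->devblksize - offset);
				bytes -= avail;
				wait_on_buffer(bh[k]);
				if (!buffer_uptodate(bh[k]))
					goto release_mutex;

				/*
				 * Nothing usable in this device block (the
				 * header ended exactly at its end): skip it.
				 */
				if (avail == 0) {
					offset = 0;
					put_bh(bh[k++]);
					continue;
				}

				msblk->stream.next_in = bh[k]->b_data + offset;
				msblk->stream.avail_in = avail;
				offset = 0;
			}

			/*
			 * Output never goes past the last supplied page;
			 * once pages are exhausted avail_out stays 0.
			 */
			if (msblk->stream.avail_out == 0 && page < pages) {
				msblk->stream.next_out = buffer[page++];
				msblk->stream.avail_out = PAGE_CACHE_SIZE;
			}

			if (!zlib_init) {
				zlib_err = zlib_inflateInit(&msblk->stream);
				if (zlib_err != Z_OK) {
					ERROR("zlib_inflateInit returned"
						" unexpected result 0x%x,"
						" srclength %d\n", zlib_err,
						srclength);
					goto release_mutex;
				}
				zlib_init = 1;
			}

			zlib_err = zlib_inflate(&msblk->stream, Z_SYNC_FLUSH);

			if (msblk->stream.avail_in == 0 && k < b)
				put_bh(bh[k++]);
		} while (zlib_err == Z_OK);

		if (zlib_err != Z_STREAM_END) {
			ERROR("zlib_inflate error, data probably corrupt\n");
			goto release_mutex;
		}

		zlib_err = zlib_inflateEnd(&msblk->stream);
		if (zlib_err != Z_OK) {
			ERROR("zlib_inflate error, data probably corrupt\n");
			goto release_mutex;
		}
		length = msblk->stream.total_out;
		mutex_unlock(&msblk->read_data_mutex);
	} else {
		/*
		 * Block is uncompressed.
		 */
		int i, in, pg_offset = 0;

		for (i = 0; i < b; i++) {
			wait_on_buffer(bh[i]);
			if (!buffer_uptodate(bh[i]))
				goto block_release;
		}

		for (bytes = length; k < b; k++) {
			in = min(bytes, msblk->devblksize - offset);
			bytes -= in;
			while (in) {
				if (pg_offset == PAGE_CACHE_SIZE) {
					page++;
					pg_offset = 0;
				}
				/*
				 * Keep the copy inside the pages the caller
				 * supplied, matching the page < pages bound
				 * used on the compressed path.  bh[k] is
				 * still held here and is dropped by
				 * block_release.
				 */
				if (page >= pages)
					goto block_release;
				avail = min_t(int, in, PAGE_CACHE_SIZE -
						pg_offset);
				memcpy(buffer[page] + pg_offset,
						bh[k]->b_data + offset, avail);
				in -= avail;
				pg_offset += avail;
				offset += avail;
			}
			offset = 0;
			put_bh(bh[k]);
		}
	}

	kfree(bh);
	return length;

release_mutex:
	mutex_unlock(&msblk->read_data_mutex);

block_release:
	/* Drop every buffer_head reference not yet released (k .. b-1). */
	for (; k < b; k++)
		put_bh(bh[k]);

read_failure:
	ERROR("squashfs_read_data failed to read block 0x%llx\n",
		(unsigned long long) index);
	kfree(bh);
	return -EIO;
}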