summaryrefslogtreecommitdiffstats
path: root/fs/ext4/dir.c
diff options
context:
space:
mode:
authorJan Kara <jack@suse.cz>2019-12-02 18:02:13 +0100
committerTheodore Ts'o <tytso@mit.edu>2019-12-14 23:22:45 +0100
commit109ba779d6cca2d519c5dd624a3276d03e21948e (patch)
treebdcda5c6a7e922dc12a8f852421c86f4c3e40b74 /fs/ext4/dir.c
parentext4: fix ext4_empty_dir() for directories with holes (diff)
downloadlinux-109ba779d6cca2d519c5dd624a3276d03e21948e.tar.xz
linux-109ba779d6cca2d519c5dd624a3276d03e21948e.zip
ext4: check for directory entries too close to block end
ext4_check_dir_entry() currently does not catch a case when a directory entry ends so close to the block end that the header of the next directory entry would not fit in the remaining space. This can lead to directory iteration code trying to access address beyond end of current buffer head leading to oops. CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'fs/ext4/dir.c')
-rw-r--r--fs/ext4/dir.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
index 9fdd2b269d61..6305d5ec25af 100644
--- a/fs/ext4/dir.c
+++ b/fs/ext4/dir.c
@@ -81,6 +81,11 @@ int __ext4_check_dir_entry(const char *function, unsigned int line,
error_msg = "rec_len is too small for name_len";
else if (unlikely(((char *) de - buf) + rlen > size))
error_msg = "directory entry overrun";
+ else if (unlikely(((char *) de - buf) + rlen >
+ size - EXT4_DIR_REC_LEN(1) &&
+ ((char *) de - buf) + rlen != size)) {
+ error_msg = "directory entry too close to block end";
+ }
else if (unlikely(le32_to_cpu(de->inode) >
le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count)))
error_msg = "inode out of bounds";