Commit 46c59736 authored Jan 09, 2018 by Darrick J. Wong

xfs: harden directory integrity checks some more



If a malicious filesystem image contains a block+ format directory
wherein the directory inode's core.mode is set such that
S_ISDIR(core.mode) == 0, and if there are subdirectories of the
corrupted directory, an attempt to traverse up the directory tree will
crash the kernel in __xfs_dir3_data_check.  Running the online scrub's
parent checks will tend to do this.

The crash occurs because the directory inode's d_ops get set to
xfs_dir[23]_nondir_ops (it's not a directory) but the parent pointer
scrubber's indiscriminate call to xfs_readdir proceeds past the ASSERT
if we have non fatal asserts configured.

Fix the null pointer dereference crash in __xfs_dir3_data_check by
looking for S_ISDIR or wrong d_ops; and teach the parent scrubber
to bail out if it is fed a non-directory "parent".

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>

parent ac503a4c

fs/xfs/libxfs/xfs_dir2_data.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -73,6 +73,14 @@ __xfs_dir3_data_check(
		*/
		ops = xfs_dir_get_ops(mp, dp);

		/*
		* If this isn't a directory, or we don't get handed the dir ops,
		* something is seriously wrong. Bail out.
		*/
		if ((dp && !S_ISDIR(VFS_I(dp)->i_mode)) \|\|
		ops != xfs_dir_get_ops(mp, NULL))
		return __this_address;

		hdr = bp->b_addr;
		p = (char *)ops->data_entry_p(hdr);

fs/xfs/scrub/parent.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -171,7 +171,7 @@ xfs_scrub_parent_validate(
		error = xfs_iget(mp, sc->tp, dnum, 0, 0, &dp);
		if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, 0, &error))
		goto out;
		if (dp == sc->ip) {
		if (dp == sc->ip \|\| !S_ISDIR(VFS_I(dp)->i_mode)) {
		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
		goto out_rele;
		}

Admin message