Commit a33e30a0 authored by Zhihao Cheng's avatar Zhihao Cheng Committed by Richard Weinberger
Browse files

ubifs: Pass node length in all node dumping callers 



Function ubifs_dump_node() has been modified to avoid memory oob
accessing while dumping node, node length (corresponding to the
size of allocated memory for node) should be passed into all node
dumping callers.

Signed-off-by: default avatarZhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
parent c8be0975

fs/ubifs/commit.c

+2 −2
Original line number Diff line number Diff line
@@ -701,13 +701,13 @@ out: 


out_dump:

	ubifs_err(c, "dumping index node (iip=%d)", i->iip);

	ubifs_dump_node(c, idx);

	ubifs_dump_node(c, idx, ubifs_idx_node_sz(c, c->fanout));

	list_del(&i->list);

	kfree(i);

	if (!list_empty(&list)) {

		i = list_entry(list.prev, struct idx_node, list);

		ubifs_err(c, "dumping parent index node");

		ubifs_dump_node(c, &i->idx);

		ubifs_dump_node(c, &i->idx, ubifs_idx_node_sz(c, c->fanout));

	}

out_free:

	while (!list_empty(&list)) {

fs/ubifs/debug.c

+15 −15
Original line number Diff line number Diff line
@@ -871,7 +871,7 @@ void ubifs_dump_leb(const struct ubifs_info *c, int lnum) 
		cond_resched();

		pr_err("Dumping node at LEB %d:%d len %d\n", lnum,

		       snod->offs, snod->len);

		ubifs_dump_node(c, snod->node);

		ubifs_dump_node(c, snod->node, c->leb_size - snod->offs);

	}



	pr_err("(pid %d) finish dumping LEB %d\n", current->pid, lnum);
@@ -1249,7 +1249,7 @@ static int dbg_check_key_order(struct ubifs_info *c, struct ubifs_zbranch *zbr1, 
		ubifs_err(c, "but it should have key %s according to tnc",

			  dbg_snprintf_key(c, &zbr1->key, key_buf,

					   DBG_KEY_BUF_LEN));

		ubifs_dump_node(c, dent1);

		ubifs_dump_node(c, dent1, UBIFS_MAX_DENT_NODE_SZ);

		goto out_free;

	}
@@ -1261,7 +1261,7 @@ static int dbg_check_key_order(struct ubifs_info *c, struct ubifs_zbranch *zbr1, 
		ubifs_err(c, "but it should have key %s according to tnc",

			  dbg_snprintf_key(c, &zbr2->key, key_buf,

					   DBG_KEY_BUF_LEN));

		ubifs_dump_node(c, dent2);

		ubifs_dump_node(c, dent2, UBIFS_MAX_DENT_NODE_SZ);

		goto out_free;

	}
@@ -1280,9 +1280,9 @@ static int dbg_check_key_order(struct ubifs_info *c, struct ubifs_zbranch *zbr1, 
			  dbg_snprintf_key(c, &key, key_buf, DBG_KEY_BUF_LEN));



	ubifs_msg(c, "first node at %d:%d\n", zbr1->lnum, zbr1->offs);

	ubifs_dump_node(c, dent1);

	ubifs_dump_node(c, dent1, UBIFS_MAX_DENT_NODE_SZ);

	ubifs_msg(c, "second node at %d:%d\n", zbr2->lnum, zbr2->offs);

	ubifs_dump_node(c, dent2);

	ubifs_dump_node(c, dent2, UBIFS_MAX_DENT_NODE_SZ);



out_free:

	kfree(dent2);
@@ -2147,7 +2147,7 @@ out: 


out_dump:

	ubifs_msg(c, "dump of node at LEB %d:%d", zbr->lnum, zbr->offs);

	ubifs_dump_node(c, node);

	ubifs_dump_node(c, node, zbr->len);

out_free:

	kfree(node);

	return err;
@@ -2280,7 +2280,7 @@ out_dump: 


	ubifs_msg(c, "dump of the inode %lu sitting in LEB %d:%d",

		  (unsigned long)fscki->inum, zbr->lnum, zbr->offs);

	ubifs_dump_node(c, ino);

	ubifs_dump_node(c, ino, zbr->len);

	kfree(ino);

	return -EINVAL;

}
@@ -2351,12 +2351,12 @@ int dbg_check_data_nodes_order(struct ubifs_info *c, struct list_head *head) 


		if (sa->type != UBIFS_DATA_NODE) {

			ubifs_err(c, "bad node type %d", sa->type);

			ubifs_dump_node(c, sa->node);

			ubifs_dump_node(c, sa->node, c->leb_size - sa->offs);

			return -EINVAL;

		}

		if (sb->type != UBIFS_DATA_NODE) {

			ubifs_err(c, "bad node type %d", sb->type);

			ubifs_dump_node(c, sb->node);

			ubifs_dump_node(c, sb->node, c->leb_size - sb->offs);

			return -EINVAL;

		}
@@ -2387,8 +2387,8 @@ int dbg_check_data_nodes_order(struct ubifs_info *c, struct list_head *head) 
	return 0;



error_dump:

	ubifs_dump_node(c, sa->node);

	ubifs_dump_node(c, sb->node);

	ubifs_dump_node(c, sa->node, c->leb_size - sa->offs);

	ubifs_dump_node(c, sb->node, c->leb_size - sb->offs);

	return -EINVAL;

}
@@ -2419,13 +2419,13 @@ int dbg_check_nondata_nodes_order(struct ubifs_info *c, struct list_head *head) 
		if (sa->type != UBIFS_INO_NODE && sa->type != UBIFS_DENT_NODE &&

		    sa->type != UBIFS_XENT_NODE) {

			ubifs_err(c, "bad node type %d", sa->type);

			ubifs_dump_node(c, sa->node);

			ubifs_dump_node(c, sa->node, c->leb_size - sa->offs);

			return -EINVAL;

		}

		if (sb->type != UBIFS_INO_NODE && sb->type != UBIFS_DENT_NODE &&

		    sb->type != UBIFS_XENT_NODE) {

			ubifs_err(c, "bad node type %d", sb->type);

			ubifs_dump_node(c, sb->node);

			ubifs_dump_node(c, sb->node, c->leb_size - sb->offs);

			return -EINVAL;

		}
@@ -2475,9 +2475,9 @@ int dbg_check_nondata_nodes_order(struct ubifs_info *c, struct list_head *head) 


error_dump:

	ubifs_msg(c, "dumping first node");

	ubifs_dump_node(c, sa->node);

	ubifs_dump_node(c, sa->node, c->leb_size - sa->offs);

	ubifs_msg(c, "dumping second node");

	ubifs_dump_node(c, sb->node);

	ubifs_dump_node(c, sb->node, c->leb_size - sb->offs);

	return -EINVAL;

}

fs/ubifs/file.c

+1 −1
Original line number Diff line number Diff line
@@ -92,7 +92,7 @@ static int read_block(struct inode *inode, void *addr, unsigned int block, 
dump:

	ubifs_err(c, "bad data node (block %u, inode %lu)",

		  block, inode->i_ino);

	ubifs_dump_node(c, dn);

	ubifs_dump_node(c, dn, UBIFS_MAX_DATA_NODE_SZ);

	return -EINVAL;

}

fs/ubifs/io.c

+11 −12
Original line number Diff line number Diff line
@@ -198,6 +198,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum) 
 * ubifs_check_node - check node.

 * @c: UBIFS file-system description object

 * @buf: node to check

 * @len: node length

 * @lnum: logical eraseblock number

 * @offs: offset within the logical eraseblock

 * @quiet: print no messages
@@ -222,8 +223,8 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum) 
 * This function returns zero in case of success and %-EUCLEAN in case of bad

 * CRC or magic.

 */

int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,

		     int offs, int quiet, int must_chk_crc)

int ubifs_check_node(const struct ubifs_info *c, const void *buf, int len,

		     int lnum, int offs, int quiet, int must_chk_crc)

{

	int err = -EINVAL, type, node_len;

	uint32_t crc, node_crc, magic;
@@ -281,7 +282,7 @@ out_len: 
out:

	if (!quiet) {

		ubifs_err(c, "bad node at LEB %d:%d", lnum, offs);

		ubifs_dump_node(c, buf);

		ubifs_dump_node(c, buf, len);

		dump_stack();

	}

	return err;
@@ -718,7 +719,7 @@ out_timers: 
int ubifs_wbuf_write_nolock(struct ubifs_wbuf *wbuf, void *buf, int len)

{

	struct ubifs_info *c = wbuf->c;

	int err, written, n, aligned_len = ALIGN(len, 8);

	int err, n, written = 0, aligned_len = ALIGN(len, 8);



	dbg_io("%d bytes (%s) to jhead %s wbuf at LEB %d:%d", len,

	       dbg_ntype(((struct ubifs_ch *)buf)->node_type),
@@ -785,8 +786,6 @@ int ubifs_wbuf_write_nolock(struct ubifs_wbuf *wbuf, void *buf, int len) 
		goto exit;

	}



	written = 0;



	if (wbuf->used) {

		/*

		 * The node is large enough and does not fit entirely within
@@ -887,7 +886,7 @@ exit: 
out:

	ubifs_err(c, "cannot write %d bytes to LEB %d:%d, error %d",

		  len, wbuf->lnum, wbuf->offs, err);

	ubifs_dump_node(c, buf);

	ubifs_dump_node(c, buf, written + len);

	dump_stack();

	ubifs_dump_leb(c, wbuf->lnum);

	return err;
@@ -930,7 +929,7 @@ int ubifs_write_node_hmac(struct ubifs_info *c, void *buf, int len, int lnum, 


	err = ubifs_leb_write(c, lnum, buf, offs, buf_len);

	if (err)

		ubifs_dump_node(c, buf);

		ubifs_dump_node(c, buf, len);



	return err;

}
@@ -1013,7 +1012,7 @@ int ubifs_read_node_wbuf(struct ubifs_wbuf *wbuf, void *buf, int type, int len, 
		goto out;

	}



	err = ubifs_check_node(c, buf, lnum, offs, 0, 0);

	err = ubifs_check_node(c, buf, len, lnum, offs, 0, 0);

	if (err) {

		ubifs_err(c, "expected node type %d", type);

		return err;
@@ -1029,7 +1028,7 @@ int ubifs_read_node_wbuf(struct ubifs_wbuf *wbuf, void *buf, int type, int len, 


out:

	ubifs_err(c, "bad node at LEB %d:%d", lnum, offs);

	ubifs_dump_node(c, buf);

	ubifs_dump_node(c, buf, len);

	dump_stack();

	return -EINVAL;

}
@@ -1069,7 +1068,7 @@ int ubifs_read_node(const struct ubifs_info *c, void *buf, int type, int len, 
		goto out;

	}



	err = ubifs_check_node(c, buf, lnum, offs, 0, 0);

	err = ubifs_check_node(c, buf, len, lnum, offs, 0, 0);

	if (err) {

		ubifs_errc(c, "expected node type %d", type);

		return err;
@@ -1087,7 +1086,7 @@ out: 
	ubifs_errc(c, "bad node at LEB %d:%d, LEB mapping status %d", lnum,

		   offs, ubi_is_mapped(c->ubi, lnum));

	if (!c->probing) {

		ubifs_dump_node(c, buf);

		ubifs_dump_node(c, buf, len);

		dump_stack();

	}

	return -EINVAL;

fs/ubifs/journal.c

+2 −1
Original line number Diff line number Diff line
@@ -1559,7 +1559,8 @@ int ubifs_jnl_truncate(struct ubifs_info *c, const struct inode *inode, 
			if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) {

				ubifs_err(c, "bad data node (block %u, inode %lu)",

					  blk, inode->i_ino);

				ubifs_dump_node(c, dn);

				ubifs_dump_node(c, dn, sz - UBIFS_INO_NODE_SZ -

						UBIFS_TRUN_NODE_SZ);

				goto out_free;

			}

CRA Git | Maintained and supported by SUSTech CRA and CCSE