Commit f44ec6f3 authored by Eric Sandeen's avatar Eric Sandeen Committed by Linus Torvalds
Browse files

limit minixfs printks on corrupted dir i_size 

This attempts to address CVE-2006-6058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058

first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html



Essentially a corrupted minix dir inode reporting a very large
i_size will loop for a very long time in minix_readdir, minix_find_entry,
etc, because on EIO they just move on to try the next page.  This is
under the BKL, printk-storming as well.  This can lock up the machine
for a very long time.  Simply ratelimiting the printks gets things back
under control.  Make the message a bit more informative while we're here.

Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
Cc: Bodo Eggert <7eggert@gmx.de>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent d8ea6cf8

fs/minix/itree_v1.c

+7 −2
Original line number Diff line number Diff line
@@ -23,11 +23,16 @@ static inline block_t *i_data(struct inode *inode) 
static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])

{

	int n = 0;

	char b[BDEVNAME_SIZE];



	if (block < 0) {

		printk("minix_bmap: block<0\n");

		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",

			block, bdevname(inode->i_sb->s_bdev, b));

	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {

		printk("minix_bmap: block>big\n");

		if (printk_ratelimit())

			printk("MINIX-fs: block_to_path: "

			       "block %ld too big on dev %s\n",

				block, bdevname(inode->i_sb->s_bdev, b));

	} else if (block < 7) {

		offsets[n++] = block;

	} else if ((block -= 7) < 512) {

fs/minix/itree_v2.c

+7 −2
Original line number Diff line number Diff line
@@ -23,12 +23,17 @@ static inline block_t *i_data(struct inode *inode) 
static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])

{

	int n = 0;

	char b[BDEVNAME_SIZE];

	struct super_block *sb = inode->i_sb;



	if (block < 0) {

		printk("minix_bmap: block<0\n");

		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",

			block, bdevname(sb->s_bdev, b));

	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/sb->s_blocksize)) {

		printk("minix_bmap: block>big\n");

		if (printk_ratelimit())

			printk("MINIX-fs: block_to_path: "

			       "block %ld too big on dev %s\n",

				block, bdevname(sb->s_bdev, b));

	} else if (block < 7) {

		offsets[n++] = block;

	} else if ((block -= 7) < 256) {

CRA Git | Maintained and supported by SUSTech CRA and CCSE