Author: fsu
Date: Sat Jul 27 19:29:23 2019
New Revision: 350384
URL: https://svnweb.freebsd.org/changeset/base/350384
Log:
  MFC r349800,r349801:
  
  Fix misc fs fuzzing issues.
  
  Reported by:    Christopher Krah, Thomas Barabosch, and Jan-Niclas Hilgert of 
Fraunhofer FKIE
  Reported as:    FS-22-EXT2-9: Denial of service in ftruncate-0 (ext2_balloc)
                  FS-11-EXT2-6: Denial Of Service in write-1 (ext2_balloc)

Modified:
  stable/12/sys/fs/ext2fs/ext2_balloc.c

Modified: stable/12/sys/fs/ext2fs/ext2_balloc.c
==============================================================================
--- stable/12/sys/fs/ext2fs/ext2_balloc.c       Sat Jul 27 18:07:46 2019        
(r350383)
+++ stable/12/sys/fs/ext2fs/ext2_balloc.c       Sat Jul 27 19:29:23 2019        
(r350384)
@@ -62,7 +62,7 @@ ext2_ext_balloc(struct inode *ip, uint32_t lbn, int si
        struct buf *bp = NULL;
        struct vnode *vp = ITOV(ip);
        daddr_t newblk;
-       int osize, nsize, blks, error, allocated;
+       int blks, error, allocated;
 
        fs = ip->i_e2fs;
        blks = howmany(size, fs->e2fs_bsize);
@@ -72,47 +72,22 @@ ext2_ext_balloc(struct inode *ip, uint32_t lbn, int si
                return (error);
 
        if (allocated) {
-               if (ip->i_size < (lbn + 1) * fs->e2fs_bsize)
-                       nsize = fragroundup(fs, size);
-               else
-                       nsize = fs->e2fs_bsize;
-
-               bp = getblk(vp, lbn, nsize, 0, 0, 0);
+               bp = getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0);
                if(!bp)
                        return (EIO);
-
-               bp->b_blkno = fsbtodb(fs, newblk);
-               if (flags & BA_CLRBUF)
-                       vfs_bio_clrbuf(bp);
        } else {
-               if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
-
-                       error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
-                       if (error) {
-                               brelse(bp);
-                               return (error);
-                       }
-                       bp->b_blkno = fsbtodb(fs, newblk);
-                       *bpp = bp;
-                       return (0);
-               }
-
-               /*
-                * Consider need to reallocate a fragment.
-                */
-               osize = fragroundup(fs, blkoff(fs, ip->i_size));
-               nsize = fragroundup(fs, size);
-               if (nsize <= osize)
-                       error = bread(vp, lbn, osize, NOCRED, &bp);
-               else
-                       error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
+               error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
                if (error) {
                        brelse(bp);
                        return (error);
                }
-               bp->b_blkno = fsbtodb(fs, newblk);
        }
 
+
+       bp->b_blkno = fsbtodb(fs, newblk);
+       if (flags & BA_CLRBUF)
+               vfs_bio_clrbuf(bp);
+
        *bpp = bp;
 
        return (error);
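Review bot: With the `BA_CLRBUF` block hoisted below the if/else, `vfs_bio_clrbuf(bp)` now also runs on the buffer that `bread()` just filled in the `else` branch, where the old code cleared only the freshly allocated `getblk()` buffer. If `vfs_bio_clrbuf()` can zero any part of a buffer holding valid on-disk data, a caller passing `BA_CLRBUF` for an already mapped block would lose that data; if it only touches invalid regions the change is harmless, but that cannot be confirmed from this hunk. Either keep the clear inside `if (allocated)` or, once confirmed, add a comment such as `/* vfs_bio_clrbuf() only zeroes invalid regions, so data read by bread() is kept */`. The extra blank line before `bp->b_blkno = fsbtodb(fs, newblk);` can also be dropped. The body of ext2_ext_balloc starts and ends outside the hunk.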
@@ -134,7 +109,7 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
        struct indir indirs[EXT2_NIADDR + 2];
        e4fs_daddr_t nb, newb;
        e2fs_daddr_t *bap, pref;
-       int osize, nsize, num, i, error;
+       int num, i, error;
 
        *bpp = NULL;
        if (lbn < 0)
@@ -164,53 +139,22 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
                 * no new block is to be allocated, and no need to expand
                 * the file
                 */
-               if (nb != 0 && ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
+               if (nb != 0) {
                        error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
                        if (error) {
                                brelse(bp);
                                return (error);
                        }
                        bp->b_blkno = fsbtodb(fs, nb);
-                       *bpp = bp;
-                       return (0);
-               }
-               if (nb != 0) {
-                       /*
-                        * Consider need to reallocate a fragment.
-                        */
-                       osize = fragroundup(fs, blkoff(fs, ip->i_size));
-                       nsize = fragroundup(fs, size);
-                       if (nsize <= osize) {
-                               error = bread(vp, lbn, osize, NOCRED, &bp);
-                               if (error) {
-                                       brelse(bp);
-                                       return (error);
-                               }
-                               bp->b_blkno = fsbtodb(fs, nb);
-                       } else {
-                               /*
-                                * Godmar thinks: this shouldn't happen w/o
-                                * fragments
-                                */
-                               printf("nsize %d(%d) > osize %d(%d) nb %d\n",
-                                   (int)nsize, (int)size, (int)osize,
-                                   (int)ip->i_size, (int)nb);
-                               panic(
-                                   "ext2_balloc: Something is terribly wrong");
-/*
- * please note there haven't been any changes from here on -
- * FFS seems to work.
- */
+                       if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
+                               *bpp = bp;
+                               return (0);
                        }
                } else {
-                       if (ip->i_size < (lbn + 1) * fs->e2fs_bsize)
-                               nsize = fragroundup(fs, size);
-                       else
-                               nsize = fs->e2fs_bsize;
                        EXT2_LOCK(ump);
                        error = ext2_alloc(ip, lbn,
                            ext2_blkpref(ip, lbn, (int)lbn, &ip->i_db[0], 0),
-                           nsize, cred, &newb);
+                           fs->e2fs_bsize, cred, &newb);
                        if (error)
                                return (error);
                        /*
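Review bot: The context comment above `if (nb != 0)` still reads "no new block is to be allocated, and no need to expand the file", but the file-size test now sits in the nested `if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize)`, so the comment no longer matches the condition below it. I would reword it and add a comment on the inner test, for example `/* Block is already mapped; return early only when it lies fully inside i_size. */`. The path that replaces the removed `panic()` is the fall-through with `bp` held when the mapped block extends past `i_size`, which per the commit log is the state the fuzzed images reached. What happens to `bp` after the closing brace is outside this hunk, so a one-line comment saying where that buffer is handed back would help the next reader confirm it is not leaked.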
@@ -219,7 +163,7 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
                         */
                        if (newb > UINT_MAX)
                                return (EFBIG);
-                       bp = getblk(vp, lbn, nsize, 0, 0, 0);
+                       bp = getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0);
                        bp->b_blkno = fsbtodb(fs, newb);
                        if (flags & BA_CLRBUF)
                                vfs_bio_clrbuf(bp);
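Review bot: The result of `getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0)` is dereferenced on the next line without a check, while ext2_ext_balloc in the same file tests the same call with `if(!bp) return (EIO);`. Presumably getblk cannot return NULL with these zero flag and timeout arguments, in which case a short comment saying so (or dropping the check in ext2_ext_balloc) would make the two functions consistent; otherwise add `if (bp == NULL) return (EIO);` here. Separately, the `if (newb > UINT_MAX) return (EFBIG);` context line returns after `ext2_alloc()` succeeded without an `ext2_blkfree()` like the one on the `bwrite()` error path, which looks like it leaves the new block allocated; this should be confirmed against the full function, since the enclosing block starts and ends outside the hunk.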
@@ -308,7 +252,6 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
                 */
                if ((error = bwrite(nbp)) != 0) {
                        ext2_blkfree(ip, nb, fs->e2fs_bsize);
-                       EXT2_UNLOCK(ump);
                        brelse(bp);
                        return (error);
                }