Author: fsu Date: Sat Jul 27 19:29:28 2019 New Revision: 350385 URL: https://svnweb.freebsd.org/changeset/base/350385
Log: MFC r349800,r349801,r349802: Fix misc fs fuzzing issues. Reported by: Christopher Krah, Thomas Barabosch, and Jan-Niclas Hilgert of Fraunhofer FKIE Reported as: FS-27-EXT2-12: Denial of Service in openat-0 (vm_fault_hold/ext2_clusteracct) FS-22-EXT2-9: Denial of service in ftruncate-0 (ext2_balloc) FS-11-EXT2-6: Denial Of Service in write-1 (ext2_balloc) Modified: stable/11/sys/fs/ext2fs/ext2_balloc.c stable/11/sys/fs/ext2fs/ext2_vfsops.c
Modified: stable/11/sys/fs/ext2fs/ext2_balloc.c
==============================================================================
--- stable/11/sys/fs/ext2fs/ext2_balloc.c Sat Jul 27 19:29:23 2019 (r350384)
+++ stable/11/sys/fs/ext2fs/ext2_balloc.c Sat Jul 27 19:29:28 2019 (r350385)
@@ -67,7 +67,7 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
 struct indir indirs[NIADDR + 2];
 e4fs_daddr_t nb, newb;
 e2fs_daddr_t *bap, pref;
- int osize, nsize, num, i, error;
+ int num, i, error;
 *bpp = NULL;
 if (lbn < 0)
@@ -93,56 +93,25 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
 * no new block is to be allocated, and no need to expand
 * the file
 */
- if (nb != 0 && ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
+ if (nb != 0) {
 error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
 if (error) {
 brelse(bp);
 return (error);
 }
 bp->b_blkno = fsbtodb(fs, nb);
- *bpp = bp;
- return (0);
- }
- if (nb != 0) {
- /*
- * Consider need to reallocate a fragment.
- */
- osize = fragroundup(fs, blkoff(fs, ip->i_size));
- nsize = fragroundup(fs, size);
- if (nsize <= osize) {
- error = bread(vp, lbn, osize, NOCRED, &bp);
- if (error) {
- brelse(bp);
- return (error);
- }
- bp->b_blkno = fsbtodb(fs, nb);
- } else {
- /*
- * Godmar thinks: this shouldn't happen w/o
- * fragments
- */
- printf("nsize %d(%d) > osize %d(%d) nb %d\n",
- (int)nsize, (int)size, (int)osize,
- (int)ip->i_size, (int)nb);
- panic(
- "ext2_balloc: Something is terribly wrong");
-/*
- * please note there haven't been any changes from here on -
- * FFS seems to work.
- */
+ if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
+ *bpp = bp;
+ return (0);
 }
 } else {
- if (ip->i_size < (lbn + 1) * fs->e2fs_bsize)
- nsize = fragroundup(fs, size);
- else
- nsize = fs->e2fs_bsize;
 EXT2_LOCK(ump);
 error = ext2_alloc(ip, lbn,
 ext2_blkpref(ip, lbn, (int)lbn, &ip->i_db[0], 0),
- nsize, cred, &newb);
+ fs->e2fs_bsize, cred, &newb);
 if (error)
 return (error);
- bp = getblk(vp, lbn, nsize, 0, 0, 0);
+ bp = getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0);
 bp->b_blkno = fsbtodb(fs, newb);
 if (flags & BA_CLRBUF)
 vfs_bio_clrbuf(bp);
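Review bot: The context comment ending "no new block is to be allocated, and no need to expand the file" now sits above `if (nb != 0) {`, which only tests the first half of that statement; the "no need to expand" half has moved to the inner `if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize)`. When the block is mapped but i_size ends short of it, control now leaves the if/else with `bp` held and `*bpp` still NULL, so that case relies on code after this hunk, which is outside the visible lines. I would put a comment on the inner test, such as `/* Block is mapped and lies fully inside i_size: nothing to allocate or extend. */`, and add one line after its closing brace saying that the short-file case is completed by the common tail. Because this branch replaces a panic() that the log attributes to fuzzed images, a regression image with a mapped block beyond i_size would be a useful companion to the change.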
@@ -227,7 +196,6 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
 */
 if ((error = bwrite(nbp)) != 0) {
 ext2_blkfree(ip, nb, fs->e2fs_bsize);
- EXT2_UNLOCK(ump);
 brelse(bp);
 return (error);
 }
Modified: stable/11/sys/fs/ext2fs/ext2_vfsops.c
==============================================================================
--- stable/11/sys/fs/ext2fs/ext2_vfsops.c Sat Jul 27 19:29:23 2019 (r350384)
+++ stable/11/sys/fs/ext2fs/ext2_vfsops.c Sat Jul 27 19:29:28 2019 (r350385)
@@ -375,8 +375,11 @@ compute_sb_data(struct vnode *devvp, struct ext2fs *es
 return (EINVAL);
 }
 /* Check for group size */
- if (fs->e2fs_bpg == 0) {
- printf("ext2fs: zero blocks per group\n");
+ if (fs->e2fs_bpg == 0 || fs->e2fs_fpg == 0) {
+ printf("ext2fs: zero blocks/fragments per group");
+ return (EINVAL);
+ } else if (fs->e2fs_bpg != fs->e2fs_fpg) {
+ printf("ext2fs: blocks per group not equal fragments per group");
 return (EINVAL);
 }
 if (fs->e2fs_bpg != fs->e2fs_bsize * 8) {
_______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
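Review bot: Both printf() strings added to the group-size check in compute_sb_data() (ext2_vfsops.c) lack the trailing newline that the removed message had, so the text printed for a rejected superblock will run into whatever the kernel logs next. I would write `printf("ext2fs: zero blocks/fragments per group\n");` and `printf("ext2fs: blocks per group not equal fragments per group\n");`. These lines are what an operator sees when a malformed image is refused at mount, so each should end its own log line. As a style point, the `else` after `return (EINVAL);` is redundant, and a second plain `if` would match the neighbouring checks. The function starts and continues outside the hunk.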