Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1e62ac6b authored by Jan Kara's avatar Jan Kara Committed by Greg Kroah-Hartman
Browse files

ext4: fix ext4_empty_dir() for directories with holes 



commit 64d4ce892383b2ad6d782e080d25502f91bf2a38 upstream.

Function ext4_empty_dir() doesn't correctly handle directories with
holes and crashes on bh->b_data dereference when bh is NULL. Reorganize
the loop to use 'offset' variable all the times instead of comparing
pointers to current direntry with bh->b_data pointer. Also add more
strict checking of '.' and '..' directory entries to avoid entering loop
in possibly invalid state on corrupted filesystems.

References: CVE-2019-19037
CC: stable@vger.kernel.org
Fixes: 4e19d6b65fb4 ("ext4: allow directory holes")
Signed-off-by: default avatarJan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20191202170213.4761-2-jack@suse.cz


Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e7a0e839

fs/ext4/namei.c

+18 −14
Original line number Diff line number Diff line
@@ -2693,7 +2693,7 @@ bool ext4_empty_dir(struct inode *inode) 
{

	unsigned int offset;

	struct buffer_head *bh;

	struct ext4_dir_entry_2 *de, *de1;

	struct ext4_dir_entry_2 *de;

	struct super_block *sb;



	if (ext4_has_inline_data(inode)) {
@@ -2718,19 +2718,25 @@ bool ext4_empty_dir(struct inode *inode) 
		return true;



	de = (struct ext4_dir_entry_2 *) bh->b_data;

	de1 = ext4_next_entry(de, sb->s_blocksize);

	if (le32_to_cpu(de->inode) != inode->i_ino ||

			le32_to_cpu(de1->inode) == 0 ||

			strcmp(".", de->name) || strcmp("..", de1->name)) {

		ext4_warning_inode(inode, "directory missing '.' and/or '..'");

	if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,

				 0) ||

	    le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) {

		ext4_warning_inode(inode, "directory missing '.'");

		brelse(bh);

		return true;

	}

	offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);

	de = ext4_next_entry(de, sb->s_blocksize);

	if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,

				 offset) ||

	    le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {

		ext4_warning_inode(inode, "directory missing '..'");

		brelse(bh);

		return true;

	}

	offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) +

		 ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize);

	de = ext4_next_entry(de1, sb->s_blocksize);

	offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);

	while (offset < inode->i_size) {

		if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) {

		if (!(offset & (sb->s_blocksize - 1))) {

			unsigned int lblock;

			brelse(bh);

			lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb);
@@ -2741,12 +2747,11 @@ bool ext4_empty_dir(struct inode *inode) 
			}

			if (IS_ERR(bh))

				return true;

			de = (struct ext4_dir_entry_2 *) bh->b_data;

		}

		de = (struct ext4_dir_entry_2 *) (bh->b_data +

					(offset & (sb->s_blocksize - 1)));

		if (ext4_check_dir_entry(inode, NULL, de, bh,

					 bh->b_data, bh->b_size, offset)) {

			de = (struct ext4_dir_entry_2 *)(bh->b_data +

							 sb->s_blocksize);

			offset = (offset | (sb->s_blocksize - 1)) + 1;

			continue;

		}
@@ -2755,7 +2760,6 @@ bool ext4_empty_dir(struct inode *inode) 
			return false;

		}

		offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);

		de = ext4_next_entry(de, sb->s_blocksize);

	}

	brelse(bh);

	return true;