Commit ae294787 authored Sep 29, 2018 by Darrick J. Wong Committed by Dave Chinner Sep 29, 2018

xfs: don't crash the vfs on a garbage inline symlink



The VFS routine that calls ->get_link blindly copies whatever's returned
into the user's buffer.  If we return a NULL pointer, the vfs will
crash on the null pointer.  Therefore, return -EFSCORRUPTED instead of
blowing up the kernel.

[dgc: clean up with hch's suggestions]

Reported-by:  <wen.xu@gatech.edu>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Allison Henderson <allison.henderson@oracle.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>

parent 5b394b2d

fs/xfs/xfs_iops.c

+11 −1

Original line number	Diff line number	Diff line
		@@ -471,8 +471,18 @@ xfs_vn_get_link_inline(
		struct inode *inode,
		struct delayed_call *done)
		{
		char *link;

		ASSERT(XFS_I(inode)->i_df.if_flags & XFS_IFINLINE);
		return XFS_I(inode)->i_df.if_u1.if_data;

		/*
		* The VFS crashes on a NULL pointer, so return -EFSCORRUPTED if
		* if_data is junk.
		*/
		link = XFS_I(inode)->i_df.if_u1.if_data;
		if (!link)
		return ERR_PTR(-EFSCORRUPTED);
		return link;
		}

		STATIC int