
Commit 64d4ce8

jankaratytso
authored and committed
ext4: fix ext4_empty_dir() for directories with holes
Function ext4_empty_dir() doesn't correctly handle directories with holes and crashes on bh->b_data dereference when bh is NULL. Reorganize the loop to use 'offset' variable all the times instead of comparing pointers to current direntry with bh->b_data pointer. Also add more strict checking of '.' and '..' directory entries to avoid entering loop in possibly invalid state on corrupted filesystems. References: CVE-2019-19037 CC: [email protected] Fixes: 4e19d6b ("ext4: allow directory holes") Signed-off-by: Jan Kara <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Theodore Ts'o <[email protected]>
1 parent dfdeeb4 commit 64d4ce8

1 file changed

+18
-14
lines changed

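--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2822,7 +2822,7 @@ bool ext4_empty_dir(struct inode *inode)
 {
 	unsigned int offset;
 	struct buffer_head *bh;
-	struct ext4_dir_entry_2 *de, *de1;
+	struct ext4_dir_entry_2 *de;
 	struct super_block *sb;
 
 	if (ext4_has_inline_data(inode)) {
@@ -2847,19 +2847,25 @@ bool ext4_empty_dir(struct inode *inode)
 		return true;
 
 	de = (struct ext4_dir_entry_2 *) bh->b_data;
-	de1 = ext4_next_entry(de, sb->s_blocksize);
-	if (le32_to_cpu(de->inode) != inode->i_ino ||
-			le32_to_cpu(de1->inode) == 0 ||
-			strcmp(".", de->name) || strcmp("..", de1->name)) {
-		ext4_warning_inode(inode, "directory missing '.' and/or '..'");
+	if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
+				 0) ||
+	    le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) {
+		ext4_warning_inode(inode, "directory missing '.'");
+		brelse(bh);
+		return true;
+	}
+	offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
+	de = ext4_next_entry(de, sb->s_blocksize);
+	if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
+				 offset) ||
+	    le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {
+		ext4_warning_inode(inode, "directory missing '..'");
 		brelse(bh);
 		return true;
 	}
-	offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) +
-		 ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize);
-	de = ext4_next_entry(de1, sb->s_blocksize);
+	offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
 	while (offset < inode->i_size) {
-		if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) {
+		if (!(offset & (sb->s_blocksize - 1))) {
 			unsigned int lblock;
 			brelse(bh);
 			lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb);
@@ -2870,12 +2876,11 @@ bool ext4_empty_dir(struct inode *inode)
 			}
 			if (IS_ERR(bh))
 				return true;
-			de = (struct ext4_dir_entry_2 *) bh->b_data;
 		}
+		de = (struct ext4_dir_entry_2 *) (bh->b_data +
+					(offset & (sb->s_blocksize - 1)));
 		if (ext4_check_dir_entry(inode, NULL, de, bh,
 					bh->b_data, bh->b_size, offset)) {
-			de = (struct ext4_dir_entry_2 *)(bh->b_data +
-							sb->s_blocksize);
 			offset = (offset | (sb->s_blocksize - 1)) + 1;
 			continue;
 		}
@@ -2884,7 +2889,6 @@ bool ext4_empty_dir(struct inode *inode)
 			return false;
 		}
 		offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
-		de = ext4_next_entry(de, sb->s_blocksize);
 	}
 	brelse(bh);
 	return true;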
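Review bot: The new '..' check at lines 2857-2861 of the second hunk can still hand ext4_check_dir_entry() a pointer at the very end of the block: a '.' entry whose rec_len equals s_blocksize passes the first check (its extent stays within bh->b_size), so ext4_next_entry() then yields de == bh->b_data + s_blocksize, and if ext4_check_dir_entry() reads de->rec_len before its own bounds comparison — as its error-message ordering suggests, though its body is not in this hunk — that is a read past the buffer on a corrupted image, which is exactly the class of crash this fix targets. Because offset already holds the '.' entry's rec_len at that point, the cheapest guard is a short-circuit operand ahead of the call: `if (offset >= sb->s_blocksize || ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size, offset) ||`, which keeps the existing "directory missing '..'" warning and early return. The while loop in the third hunk is safe here because `offset & (s_blocksize - 1)` is applied before computing de, so only the pre-loop path needs the guard. ext4_empty_dir() begins before the first hunk and its closing brace is outside the last one.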
