releases/3.10.79/nilfs2-fix-sanity-check-of-btree-level-in-nilfs_btree_root_broken.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From d8fd150fe3935e1692bf57c66691e17409ebb9c1 Mon Sep 17 00:00:00 2001
 From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
 Date: Tue, 5 May 2015 16:24:00 -0700
 Subject: nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()

 From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

 commit d8fd150fe3935e1692bf57c66691e17409ebb9c1 upstream.

 The range check for b-tree level parameter in nilfs_btree_root_broken()
 is wrong; it accepts the case of "level == NILFS_BTREE_LEVEL_MAX" even
 though the level is limited to values in the range of 0 to
 (NILFS_BTREE_LEVEL_MAX - 1).

 Since the level parameter is read from storage device and used to index
 nilfs_btree_path array whose element count is NILFS_BTREE_LEVEL_MAX, it
 can cause memory overrun during btree operations if the boundary value
 is set to the level parameter on device.

 This fixes the broken sanity check and adds a comment to clarify that
 the upper bound NILFS_BTREE_LEVEL_MAX is exclusive.

 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/nilfs2/btree.c         |    2 +-
  include/linux/nilfs2_fs.h |    2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)

 --- a/fs/nilfs2/btree.c
 +++ b/fs/nilfs2/btree.c
 @@ -388,7 +388,7 @@ static int nilfs_btree_root_broken(const
  	nchildren = nilfs_btree_node_get_nchildren(node);

  	if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
 -		     level > NILFS_BTREE_LEVEL_MAX ||
 +		     level >= NILFS_BTREE_LEVEL_MAX ||
  		     nchildren < 0 ||
  		     nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
  		pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",
 --- a/include/linux/nilfs2_fs.h
 +++ b/include/linux/nilfs2_fs.h
 @@ -458,7 +458,7 @@ struct nilfs_btree_node {
  /* level */
  #define NILFS_BTREE_LEVEL_DATA          0
  #define NILFS_BTREE_LEVEL_NODE_MIN      (NILFS_BTREE_LEVEL_DATA + 1)
 -#define NILFS_BTREE_LEVEL_MAX           14
 +#define NILFS_BTREE_LEVEL_MAX           14	/* Max level (exclusive) */

  /**
   * struct nilfs_palloc_group_desc - block group descriptor
	From d8fd150fe3935e1692bf57c66691e17409ebb9c1 Mon Sep 17 00:00:00 2001
	From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
	Date: Tue, 5 May 2015 16:24:00 -0700
	Subject: nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()

	From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

	commit d8fd150fe3935e1692bf57c66691e17409ebb9c1 upstream.

	The range check for b-tree level parameter in nilfs_btree_root_broken()
	is wrong; it accepts the case of "level == NILFS_BTREE_LEVEL_MAX" even
	though the level is limited to values in the range of 0 to
	(NILFS_BTREE_LEVEL_MAX - 1).

	Since the level parameter is read from storage device and used to index
	nilfs_btree_path array whose element count is NILFS_BTREE_LEVEL_MAX, it
	can cause memory overrun during btree operations if the boundary value
	is set to the level parameter on device.

	This fixes the broken sanity check and adds a comment to clarify that
	the upper bound NILFS_BTREE_LEVEL_MAX is exclusive.

	Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/nilfs2/btree.c \| 2 +-
	include/linux/nilfs2_fs.h \| 2 +-
	2 files changed, 2 insertions(+), 2 deletions(-)

	--- a/fs/nilfs2/btree.c
	+++ b/fs/nilfs2/btree.c
	@@ -388,7 +388,7 @@ static int nilfs_btree_root_broken(const
	nchildren = nilfs_btree_node_get_nchildren(node);

	if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN \|\|
	- level > NILFS_BTREE_LEVEL_MAX \|\|
	+ level >= NILFS_BTREE_LEVEL_MAX \|\|
	nchildren < 0 \|\|
	nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
	pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",
	--- a/include/linux/nilfs2_fs.h
	+++ b/include/linux/nilfs2_fs.h
	@@ -458,7 +458,7 @@ struct nilfs_btree_node {
	/* level */
	#define NILFS_BTREE_LEVEL_DATA 0
	#define NILFS_BTREE_LEVEL_NODE_MIN (NILFS_BTREE_LEVEL_DATA + 1)
	-#define NILFS_BTREE_LEVEL_MAX 14
	+#define NILFS_BTREE_LEVEL_MAX 14 /* Max level (exclusive) */

	/**
	* struct nilfs_palloc_group_desc - block group descriptor