mirror of https://github.com/torvalds/linux.git
Each inode of nilfs2 stores a root node of a b-tree, and it turned out to have a memory overrun issue:

Each b-tree node of nilfs2 stores a set of key-value pairs and the number of them (in "bn_nchildren" member of nilfs_btree_node struct), as well as a few other "bn_*" members.

Since the value of "bn_nchildren" is used for operations on the key-values within the b-tree node, it can cause memory access overrun if a large number is incorrectly set to "bn_nchildren".

For instance, nilfs_btree_node_lookup() function determines the range of binary search with it, and too large "bn_nchildren" leads nilfs_btree_node_get_key() in that function to overrun.

As for intermediate b-tree nodes, this is prevented by a sanity check performed when each node is read from a drive, however, no sanity check has been done for root nodes stored in inodes.

This patch fixes the issue by adding missing sanity check against b-tree root nodes so that it's called when on-memory inodes are read from ifile, inode metadata file.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

||
|---|---|---|
| Kconfig | ||
| Makefile | ||
| alloc.c | ||
| alloc.h | ||
| bmap.c | ||
| bmap.h | ||
| btnode.c | ||
| btnode.h | ||
| btree.c | ||
| btree.h | ||
| cpfile.c | ||
| cpfile.h | ||
| dat.c | ||
| dat.h | ||
| dir.c | ||
| direct.c | ||
| direct.h | ||
| export.h | ||
| file.c | ||
| gcinode.c | ||
| ifile.c | ||
| ifile.h | ||
| inode.c | ||
| ioctl.c | ||
| mdt.c | ||
| mdt.h | ||
| namei.c | ||
| nilfs.h | ||
| page.c | ||
| page.h | ||
| recovery.c | ||
| segbuf.c | ||
| segbuf.h | ||
| segment.c | ||
| segment.h | ||
| sufile.c | ||
| sufile.h | ||
| super.c | ||
| sysfs.c | ||
| sysfs.h | ||
| the_nilfs.c | ||
| the_nilfs.h | ||