bfs: add some basic sanity checks

bfs_fill_super() already touches all inodes, so we can easily add some
cheap sanity checks and check if the inode start and end blocks are
smaller than the maximum number of blocks, the inode start block lies
behind the end block or the file end offset is behind the end of the
filesystem.  Also check if the start of data offset in the super block
fits the filesystem.

The added sanity checks catch softlockup issues early when we try to
sb_bread() lots of blocks in a loop in bfs_readdir() and bfs_find_entry().
 In addition an oom issue in bfs_fill_super() is prevented by this when
s_start is corrupted, which influences imap_len and we try to allocate a
huge info->si_imap.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Acked-by: Tigran Aivazian <tigran@aivazian.fsnet.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/bfs/inode.c b/fs/bfs/inode.c
index 0ed57b5ee012c362fe298f7b7be24cfd49121e2d..1d2bfafcad7c64778fb531d465b1bf22b8ceffd3 100644 (file)
--- a/fs/bfs/inode.c
+++ b/fs/bfs/inode.c
@@ -213,6 +213,9 @@ static void bfs_put_super(struct super_block *s)
 {
        struct bfs_sb_info *info = BFS_SB(s);
 
+       if (!info)
+               return;
+
        brelse(info->si_sbh);
        mutex_destroy(&info->bfs_lock);
        kfree(info->si_imap);
@@ -327,6 +330,7 @@ static int bfs_fill_super(struct super_block *s, void *data, int silent)
        unsigned i, imap_len;
        struct bfs_sb_info *info;
        long ret = -EINVAL;
+       unsigned long i_sblock, i_eblock, i_eoff, s_size;
 
        info = kzalloc(sizeof(*info), GFP_KERNEL);
        if (!info)
@@ -350,6 +354,12 @@ static int bfs_fill_super(struct super_block *s, void *data, int silent)
 
        s->s_magic = BFS_MAGIC;
        info->si_sbh = bh;
+
+       if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
+               printf("Superblock is corrupted\n");
+               goto out;
+       }
+
        info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) /
                                        sizeof(struct bfs_inode)
                                        + BFS_ROOT_INO - 1;
@@ -397,6 +407,29 @@ static int bfs_fill_super(struct super_block *s, void *data, int silent)
 
                di = (struct bfs_inode *)bh->b_data + off;
 
+               /* test if filesystem is not corrupted */
+
+               i_eoff = le32_to_cpu(di->i_eoffset);
+               i_sblock = le32_to_cpu(di->i_sblock);
+               i_eblock = le32_to_cpu(di->i_eblock);
+               s_size = le32_to_cpu(bfs_sb->s_end);
+
+               if (i_sblock > info->si_blocks ||
+                       i_eblock > info->si_blocks ||
+                       i_sblock > i_eblock ||
+                       i_eoff > s_size ||
+                       i_sblock * BFS_BSIZE > i_eoff) {
+
+                       printf("Inode 0x%08x corrupted\n", i);
+
+                       brelse(bh);
+                       s->s_root = NULL;
+                       kfree(info->si_imap);
+                       kfree(info);
+                       s->s_fs_info = NULL;
+                       return -EIO;
+               }
+
                if (!di->i_ino) {
                        info->si_freei++;
                        continue;