diff --git a/xfsprogs-3.0.1-overflows.patch b/xfsprogs-3.0.1-overflows.patch
new file mode 100644
index 0000000..f10b7ec
--- /dev/null
+++ b/xfsprogs-3.0.1-overflows.patch
@@ -0,0 +1,84 @@
+From: Eric Sandeen
+Date: Thu, 2 Jul 2009 05:29:36 +0000 (-0500)
+Subject: xfs_repair: fix agcount*agblocks overflows
+X-Git-Url: http://git.kernel.org/?p=fs%2Fxfs%2Fxfsprogs-dev.git;a=commitdiff_plain;h=003e8e41124707f55b20b376a6359dc7f6292991
+
+xfs_repair: fix agcount*agblocks overflows
+
+The last test in verify_ag_bno() may overflow:
+
+return (agbno >= (sbp->sb_dblocks -
+((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
+
+because sb_agcount & sb_agblocks are 32-bit integers; this
+may then miss corrupt agbnos for the last ag, which can in
+turn lead to out of bounds memory accesses later, for example
+when the block nr is used to offset in set_agbno_state():
+
+ addr = ba_bmap[(agno)] + (ag_blockno)/XR_BB_NUM;
+
+Similar problems in mk_incore_fstree
+
+Reported-by: Jesse Stroik
+Signed-off-by: Eric Sandeen
+Reviewed-by: Felix Blyakher
+---
+
+
+From: Eric Sandeen
+Date: Mon, 6 Jul 2009 19:53:35 +0000 (-0500)
+Subject: xfs_metadump: agcount*agblocks overflow
+X-Git-Url: http://git.kernel.org/?p=fs%2Fxfs%2Fxfsprogs-dev.git;a=commitdiff_plain;h=66be354ed0dfb73566f504ac7301fab7915e9475
+
+xfs_metadump: agcount*agblocks overflow
+
+Found another potential overflow in xfs_metadump,
+similar to those just fixed in repair.
+
+Signed-off-by: Eric Sandeen
+Reviewed-by: Christoph Hellwig
+---
+
+diff --git a/repair/dinode.c b/repair/dinode.c
+index fdf52db..84e1d05 100644
+--- a/repair/dinode.c
++++ b/repair/dinode.c
+@@ -319,7 +319,8 @@ verify_ag_bno(xfs_sb_t *sbp,
+ return (agbno >= sbp->sb_agblocks);
+ if (agno == (sbp->sb_agcount - 1))
+ return (agbno >= (sbp->sb_dblocks -
+- ((sbp->sb_agcount - 1) * sbp->sb_agblocks)));
++ ((xfs_drfsbno_t)(sbp->sb_agcount - 1) *
++ sbp->sb_agblocks)));
+ return 1;
+ }
+
+diff --git a/repair/phase5.c b/repair/phase5.c
+index 2c243b6..26f5aa2 100644
+--- a/repair/phase5.c
++++ b/repair/phase5.c
+@@ -113,7 +113,8 @@ mk_incore_fstree(xfs_mount_t *mp, xfs_agnumber_t agno)
+ ag_end = mp->m_sb.sb_agblocks;
+ else
+ ag_end = mp->m_sb.sb_dblocks -
+- mp->m_sb.sb_agblocks * (mp->m_sb.sb_agcount - 1);
++ (xfs_drfsbno_t)mp->m_sb.sb_agblocks *
++ (mp->m_sb.sb_agcount - 1);
+
+ /*
+ * ok, now find the number of extents, keep track of the
+diff --git a/db/metadump.c b/db/metadump.c
+index 19aed4f..ef6e571 100644
+--- a/db/metadump.c
++++ b/db/metadump.c
+@@ -222,7 +222,8 @@ valid_bno(
+ return 1;
+ if (agno == (mp->m_sb.sb_agcount - 1) && agbno > 0 &&
+ agbno <= (mp->m_sb.sb_dblocks -
+- (mp->m_sb.sb_agcount - 1) * mp->m_sb.sb_agblocks))
++ (xfs_drfsbno_t)(mp->m_sb.sb_agcount - 1) *
++ mp->m_sb.sb_agblocks))
+ return 1;
+
+ return 0;
+
diff --git a/xfsprogs.spec b/xfsprogs.spec
index 05e6686..a03f383 100644
--- a/xfsprogs.spec
+++ b/xfsprogs.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing the XFS filesystem
 Name: xfsprogs
 Version: 3.0.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Licensing based on generic "GNU GENERAL PUBLIC LICENSE"
 # in source, with no mention of version.
 # doc/COPYING file specifies what is GPL and what is LGPL
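Review bot: The new-side bound in valid_bno (db/metadump.c hunk) is inclusive, `agbno <= (mp->m_sb.sb_dblocks - ...)`, while verify_ag_bno (repair/dinode.c hunk) rejects the same quantity with `agbno >= ...`, so an agbno equal to the last AG's block count is accepted by metadump but treated as corrupt by repair; if blocks in the last AG are numbered from 0, `agbno < (mp->m_sb.sb_dblocks -` is the test that matches repair. The first branch of valid_bno and the rest of all three functions lie outside the hunk, so I cannot tell whether the inclusive bound is deliberate there. The xfs_drfsbno_t cast removes the 32-bit product overflow, but the subtraction still wraps if the superblock's sb_agcount, sb_agblocks and sb_dblocks are mutually inconsistent; presumably the superblock is validated before these paths run, and a one-line comment at each site, `/* relies on sb geometry having been validated: (agcount-1)*agblocks <= dblocks */`, would record that dependency for the next reader.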
@@ -20,8 +20,9 @@ Conflicts: xfsdump < 3.0.1
 # These are upstream
 Patch0: xfsprogs-3.0.1-readline.patch
 Patch1: xfsprogs-3.0.1-fallocate.patch
+Patch2: xfsprogs-3.0.1-overflows.patch
 # This one, not yet
-Patch2: xfsprogs-3.0.1-mkfs-lazy-count-default.patch
+Patch3: xfsprogs-3.0.1-mkfs-lazy-count-default.patch
 
 %description
 A set of commands to use the XFS filesystem, including mkfs.xfs.
@@ -69,6 +70,7 @@ in building or running the xfstests QA suite.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 export tagname=CC DEBUG=-DNDEBUG
@@ -195,6 +197,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_includedir}/xfs/xfs_types.h
 
 %changelog
+* Tue Jun 30 2009 Eric Sandeen 3.0.1-9
+- Fix block overflows in xfs_repair and xfs_metadump
+
 * Tue Jun 30 2009 Eric Sandeen 3.0.1-8
 - Fix up build-requires after e2fsprogs splitup