linux/fs/jbd2
Darrick J. Wong e531d0bceb jbd2: fix r_count overflows leading to buffer overflow in journal recovery
The journal revoke block recovery code does not check r_count for
sanity, which means that an evil value of r_count could result in
the kernel reading off the end of the revoke table and into whatever
garbage lies beyond.  This could crash the kernel, so fix that.

However, in testing this fix, I discovered that the code to write
out the revoke tables also was not correctly checking to see if the
block was full -- the current offset check is fine so long as the
revoke table space size is a multiple of the record size, but this
is not true when either journal_csum_v[23] are set.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@vger.kernel.org
2015-05-14 19:11:50 -04:00
..
Kconfig jbd2: remove debug dependency on debug_fs and update Kconfig help text 2013-06-12 23:07:51 -04:00
Makefile [PATCH] jbd2: rename jbd2 symbols to avoid duplication of jbd symbols 2006-10-11 11:14:15 -07:00
checkpoint.c jbd2: simplify calling convention around __jbd2_journal_clean_checkpoint_list 2014-09-18 00:58:12 -04:00
commit.c jbd2: fix descriptor block size handling errors with journal_csum 2014-08-28 22:22:29 -04:00
journal.c Lots of bugs fixes, including Zheng and Jan's extent status shrinker 2014-12-12 09:28:03 -08:00
recovery.c jbd2: fix r_count overflows leading to buffer overflow in journal recovery 2015-05-14 19:11:50 -04:00
revoke.c jbd2: fix r_count overflows leading to buffer overflow in journal recovery 2015-05-14 19:11:50 -04:00
transaction.c ext4: fix NULL pointer dereference when journal restart fails 2015-05-14 18:55:18 -04:00