Jan Kara 410dd3cf4c isofs: Fix unbounded recursion when processing relocated directories
We did not check relocated directory in any way when processing Rock
Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
entry pointing to another CL entry leading to possibly unbounded
recursion in kernel code and thus stack overflow or deadlocks (if there
is a loop created from CL entries).

Fix the problem by not allowing CL entry to point to a directory entry
with CL entry (such use makes no good sense anyway) and by checking
whether CL entry doesn't point to itself.

CC: stable@vger.kernel.org
Reported-by: Chris Evans <cevans@google.com>
Signed-off-by: Jan Kara <jack@suse.cz>
2014-08-19 18:29:30 +02:00

199 lines
6.3 KiB
C

#include <linux/fs.h>
#include <linux/buffer_head.h>
#include <linux/exportfs.h>
#include <linux/iso_fs.h>
#include <asm/unaligned.h>
enum isofs_file_format {
isofs_file_normal = 0,
isofs_file_sparse = 1,
isofs_file_compressed = 2,
};
/*
* iso fs inode data in memory
*/
struct iso_inode_info {
unsigned long i_iget5_block;
unsigned long i_iget5_offset;
unsigned int i_first_extent;
unsigned char i_file_format;
unsigned char i_format_parm[3];
unsigned long i_next_section_block;
unsigned long i_next_section_offset;
off_t i_section_size;
struct inode vfs_inode;
};
/*
* iso9660 super-block data in memory
*/
struct isofs_sb_info {
unsigned long s_ninodes;
unsigned long s_nzones;
unsigned long s_firstdatazone;
unsigned long s_log_zone_size;
unsigned long s_max_size;
int s_rock_offset; /* offset of SUSP fields within SU area */
unsigned char s_joliet_level;
unsigned char s_mapping;
unsigned int s_high_sierra:1;
unsigned int s_rock:2;
unsigned int s_utf8:1;
unsigned int s_cruft:1; /* Broken disks with high byte of length
* containing junk */
unsigned int s_nocompress:1;
unsigned int s_hide:1;
unsigned int s_showassoc:1;
unsigned int s_overriderockperm:1;
unsigned int s_uid_set:1;
unsigned int s_gid_set:1;
umode_t s_fmode;
umode_t s_dmode;
kgid_t s_gid;
kuid_t s_uid;
struct nls_table *s_nls_iocharset; /* Native language support table */
};
#define ISOFS_INVALID_MODE ((umode_t) -1)
static inline struct isofs_sb_info *ISOFS_SB(struct super_block *sb)
{
return sb->s_fs_info;
}
static inline struct iso_inode_info *ISOFS_I(struct inode *inode)
{
return container_of(inode, struct iso_inode_info, vfs_inode);
}
static inline int isonum_711(char *p)
{
return *(u8 *)p;
}
static inline int isonum_712(char *p)
{
return *(s8 *)p;
}
static inline unsigned int isonum_721(char *p)
{
return get_unaligned_le16(p);
}
static inline unsigned int isonum_722(char *p)
{
return get_unaligned_be16(p);
}
static inline unsigned int isonum_723(char *p)
{
/* Ignore bigendian datum due to broken mastering programs */
return get_unaligned_le16(p);
}
static inline unsigned int isonum_731(char *p)
{
return get_unaligned_le32(p);
}
static inline unsigned int isonum_732(char *p)
{
return get_unaligned_be32(p);
}
static inline unsigned int isonum_733(char *p)
{
/* Ignore bigendian datum due to broken mastering programs */
return get_unaligned_le32(p);
}
extern int iso_date(char *, int);
struct inode; /* To make gcc happy */
extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated);
extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *);
extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *);
int get_joliet_filename(struct iso_directory_record *, unsigned char *, struct inode *);
int get_acorn_filename(struct iso_directory_record *, char *, struct inode *);
extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int flags);
extern struct buffer_head *isofs_bread(struct inode *, sector_t);
extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long);
struct inode *__isofs_iget(struct super_block *sb,
unsigned long block,
unsigned long offset,
int relocated);
static inline struct inode *isofs_iget(struct super_block *sb,
unsigned long block,
unsigned long offset)
{
return __isofs_iget(sb, block, offset, 0);
}
static inline struct inode *isofs_iget_reloc(struct super_block *sb,
unsigned long block,
unsigned long offset)
{
return __isofs_iget(sb, block, offset, 1);
}
/* Because the inode number is no longer relevant to finding the
* underlying meta-data for an inode, we are free to choose a more
* convenient 32-bit number as the inode number. The inode numbering
* scheme was recommended by Sergey Vlasov and Eric Lammerts. */
static inline unsigned long isofs_get_ino(unsigned long block,
unsigned long offset,
unsigned long bufbits)
{
return (block << (bufbits - 5)) | (offset >> 5);
}
/* Every directory can have many redundant directory entries scattered
* throughout the directory tree. First there is the directory entry
* with the name of the directory stored in the parent directory.
* Then, there is the "." directory entry stored in the directory
* itself. Finally, there are possibly many ".." directory entries
* stored in all the subdirectories.
*
* In order for the NFS get_parent() method to work and for the
* general consistency of the dcache, we need to make sure the
* "i_iget5_block" and "i_iget5_offset" all point to exactly one of
* the many redundant entries for each directory. We normalize the
* block and offset by always making them point to the "." directory.
*
* Notice that we do not use the entry for the directory with the name
* that is located in the parent directory. Even though choosing this
* first directory is more natural, it is much easier to find the "."
* entry in the NFS get_parent() method because it is implicitly
* encoded in the "extent + ext_attr_length" fields of _all_ the
* redundant entries for the directory. Thus, it can always be
* reached regardless of which directory entry you have in hand.
*
* This works because the "." entry is simply the first directory
* record when you start reading the file that holds all the directory
* records, and this file starts at "extent + ext_attr_length" blocks.
* Because the "." entry is always the first entry listed in the
* directories file, the normalized "offset" value is always 0.
*
* You should pass the directory entry in "de". On return, "block"
* and "offset" will hold normalized values. Only directories are
* affected making it safe to call even for non-directory file
* types. */
static inline void
isofs_normalize_block_and_offset(struct iso_directory_record* de,
unsigned long *block,
unsigned long *offset)
{
/* Only directories are normalized. */
if (de->flags[0] & 2) {
*offset = 0;
*block = (unsigned long)isonum_733(de->extent)
+ (unsigned long)isonum_711(de->ext_attr_length);
}
}
extern const struct inode_operations isofs_dir_inode_operations;
extern const struct file_operations isofs_dir_operations;
extern const struct address_space_operations isofs_symlink_aops;
extern const struct export_operations isofs_export_ops;