Date:      Sat, 27 Jul 2019 19:29:23 +0000 (UTC)
From:      Fedor Uporov <fsu@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r350384 - stable/12/sys/fs/ext2fs
Message-ID:  <201907271929.x6RJTNS3049246@repo.freebsd.org>

Author: fsu
Date: Sat Jul 27 19:29:23 2019
New Revision: 350384
URL: https://svnweb.freebsd.org/changeset/base/350384

Log:
  MFC r349800,r349801:
  
  Fix misc fs fuzzing issues.
  
  Reported by:    Christopher Krah, Thomas Barabosch, and Jan-Niclas Hilgert of Fraunhofer FKIE
  Reported as:    FS-22-EXT2-9: Denial of service in ftruncate-0 (ext2_balloc)
                  FS-11-EXT2-6: Denial Of Service in write-1 (ext2_balloc)

Modified:
  stable/12/sys/fs/ext2fs/ext2_balloc.c

Modified: stable/12/sys/fs/ext2fs/ext2_balloc.c
==============================================================================
--- stable/12/sys/fs/ext2fs/ext2_balloc.c	Sat Jul 27 18:07:46 2019	(r350383)
+++ stable/12/sys/fs/ext2fs/ext2_balloc.c	Sat Jul 27 19:29:23 2019	(r350384)
@@ -62,7 +62,7 @@ ext2_ext_balloc(struct inode *ip, uint32_t lbn, int si
 	struct buf *bp = NULL;
 	struct vnode *vp = ITOV(ip);
 	daddr_t newblk;
-	int osize, nsize, blks, error, allocated;
+	int blks, error, allocated;
 
 	fs = ip->i_e2fs;
 	blks = howmany(size, fs->e2fs_bsize);
@@ -72,47 +72,22 @@ ext2_ext_balloc(struct inode *ip, uint32_t lbn, int si
 		return (error);
 
 	if (allocated) {
-		if (ip->i_size < (lbn + 1) * fs->e2fs_bsize)
-			nsize = fragroundup(fs, size);
-		else
-			nsize = fs->e2fs_bsize;
-
-		bp = getblk(vp, lbn, nsize, 0, 0, 0);
+		bp = getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0);
 		if(!bp)
 			return (EIO);
-
-		bp->b_blkno = fsbtodb(fs, newblk);
-		if (flags & BA_CLRBUF)
-			vfs_bio_clrbuf(bp);
 	} else {
-		if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
-
-			error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
-			if (error) {
-				brelse(bp);
-				return (error);
-			}
-			bp->b_blkno = fsbtodb(fs, newblk);
-			*bpp = bp;
-			return (0);
-		}
-
-		/*
-		 * Consider need to reallocate a fragment.
-		 */
-		osize = fragroundup(fs, blkoff(fs, ip->i_size));
-		nsize = fragroundup(fs, size);
-		if (nsize <= osize)
-			error = bread(vp, lbn, osize, NOCRED, &bp);
-		else
-			error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
+		error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
 		if (error) {
 			brelse(bp);
 			return (error);
 		}
-		bp->b_blkno = fsbtodb(fs, newblk);
 	}
 
+
+	bp->b_blkno = fsbtodb(fs, newblk);
+	if (flags & BA_CLRBUF)
+		vfs_bio_clrbuf(bp);
+
 	*bpp = bp;
 
 	return (error);
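Review bot: Hoisting `if (flags & BA_CLRBUF) vfs_bio_clrbuf(bp);` below the if/else makes it run on the bread() path as well, whereas the removed code only cleared buffers that came from getblk() for a newly allocated block; for a buffer that is not VMIO-backed, clrbuf() would zero the block contents that bread() just fetched. If the clear is meant only for fresh blocks, keep the old scoping with `if (allocated && (flags & BA_CLRBUF)) vfs_bio_clrbuf(bp);`. The retained `if(!bp) return (EIO);` after getblk() presumably leaves the block that the allocation call above this hunk returned in `newblk` allocated but unreferenced, so it is worth confirming either that it must be freed on that path or that getblk() with zero flags cannot return NULL. The added empty line after the closing brace of the else leaves two consecutive blank lines; drop one. ext2_ext_balloc begins before this hunk.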
@@ -134,7 +109,7 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
 	struct indir indirs[EXT2_NIADDR + 2];
 	e4fs_daddr_t nb, newb;
 	e2fs_daddr_t *bap, pref;
-	int osize, nsize, num, i, error;
+	int num, i, error;
 
 	*bpp = NULL;
 	if (lbn < 0)
@@ -164,53 +139,22 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
 		 * no new block is to be allocated, and no need to expand
 		 * the file
 		 */
-		if (nb != 0 && ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
+		if (nb != 0) {
 			error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp);
 			if (error) {
 				brelse(bp);
 				return (error);
 			}
 			bp->b_blkno = fsbtodb(fs, nb);
-			*bpp = bp;
-			return (0);
-		}
-		if (nb != 0) {
-			/*
-			 * Consider need to reallocate a fragment.
-			 */
-			osize = fragroundup(fs, blkoff(fs, ip->i_size));
-			nsize = fragroundup(fs, size);
-			if (nsize <= osize) {
-				error = bread(vp, lbn, osize, NOCRED, &bp);
-				if (error) {
-					brelse(bp);
-					return (error);
-				}
-				bp->b_blkno = fsbtodb(fs, nb);
-			} else {
-				/*
-				 * Godmar thinks: this shouldn't happen w/o
-				 * fragments
-				 */
-				printf("nsize %d(%d) > osize %d(%d) nb %d\n",
-				    (int)nsize, (int)size, (int)osize,
-				    (int)ip->i_size, (int)nb);
-				panic(
-				    "ext2_balloc: Something is terribly wrong");
-/*
- * please note there haven't been any changes from here on -
- * FFS seems to work.
- */
+			if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize) {
+				*bpp = bp;
+				return (0);
 			}
 		} else {
-			if (ip->i_size < (lbn + 1) * fs->e2fs_bsize)
-				nsize = fragroundup(fs, size);
-			else
-				nsize = fs->e2fs_bsize;
 			EXT2_LOCK(ump);
 			error = ext2_alloc(ip, lbn,
 			    ext2_blkpref(ip, lbn, (int)lbn, &ip->i_db[0], 0),
-			    nsize, cred, &newb);
+			    fs->e2fs_bsize, cred, &newb);
 			if (error)
 				return (error);
 			/*
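Review bot: In the `nb != 0` branch the inner `if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize)` early return now differs from the fall-through only by skipping whatever follows the if/else, which lies outside this hunk; if that tail merely re-records `ip->i_db[lbn]` from `bp->b_blkno` and returns bp, the size test is redundant and the branch can simply end after `bp->b_blkno = fsbtodb(fs, nb);`. If the tail instead does work that must not run for an already-mapped block, a one-line comment on the early return saying why the size test matters would help, since the removed code carried that distinction as two separate `if` statements and the new shape hides it. ext2_balloc continues on both sides of the hunk.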
@@ -219,7 +163,7 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
 			 */
 			if (newb > UINT_MAX)
 				return (EFBIG);
-			bp = getblk(vp, lbn, nsize, 0, 0, 0);
+			bp = getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0);
 			bp->b_blkno = fsbtodb(fs, newb);
 			if (flags & BA_CLRBUF)
 				vfs_bio_clrbuf(bp);
@@ -308,7 +252,6 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size
 		 */
 		if ((error = bwrite(nbp)) != 0) {
 			ext2_blkfree(ip, nb, fs->e2fs_bsize);
-			EXT2_UNLOCK(ump);
 			brelse(bp);
 			return (error);
 		}
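Review bot: Removing `EXT2_UNLOCK(ump)` from the bwrite() failure path is not mentioned in the log message, and the matching lock acquisition is outside this hunk; presumably the allocation call that produced `nb` already released ump, making the old unlock a double release. A one-line comment on this error path such as `/* ump is not held here; the allocator already released it. */` would keep a future reader from re-adding the unlock. ext2_balloc continues outside the hunk.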


