From owner-svn-src-stable-12@freebsd.org Sat Jul 27 19:29:24 2019 Return-Path: Delivered-To: svn-src-stable-12@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3432AC0885; Sat, 27 Jul 2019 19:29:24 +0000 (UTC) (envelope-from fsu@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 155D26B75D; Sat, 27 Jul 2019 19:29:24 +0000 (UTC) (envelope-from fsu@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E860042DF; Sat, 27 Jul 2019 19:29:23 +0000 (UTC) (envelope-from fsu@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6RJTNqf049247; Sat, 27 Jul 2019 19:29:23 GMT (envelope-from fsu@FreeBSD.org) Received: (from fsu@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6RJTNS3049246; Sat, 27 Jul 2019 19:29:23 GMT (envelope-from fsu@FreeBSD.org) Message-Id: <201907271929.x6RJTNS3049246@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: fsu set sender to fsu@FreeBSD.org using -f From: Fedor Uporov Date: Sat, 27 Jul 2019 19:29:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r350384 - stable/12/sys/fs/ext2fs X-SVN-Group: stable-12 X-SVN-Commit-Author: fsu X-SVN-Commit-Paths: stable/12/sys/fs/ext2fs X-SVN-Commit-Revision: 350384 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 155D26B75D X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.90 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.90)[-0.904,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-12@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 12-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Jul 2019 19:29:24 -0000 Author: fsu Date: Sat Jul 27 19:29:23 2019 New Revision: 350384 URL: https://svnweb.freebsd.org/changeset/base/350384 Log: MFC r349800,r349801: Fix misc fs fuzzing issues. Reported by: Christopher Krah, Thomas Barabosch, and Jan-Niclas Hilgert of Fraunhofer FKIE Reported as: FS-22-EXT2-9: Denial of service in ftruncate-0 (ext2_balloc) FS-11-EXT2-6: Denial Of Service in write-1 (ext2_balloc) Modified: stable/12/sys/fs/ext2fs/ext2_balloc.c Modified: stable/12/sys/fs/ext2fs/ext2_balloc.c ============================================================================== --- stable/12/sys/fs/ext2fs/ext2_balloc.c Sat Jul 27 18:07:46 2019 (r350383) +++ stable/12/sys/fs/ext2fs/ext2_balloc.c Sat Jul 27 19:29:23 2019 (r350384) @@ -62,7 +62,7 @@ ext2_ext_balloc(struct inode *ip, uint32_t lbn, int si struct buf *bp = NULL; struct vnode *vp = ITOV(ip); daddr_t newblk; - int osize, nsize, blks, error, allocated; + int blks, error, allocated; fs = ip->i_e2fs; blks = howmany(size, fs->e2fs_bsize); @@ -72,47 +72,22 @@ ext2_ext_balloc(struct inode *ip, uint32_t lbn, int si return (error); if (allocated) { - if (ip->i_size < (lbn + 1) * fs->e2fs_bsize) - nsize = fragroundup(fs, size); - else - nsize = fs->e2fs_bsize; - - bp = getblk(vp, lbn, nsize, 0, 0, 0); + bp = getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0); if(!bp) return (EIO); - - bp->b_blkno = fsbtodb(fs, newblk); - if (flags & BA_CLRBUF) - vfs_bio_clrbuf(bp); } else { - if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize) { - - error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp); - if (error) { - brelse(bp); - return (error); - } - bp->b_blkno = fsbtodb(fs, newblk); - *bpp = bp; - return (0); - } - - /* - * Consider need to reallocate a fragment. - */ - osize = fragroundup(fs, blkoff(fs, ip->i_size)); - nsize = fragroundup(fs, size); - if (nsize <= osize) - error = bread(vp, lbn, osize, NOCRED, &bp); - else - error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp); + error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp); if (error) { brelse(bp); return (error); } - bp->b_blkno = fsbtodb(fs, newblk); } + + bp->b_blkno = fsbtodb(fs, newblk); + if (flags & BA_CLRBUF) + vfs_bio_clrbuf(bp); + *bpp = bp; return (error); @@ -134,7 +109,7 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size struct indir indirs[EXT2_NIADDR + 2]; e4fs_daddr_t nb, newb; e2fs_daddr_t *bap, pref; - int osize, nsize, num, i, error; + int num, i, error; *bpp = NULL; if (lbn < 0) @@ -164,53 +139,22 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size * no new block is to be allocated, and no need to expand * the file */ - if (nb != 0 && ip->i_size >= (lbn + 1) * fs->e2fs_bsize) { + if (nb != 0) { error = bread(vp, lbn, fs->e2fs_bsize, NOCRED, &bp); if (error) { brelse(bp); return (error); } bp->b_blkno = fsbtodb(fs, nb); - *bpp = bp; - return (0); - } - if (nb != 0) { - /* - * Consider need to reallocate a fragment. - */ - osize = fragroundup(fs, blkoff(fs, ip->i_size)); - nsize = fragroundup(fs, size); - if (nsize <= osize) { - error = bread(vp, lbn, osize, NOCRED, &bp); - if (error) { - brelse(bp); - return (error); - } - bp->b_blkno = fsbtodb(fs, nb); - } else { - /* - * Godmar thinks: this shouldn't happen w/o - * fragments - */ - printf("nsize %d(%d) > osize %d(%d) nb %d\n", - (int)nsize, (int)size, (int)osize, - (int)ip->i_size, (int)nb); - panic( - "ext2_balloc: Something is terribly wrong"); -/* - * please note there haven't been any changes from here on - - * FFS seems to work. - */ + if (ip->i_size >= (lbn + 1) * fs->e2fs_bsize) { + *bpp = bp; + return (0); } } else { - if (ip->i_size < (lbn + 1) * fs->e2fs_bsize) - nsize = fragroundup(fs, size); - else - nsize = fs->e2fs_bsize; EXT2_LOCK(ump); error = ext2_alloc(ip, lbn, ext2_blkpref(ip, lbn, (int)lbn, &ip->i_db[0], 0), - nsize, cred, &newb); + fs->e2fs_bsize, cred, &newb); if (error) return (error); /* @@ -219,7 +163,7 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size */ if (newb > UINT_MAX) return (EFBIG); - bp = getblk(vp, lbn, nsize, 0, 0, 0); + bp = getblk(vp, lbn, fs->e2fs_bsize, 0, 0, 0); bp->b_blkno = fsbtodb(fs, newb); if (flags & BA_CLRBUF) vfs_bio_clrbuf(bp); @@ -308,7 +252,6 @@ ext2_balloc(struct inode *ip, e2fs_lbn_t lbn, int size */ if ((error = bwrite(nbp)) != 0) { ext2_blkfree(ip, nb, fs->e2fs_bsize); - EXT2_UNLOCK(ump); brelse(bp); return (error); }