mirror of
				https://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
				synced 2025-10-25 23:06:18 +00:00 
			
		
		
		
	 f44ec6f3f8
			
		
	
	
		f44ec6f3f8
		
	
	
	
	
		
			
			This attempts to address CVE-2006-6058 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058 first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html Essentially a corrupted minix dir inode reporting a very large i_size will loop for a very long time in minix_readdir, minix_find_entry, etc, because on EIO they just move on to try the next page. This is under the BKL, printk-storming as well. This can lock up the machine for a very long time. Simply ratelimiting the printks gets things back under control. Make the message a bit more informative while we're here. Signed-off-by: Eric Sandeen <sandeen@redhat.com> Cc: Bodo Eggert <7eggert@gmx.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		
			
				
	
	
		
			73 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			73 lines
		
	
	
		
			1.6 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| #include <linux/buffer_head.h>
 | |
| #include "minix.h"
 | |
| 
 | |
| enum {DIRECT = 7, DEPTH = 4};	/* Have triple indirect */
 | |
| 
 | |
| typedef u32 block_t;	/* 32 bit, host order */
 | |
| 
 | |
| static inline unsigned long block_to_cpu(block_t n)
 | |
| {
 | |
| 	return n;
 | |
| }
 | |
| 
 | |
| static inline block_t cpu_to_block(unsigned long n)
 | |
| {
 | |
| 	return n;
 | |
| }
 | |
| 
 | |
| static inline block_t *i_data(struct inode *inode)
 | |
| {
 | |
| 	return (block_t *)minix_i(inode)->u.i2_data;
 | |
| }
 | |
| 
 | |
| static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
 | |
| {
 | |
| 	int n = 0;
 | |
| 	char b[BDEVNAME_SIZE];
 | |
| 	struct super_block *sb = inode->i_sb;
 | |
| 
 | |
| 	if (block < 0) {
 | |
| 		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
 | |
| 			block, bdevname(sb->s_bdev, b));
 | |
| 	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/sb->s_blocksize)) {
 | |
| 		if (printk_ratelimit())
 | |
| 			printk("MINIX-fs: block_to_path: "
 | |
| 			       "block %ld too big on dev %s\n",
 | |
| 				block, bdevname(sb->s_bdev, b));
 | |
| 	} else if (block < 7) {
 | |
| 		offsets[n++] = block;
 | |
| 	} else if ((block -= 7) < 256) {
 | |
| 		offsets[n++] = 7;
 | |
| 		offsets[n++] = block;
 | |
| 	} else if ((block -= 256) < 256*256) {
 | |
| 		offsets[n++] = 8;
 | |
| 		offsets[n++] = block>>8;
 | |
| 		offsets[n++] = block & 255;
 | |
| 	} else {
 | |
| 		block -= 256*256;
 | |
| 		offsets[n++] = 9;
 | |
| 		offsets[n++] = block>>16;
 | |
| 		offsets[n++] = (block>>8) & 255;
 | |
| 		offsets[n++] = block & 255;
 | |
| 	}
 | |
| 	return n;
 | |
| }
 | |
| 
 | |
| #include "itree_common.c"
 | |
| 
 | |
| int V2_minix_get_block(struct inode * inode, long block,
 | |
| 			struct buffer_head *bh_result, int create)
 | |
| {
 | |
| 	return get_block(inode, block, bh_result, create);
 | |
| }
 | |
| 
 | |
| void V2_minix_truncate(struct inode * inode)
 | |
| {
 | |
| 	truncate(inode);
 | |
| }
 | |
| 
 | |
| unsigned V2_minix_blocks(loff_t size, struct super_block *sb)
 | |
| {
 | |
| 	return nblocks(size, sb);
 | |
| }
 |