[Devel] [PATCH RHEL8 COMMIT] ploop: Add sanity check BAT does not refer beyond EOF

Konstantin Khorenko khorenko at virtuozzo.com
Fri Aug 13 15:41:25 MSK 2021 

The commit is pushed to "branch-rh8-4.18.0-305.3.1.vz8.7.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-305.3.1.vz8.7.6
------>
commit 373d966bbd343858b9e0ba47ad85f41ba7e9f65f
Author: Kirill Tkhai <ktkhai at virtuozzo.com>
Date:   Fri Aug 13 15:41:25 2021 +0300

    ploop: Add sanity check BAT does not refer beyond EOF
    
    Check that during metadata read.
    
    https://jira.sw.ru/browse/PSBM-132481
    Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 drivers/md/dm-ploop-bat.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/md/dm-ploop-bat.c b/drivers/md/dm-ploop-bat.c
index e4e10df685a2..f2a2d35818b8 100644
--- a/drivers/md/dm-ploop-bat.c
+++ b/drivers/md/dm-ploop-bat.c
@@ -346,15 +346,16 @@ static int ploop_delta_check_header(struct ploop *ploop,
 }
 
 static int convert_bat_entries(struct ploop *ploop, struct rb_root *md_root,
-			       u32 nr_be, u32 nr_pages)
+			       u32 nr_be, u32 nr_pages, loff_t file_size)
 {
-	u32 i, end, bytes, bat_clusters, page_id, *bat_entries;
+	u32 i, end, bytes, bat_clusters, page_id, *bat_entries, max_file_clu;
 	struct rb_node *node;
 	struct md_page *md;
 	int ret = 0;
 
 	bytes = (PLOOP_MAP_OFFSET + nr_be) * sizeof(map_index_t);
 	bat_clusters = DIV_ROUND_UP(bytes, CLU_SIZE(ploop));
+	max_file_clu = file_size / CLU_SIZE(ploop) - 1;
 
 	page_id = 0;
 	rb_root_for_each_md_page(md_root, md, node) {
@@ -364,7 +365,7 @@ static int convert_bat_entries(struct ploop *ploop, struct rb_root *md_root,
 		page_id++;
 
 		for (; i <= end; i++) {
-			if (bat_entries[i] == BAT_ENTRY_NONE)
+			if (bat_entries[i] > max_file_clu)
 				ret = -EPROTO;
 			if (!bat_entries[i])
 				bat_entries[i] = BAT_ENTRY_NONE;
@@ -385,11 +386,11 @@ int ploop_read_delta_metadata(struct ploop *ploop, struct file *file,
 {
 	struct bio_vec bvec_on_stack, *bvec = &bvec_on_stack;
 	u32 i, size, delta_nr_be, nr_segs;
+	loff_t pos, file_size;
 	struct iov_iter iter;
 	struct rb_node *node;
 	struct md_page *md;
 	ssize_t len;
-	loff_t pos;
 	int ret;
 
 	ret = -ENOMEM;
@@ -444,7 +445,9 @@ int ploop_read_delta_metadata(struct ploop *ploop, struct file *file,
 		goto out;
 	}
 
-	ret = convert_bat_entries(ploop, md_root, delta_nr_be, nr_segs);
+	file_size = i_size_read(file->f_mapping->host);
+
+	ret = convert_bat_entries(ploop, md_root, delta_nr_be, nr_segs, file_size);
 
 	*delta_nr_be_ret = delta_nr_be;
 out:

More information about the Devel mailing list