mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-18 22:14:16 +00:00 
			
		
		
		
	 587065dcac
			
		
	
	
		587065dcac
		
	
	
	
	
		
			
			This code accidentally returns success, but it should return the
-EIO error code from adfs_fplus_validate_header().
Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
Fixes: d79288b4f6 ("fs/adfs: bigdir: calculate and validate directory checkbyte")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
		
	
			
		
			
				
	
	
		
			287 lines
		
	
	
	
		
			7.1 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			287 lines
		
	
	
	
		
			7.1 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0-only
 | |
| /*
 | |
|  *  linux/fs/adfs/dir_fplus.c
 | |
|  *
 | |
|  *  Copyright (C) 1997-1999 Russell King
 | |
|  */
 | |
| #include "adfs.h"
 | |
| #include "dir_fplus.h"
 | |
| 
 | |
| /* Return the byte offset to directory entry pos */
 | |
| static unsigned int adfs_fplus_offset(const struct adfs_bigdirheader *h,
 | |
| 				      unsigned int pos)
 | |
| {
 | |
| 	return offsetof(struct adfs_bigdirheader, bigdirname) +
 | |
| 	       ALIGN(le32_to_cpu(h->bigdirnamelen), 4) +
 | |
| 	       pos * sizeof(struct adfs_bigdirentry);
 | |
| }
 | |
| 
 | |
| static int adfs_fplus_validate_header(const struct adfs_bigdirheader *h)
 | |
| {
 | |
| 	unsigned int size = le32_to_cpu(h->bigdirsize);
 | |
| 	unsigned int len;
 | |
| 
 | |
| 	if (h->bigdirversion[0] != 0 || h->bigdirversion[1] != 0 ||
 | |
| 	    h->bigdirversion[2] != 0 ||
 | |
| 	    h->bigdirstartname != cpu_to_le32(BIGDIRSTARTNAME) ||
 | |
| 	    !size || size & 2047 || size > SZ_4M)
 | |
| 		return -EIO;
 | |
| 
 | |
| 	size -= sizeof(struct adfs_bigdirtail) +
 | |
| 		offsetof(struct adfs_bigdirheader, bigdirname);
 | |
| 
 | |
| 	/* Check that bigdirnamelen fits within the directory */
 | |
| 	len = ALIGN(le32_to_cpu(h->bigdirnamelen), 4);
 | |
| 	if (len > size)
 | |
| 		return -EIO;
 | |
| 
 | |
| 	size -= len;
 | |
| 
 | |
| 	/* Check that bigdirnamesize fits within the directory */
 | |
| 	len = le32_to_cpu(h->bigdirnamesize);
 | |
| 	if (len > size)
 | |
| 		return -EIO;
 | |
| 
 | |
| 	size -= len;
 | |
| 
 | |
| 	/*
 | |
| 	 * Avoid division, we know that absolute maximum number of entries
 | |
| 	 * can not be so large to cause overflow of the multiplication below.
 | |
| 	 */
 | |
| 	len = le32_to_cpu(h->bigdirentries);
 | |
| 	if (len > SZ_4M / sizeof(struct adfs_bigdirentry) ||
 | |
| 	    len * sizeof(struct adfs_bigdirentry) > size)
 | |
| 		return -EIO;
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static int adfs_fplus_validate_tail(const struct adfs_bigdirheader *h,
 | |
| 				    const struct adfs_bigdirtail *t)
 | |
| {
 | |
| 	if (t->bigdirendname != cpu_to_le32(BIGDIRENDNAME) ||
 | |
| 	    t->bigdirendmasseq != h->startmasseq ||
 | |
| 	    t->reserved[0] != 0 || t->reserved[1] != 0)
 | |
| 		return -EIO;
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static u8 adfs_fplus_checkbyte(struct adfs_dir *dir)
 | |
| {
 | |
| 	struct adfs_bigdirheader *h = dir->bighead;
 | |
| 	struct adfs_bigdirtail *t = dir->bigtail;
 | |
| 	unsigned int end, bs, bi, i;
 | |
| 	__le32 *bp;
 | |
| 	u32 dircheck;
 | |
| 
 | |
| 	end = adfs_fplus_offset(h, le32_to_cpu(h->bigdirentries)) +
 | |
| 		le32_to_cpu(h->bigdirnamesize);
 | |
| 
 | |
| 	/* Accumulate the contents of the header, entries and names */
 | |
| 	for (dircheck = 0, bi = 0; end; bi++) {
 | |
| 		bp = (void *)dir->bhs[bi]->b_data;
 | |
| 		bs = dir->bhs[bi]->b_size;
 | |
| 		if (bs > end)
 | |
| 			bs = end;
 | |
| 
 | |
| 		for (i = 0; i < bs; i += sizeof(u32))
 | |
| 			dircheck = ror32(dircheck, 13) ^ le32_to_cpup(bp++);
 | |
| 
 | |
| 		end -= bs;
 | |
| 	}
 | |
| 
 | |
| 	/* Accumulate the contents of the tail except for the check byte */
 | |
| 	dircheck = ror32(dircheck, 13) ^ le32_to_cpu(t->bigdirendname);
 | |
| 	dircheck = ror32(dircheck, 13) ^ t->bigdirendmasseq;
 | |
| 	dircheck = ror32(dircheck, 13) ^ t->reserved[0];
 | |
| 	dircheck = ror32(dircheck, 13) ^ t->reserved[1];
 | |
| 
 | |
| 	return dircheck ^ dircheck >> 8 ^ dircheck >> 16 ^ dircheck >> 24;
 | |
| }
 | |
| 
 | |
| static int adfs_fplus_read(struct super_block *sb, u32 indaddr,
 | |
| 			   unsigned int size, struct adfs_dir *dir)
 | |
| {
 | |
| 	struct adfs_bigdirheader *h;
 | |
| 	struct adfs_bigdirtail *t;
 | |
| 	unsigned int dirsize;
 | |
| 	int ret;
 | |
| 
 | |
| 	/* Read first buffer */
 | |
| 	ret = adfs_dir_read_buffers(sb, indaddr, sb->s_blocksize, dir);
 | |
| 	if (ret)
 | |
| 		return ret;
 | |
| 
 | |
| 	dir->bighead = h = (void *)dir->bhs[0]->b_data;
 | |
| 	ret = adfs_fplus_validate_header(h);
 | |
| 	if (ret) {
 | |
| 		adfs_error(sb, "dir %06x has malformed header", indaddr);
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	dirsize = le32_to_cpu(h->bigdirsize);
 | |
| 	if (size && dirsize != size) {
 | |
| 		adfs_msg(sb, KERN_WARNING,
 | |
| 			 "dir %06x header size %X does not match directory size %X",
 | |
| 			 indaddr, dirsize, size);
 | |
| 	}
 | |
| 
 | |
| 	/* Read remaining buffers */
 | |
| 	ret = adfs_dir_read_buffers(sb, indaddr, dirsize, dir);
 | |
| 	if (ret)
 | |
| 		return ret;
 | |
| 
 | |
| 	dir->bigtail = t = (struct adfs_bigdirtail *)
 | |
| 		(dir->bhs[dir->nr_buffers - 1]->b_data + (sb->s_blocksize - 8));
 | |
| 
 | |
| 	ret = adfs_fplus_validate_tail(h, t);
 | |
| 	if (ret) {
 | |
| 		adfs_error(sb, "dir %06x has malformed tail", indaddr);
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	if (adfs_fplus_checkbyte(dir) != t->bigdircheckbyte) {
 | |
| 		adfs_error(sb, "dir %06x checkbyte mismatch\n", indaddr);
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	dir->parent_id = le32_to_cpu(h->bigdirparent);
 | |
| 	return 0;
 | |
| 
 | |
| out:
 | |
| 	adfs_dir_relse(dir);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| 
 | |
| static int
 | |
| adfs_fplus_setpos(struct adfs_dir *dir, unsigned int fpos)
 | |
| {
 | |
| 	int ret = -ENOENT;
 | |
| 
 | |
| 	if (fpos <= le32_to_cpu(dir->bighead->bigdirentries)) {
 | |
| 		dir->pos = fpos;
 | |
| 		ret = 0;
 | |
| 	}
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| 
 | |
| static int
 | |
| adfs_fplus_getnext(struct adfs_dir *dir, struct object_info *obj)
 | |
| {
 | |
| 	struct adfs_bigdirheader *h = dir->bighead;
 | |
| 	struct adfs_bigdirentry bde;
 | |
| 	unsigned int offset;
 | |
| 	int ret;
 | |
| 
 | |
| 	if (dir->pos >= le32_to_cpu(h->bigdirentries))
 | |
| 		return -ENOENT;
 | |
| 
 | |
| 	offset = adfs_fplus_offset(h, dir->pos);
 | |
| 
 | |
| 	ret = adfs_dir_copyfrom(&bde, dir, offset,
 | |
| 				sizeof(struct adfs_bigdirentry));
 | |
| 	if (ret)
 | |
| 		return ret;
 | |
| 
 | |
| 	obj->loadaddr = le32_to_cpu(bde.bigdirload);
 | |
| 	obj->execaddr = le32_to_cpu(bde.bigdirexec);
 | |
| 	obj->size     = le32_to_cpu(bde.bigdirlen);
 | |
| 	obj->indaddr  = le32_to_cpu(bde.bigdirindaddr);
 | |
| 	obj->attr     = le32_to_cpu(bde.bigdirattr);
 | |
| 	obj->name_len = le32_to_cpu(bde.bigdirobnamelen);
 | |
| 
 | |
| 	offset = adfs_fplus_offset(h, le32_to_cpu(h->bigdirentries));
 | |
| 	offset += le32_to_cpu(bde.bigdirobnameptr);
 | |
| 
 | |
| 	ret = adfs_dir_copyfrom(obj->name, dir, offset, obj->name_len);
 | |
| 	if (ret)
 | |
| 		return ret;
 | |
| 
 | |
| 	adfs_object_fixup(dir, obj);
 | |
| 
 | |
| 	dir->pos += 1;
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static int adfs_fplus_iterate(struct adfs_dir *dir, struct dir_context *ctx)
 | |
| {
 | |
| 	struct object_info obj;
 | |
| 
 | |
| 	if ((ctx->pos - 2) >> 32)
 | |
| 		return 0;
 | |
| 
 | |
| 	if (adfs_fplus_setpos(dir, ctx->pos - 2))
 | |
| 		return 0;
 | |
| 
 | |
| 	while (!adfs_fplus_getnext(dir, &obj)) {
 | |
| 		if (!dir_emit(ctx, obj.name, obj.name_len,
 | |
| 			      obj.indaddr, DT_UNKNOWN))
 | |
| 			break;
 | |
| 		ctx->pos++;
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static int adfs_fplus_update(struct adfs_dir *dir, struct object_info *obj)
 | |
| {
 | |
| 	struct adfs_bigdirheader *h = dir->bighead;
 | |
| 	struct adfs_bigdirentry bde;
 | |
| 	int offset, end, ret;
 | |
| 
 | |
| 	offset = adfs_fplus_offset(h, 0) - sizeof(bde);
 | |
| 	end = adfs_fplus_offset(h, le32_to_cpu(h->bigdirentries));
 | |
| 
 | |
| 	do {
 | |
| 		offset += sizeof(bde);
 | |
| 		if (offset >= end) {
 | |
| 			adfs_error(dir->sb, "unable to locate entry to update");
 | |
| 			return -ENOENT;
 | |
| 		}
 | |
| 		ret = adfs_dir_copyfrom(&bde, dir, offset, sizeof(bde));
 | |
| 		if (ret) {
 | |
| 			adfs_error(dir->sb, "error reading directory entry");
 | |
| 			return -ENOENT;
 | |
| 		}
 | |
| 	} while (le32_to_cpu(bde.bigdirindaddr) != obj->indaddr);
 | |
| 
 | |
| 	bde.bigdirload    = cpu_to_le32(obj->loadaddr);
 | |
| 	bde.bigdirexec    = cpu_to_le32(obj->execaddr);
 | |
| 	bde.bigdirlen     = cpu_to_le32(obj->size);
 | |
| 	bde.bigdirindaddr = cpu_to_le32(obj->indaddr);
 | |
| 	bde.bigdirattr    = cpu_to_le32(obj->attr);
 | |
| 
 | |
| 	return adfs_dir_copyto(dir, offset, &bde, sizeof(bde));
 | |
| }
 | |
| 
 | |
| static int adfs_fplus_commit(struct adfs_dir *dir)
 | |
| {
 | |
| 	int ret;
 | |
| 
 | |
| 	/* Increment directory sequence number */
 | |
| 	dir->bighead->startmasseq += 1;
 | |
| 	dir->bigtail->bigdirendmasseq += 1;
 | |
| 
 | |
| 	/* Update directory check byte */
 | |
| 	dir->bigtail->bigdircheckbyte = adfs_fplus_checkbyte(dir);
 | |
| 
 | |
| 	/* Make sure the directory still validates correctly */
 | |
| 	ret = adfs_fplus_validate_header(dir->bighead);
 | |
| 	if (ret == 0)
 | |
| 		ret = adfs_fplus_validate_tail(dir->bighead, dir->bigtail);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| 
 | |
| const struct adfs_dir_ops adfs_fplus_dir_ops = {
 | |
| 	.read		= adfs_fplus_read,
 | |
| 	.iterate	= adfs_fplus_iterate,
 | |
| 	.setpos		= adfs_fplus_setpos,
 | |
| 	.getnext	= adfs_fplus_getnext,
 | |
| 	.update		= adfs_fplus_update,
 | |
| 	.commit		= adfs_fplus_commit,
 | |
| };
 |