From c1f6f901b402278f3fcd08000e0579e346167ef6 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <darrick.wong@oracle.com>
Date: Mon, 28 Sep 2020 17:35:37 -0400
Subject: [PATCH 14/16] xfs_repair: fix error in process_sf_dir2_fixi8

The goal of process_sf_dir2_fixi8 is to convert an i8 shortform
directory into a (shorter) i4 shortform directory. It achieves this by
duplicating the old sf directory contents (as oldsfp), zeroing i8count
in the caller's directory buffer (i.e. newsfp/sfp), and reinitializing
the new directory with the old directory's entries.

Unfortunately, it copies the parent pointer from sfp (the buffer we've
already started changing), not oldsfp. This leads to directory
corruption since at that point we zeroed i8count, which means that we
save only the upper four bytes from the parent pointer entry.

This was found by fuzzing u3.sfdir3.hdr.i8count = ones in xfs/384.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
---
repair/dir2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/repair/dir2.c b/repair/dir2.c
index cbbce60..d0daff7 100644
--- a/repair/dir2.c
+++ b/repair/dir2.c
@@ -84,7 +84,7 @@ process_sf_dir2_fixi8(
memmove(oldsfp, newsfp, oldsize);
newsfp->count = oldsfp->count;
newsfp->i8count = 0;
- ino = libxfs_dir2_sf_get_parent_ino(sfp);
+ ino = libxfs_dir2_sf_get_parent_ino(oldsfp);
libxfs_dir2_sf_put_parent_ino(newsfp, ino);
oldsfep = xfs_dir2_sf_firstentry(oldsfp);
newsfep = xfs_dir2_sf_firstentry(newsfp);
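Review bot: The corrected `libxfs_dir2_sf_get_parent_ino(oldsfp)` line has no comment saying why the read must come from the saved copy, and the ordering hazard is easy to miss: `newsfp->i8count = 0` two lines earlier has already changed the header of the caller's buffer, which per the commit message is the same buffer as `sfp`. A one-line comment above the call (for example, that every read after the memmove must use `oldsfp` because the header in the caller's buffer no longer describes the old layout) would help stop a later cleanup from reintroducing the bug. It may also be worth avoiding the `sfp` name after the memmove in this function, so that only the old/new pair is in use and the aliasing with `newsfp` cannot be picked by mistake again.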
--
1.8.3.1