Commit c12900a4 authored by Thadeu Lima de Souza Cascardo, committed by Baokun Li

ext4: ext4_search_dir should return a proper error

mainline inclusion
from mainline-v6.12-rc1
commit cd69f8f9de280e331c9e6ff689ced0a688a9ce8f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPK6
CVE: CVE-2024-47701

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cd69f8f9de280e331c9e6ff689ced0a688a9ce8f



--------------------------------

ext4_search_dir currently returns -1 in case of a failure, while it returns
0 when the name is not found. In such failure cases, it should return an
error code instead.

This becomes even more important when ext4_find_inline_entry returns an
error code as well in the next commit.

-EFSCORRUPTED seems appropriate as such error code as these failures would
be caused by unexpected record lengths and is in line with other instances
of ext4_check_dir_entry failures.

In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was
left as is to reduce the risk of regressions.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Link: https://patch.msgid.link/20240821152324.3621860-2-cascardo@igalia.com


Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
parent 93af945a
+7 −5
@@ -1526,7 +1526,7 @@ static bool ext4_match(struct inode *parent,
}

/*
 * Returns 0 if not found, -1 on failure, and 1 on success
 * Returns 0 if not found, -EFSCORRUPTED on failure, and 1 on success
 */
int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
		    struct inode *dir, struct ext4_filename *fname,
@@ -1547,7 +1547,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
			 * a full check */
			if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf,
						 buf_size, offset))
				return -1;
				return -EFSCORRUPTED;
			*res_dir = de;
			return 1;
		}
@@ -1555,7 +1555,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
		de_len = ext4_rec_len_from_disk(de->rec_len,
						dir->i_sb->s_blocksize);
		if (de_len <= 0)
			return -1;
			return -EFSCORRUPTED;
		offset += de_len;
		de = (struct ext4_dir_entry_2 *) ((char *) de + de_len);
	}
@@ -1707,9 +1707,11 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir,
			goto cleanup_and_exit;
		} else {
			brelse(bh);
			if (i < 0)
			if (i < 0) {
				ret = ERR_PTR(i);
				goto cleanup_and_exit;
			}
		}
	next:
		if (++block >= nblocks)
			block = 0;
@@ -1803,7 +1805,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir,
		if (retval == 1)
			goto success;
		brelse(bh);
		if (retval == -1) {
		if (retval < 0) {
			bh = ERR_PTR(ERR_BAD_DX_DIR);
			goto errout;
		}
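Review bot: In the ext4_dx_find_entry hunk, `if (retval < 0)` turns every negative return from the search into `ERR_PTR(ERR_BAD_DX_DIR)`, so the new -EFSCORRUPTED code is dropped on this path, while the __ext4_find_entry hunk propagates it with `ret = ERR_PTR(i)`. The commit message says this asymmetry is deliberate, but nothing in the code records it. A comment above the test, such as `/* any search failure is reported as a bad dx dir; the errno is intentionally not propagated */`, would stop a later change from treating it as an oversight. Presumably the caller reacts to ERR_BAD_DX_DIR by retrying another lookup path, which would mean a block with corrupt record lengths is examined a second time; that is worth confirming, since both function bodies continue outside the hunks shown.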