[lvc-project] [PATCH v3] ocfs2: add extra consistency check to ocfs2_replay_truncate_records()

Dmitry Antipov dmantipov at yandex.ru
Tue Oct 21 11:03:44 MSK 2025


In 'ocfs2_replay_truncate_records()', check whether the truncate log
length matches the one that comes from the superblock parameters defined
when making a filesystem and the current record index is within the valid
range, thus preventing out-of-bounds accesses while iterating over
the log records below.

Reported-by: syzbot+4d55dad3a9e8e9f7d2b5 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d55dad3a9e8e9f7d2b5
Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
---
v3: bail on tl->tl_used > tl->tl_count since array indexing always uses tl->tl_used - 1
v2: adjust commit message (Heming Zhao)
---
 fs/ocfs2/alloc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 162711cc5b20..657a9becc870 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -5941,6 +5941,16 @@ static int ocfs2_replay_truncate_records(struct ocfs2_super *osb,
 
 	di = (struct ocfs2_dinode *) tl_bh->b_data;
 	tl = &di->id2.i_dealloc;
+	if (le16_to_cpu(tl->tl_count) != ocfs2_truncate_recs_per_inode(osb->sb)) {
+		status = -EINVAL;
+		mlog_errno(status);
+		goto bail;
+	}
+	if (le16_to_cpu(tl->tl_used) > le16_to_cpu(tl->tl_count)) {
+		status = -EINVAL;
+		mlog_errno(status);
+		goto bail;
+	}
 	i = le16_to_cpu(tl->tl_used) - 1;
 	while (i >= 0) {
 		handle = ocfs2_start_trans(osb, OCFS2_TRUNCATE_LOG_FLUSH_ONE_REC);
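Review bot: the two added checks share an identical error path (status = -EINVAL; mlog_errno(status); goto bail), so they could be folded into a single condition, and since both reject on-disk state that the code would otherwise trust, a message that records the observed values (le16_to_cpu(tl->tl_count), ocfs2_truncate_recs_per_inode(osb->sb), le16_to_cpu(tl->tl_used)) would make a corrupted or fuzzed truncate log far easier to triage than a bare errno. The bounds themselves look right: tl_used == tl_count must stay legal because the loop starts at tl_used - 1, and tl_used == 0 gives i = -1 so the while (i >= 0) body never runs, which matches the v3 note about indexing always using tl->tl_used - 1.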
-- 
2.51.0
