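/*
 * netsniff-ng - the packet sniffing beast
 * Copyright 2011 - 2013 Daniel Borkmann.
 * Subject to the GPL, version 2.
 */

#define _GNU_SOURCE
/*
 * NOTE(review): the system header names were lost when this listing was
 * extracted (only bare "#include" tokens survived). The seven headers below
 * are a reconstruction; confirm them against the upstream file.
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/mman.h>

#include "pcap_io.h"
#include "built_in.h"
#include "ioops.h"
#include "iosched.h"

/* Size in bytes of the current file mapping. */
static size_t map_size = 0;
/* Start of the mapping and the current read/write cursor inside it. */
static char *ptr_va_start, *ptr_va_curr;

/*
 * Grow the write mapping: the new size is the old size times 10/8, page
 * aligned. The file is extended first (seek to the new size, write one
 * byte) so that the enlarged mapping is backed by the file, then the
 * mapping is resized with mremap(), which may move it. The cursor is
 * re-derived from its old offset because the base address can change.
 * Every failure ends in panic().
 */
static void __pcap_mmap_write_need_remap(int fd)
{
	int ret;
	off_t pos, map_size_old = map_size;
	off_t offset = ptr_va_curr - ptr_va_start;

	map_size = PAGE_ALIGN(map_size_old * 10 / 8);

	pos = lseek(fd, map_size, SEEK_SET);
	if (pos < 0)
		panic("Cannot lseek pcap file!\n");

	ret = write_or_die(fd, "", 1);
	if (ret != 1)
		panic("Cannot write file!\n");

	ptr_va_start = mremap(ptr_va_start, map_size_old, map_size,
			      MREMAP_MAYMOVE);
	if (ptr_va_start == MAP_FAILED)
		panic("mmap of file failed!");

	ret = madvise(ptr_va_start, map_size, MADV_SEQUENTIAL);
	if (ret < 0)
		panic("Failed to give kernel mmap advise!\n");

	ptr_va_curr = ptr_va_start + offset;
}

/*
 * Append one record (packet header followed by packet data) at the cursor.
 *
 * @fd:     descriptor of the mapped dump file, used only when growing it
 * @phdr:   packet header; hdrsize bytes of phdr->raw are copied out
 * @type:   pcap flavour, selects the header length
 * @packet: packet payload
 * @len:    payload length in bytes
 *
 * Returns the number of bytes written (header plus payload).
 */
static ssize_t pcap_mm_write(int fd, pcap_pkthdr_t *phdr, enum pcap_type type,
			     const uint8_t *packet, size_t len)
{
	size_t hdrsize = pcap_get_hdr_length(phdr, type);

	/*
	 * One remap only adds 25% to the mapping. Loop until the record
	 * really fits, so that a record larger than a single growth step
	 * can never be copied past the end of the mapping.
	 */
	while ((off_t) (ptr_va_curr - ptr_va_start) + hdrsize + len > map_size)
		__pcap_mmap_write_need_remap(fd);

	fmemcpy(ptr_va_curr, &phdr->raw, hdrsize);
	ptr_va_curr += hdrsize;
	fmemcpy(ptr_va_curr, packet, len);
	ptr_va_curr += len;

	return hdrsize + len;
}

/*
 * Read the next record at the cursor into @phdr and @packet.
 *
 * The capture length comes from the file and is therefore untrusted. All
 * bounds checks are done on byte counts relative to the mapping ("how much
 * is left") rather than by adding the length to the cursor pointer, so a
 * huge length cannot wrap the pointer and slip past the check.
 *
 * @fd:     unused here, the data comes from the mapping
 * @phdr:   receives hdrsize bytes of packet header in phdr->raw
 * @type:   pcap flavour, selects header length and length field
 * @packet: destination buffer for the payload
 * @len:    capacity of @packet in bytes
 *
 * Returns header plus payload size on success, -EIO if the header or the
 * payload would extend beyond the mapping, -EINVAL if the recorded length
 * is zero or larger than @len. On the payload error paths the cursor has
 * already been advanced past the header, as before.
 */
static ssize_t pcap_mm_read(int fd, pcap_pkthdr_t *phdr, enum pcap_type type,
			    uint8_t *packet, size_t len)
{
	size_t hdrsize = pcap_get_hdr_length(phdr, type), hdrlen;
	size_t used = (size_t) (ptr_va_curr - ptr_va_start);

	/* used > map_size happens when the file is shorter than its header. */
	if (unlikely(used > map_size || hdrsize > map_size - used))
		return -EIO;

	fmemcpy(&phdr->raw, ptr_va_curr, hdrsize);
	ptr_va_curr += hdrsize;
	used += hdrsize;
	hdrlen = pcap_get_length(phdr, type);

	if (unlikely(hdrlen > map_size - used))
		return -EIO;
	if (unlikely(hdrlen == 0 || hdrlen > len))
		return -EINVAL;

	fmemcpy(packet, ptr_va_curr, hdrlen);
	ptr_va_curr += hdrlen;

	return hdrsize + hdrlen;
}

/*
 * Initial size of the write mapping: the file header plus
 * PAGE_SIZE * 1024 * allocsz bytes, page aligned, where allocsz is 16 in
 * jumbo mode and 3 otherwise.
 */
static inline off_t ____get_map_size(bool jumbo)
{
	int allocsz = jumbo ? 16 : 3;

	return PAGE_ALIGN(sizeof(struct pcap_filehdr) + (PAGE_SIZE * allocsz) * 1024);
}

/*
 * Set up the mapping for writing. The target must be a regular file; it is
 * extended to the initial map size (seek plus one-byte write), mapped
 * shared and writable, and the cursor is placed right behind the pcap file
 * header. Every failure ends in panic().
 */
static void __pcap_mm_prepare_access_wr(int fd, bool jumbo)
{
	int ret;
	off_t pos;
	struct stat sb;

	map_size = ____get_map_size(jumbo);

	ret = fstat(fd, &sb);
	if (ret < 0)
		panic("Cannot fstat pcap file!\n");
	if (!S_ISREG (sb.st_mode))
		panic("pcap dump file is not a regular file!\n");

	pos = lseek(fd, map_size, SEEK_SET);
	if (pos < 0)
		panic("Cannot lseek pcap file!\n");

	ret = write_or_die(fd, "", 1);
	if (ret != 1)
		panic("Cannot write file!\n");

	ptr_va_start = mmap(0, map_size, PROT_WRITE, MAP_SHARED, fd, 0);
	if (ptr_va_start == MAP_FAILED)
		panic("mmap of file failed!");

	ret = madvise(ptr_va_start, map_size, MADV_SEQUENTIAL);
	if (ret < 0)
		panic("Failed to give kernel mmap advise!\n");

	ptr_va_curr = ptr_va_start + sizeof(struct pcap_filehdr);
}

/*
 * Set up the mapping for reading. The whole file (st_size bytes) is mapped
 * read-only, shared and locked, and the cursor is placed right behind the
 * pcap file header. A file shorter than that header leaves the cursor
 * beyond the mapping; pcap_mm_read() rejects that state with -EIO. Every
 * failure here ends in panic().
 */
static void __pcap_mm_prepare_access_rd(int fd)
{
	int ret;
	struct stat sb;

	ret = fstat(fd, &sb);
	if (ret < 0)
		panic("Cannot fstat pcap file!\n");
	if (!S_ISREG (sb.st_mode))
		panic("pcap dump file is not a regular file!\n");

	map_size = sb.st_size;

	ptr_va_start = mmap(0, map_size, PROT_READ, MAP_SHARED | MAP_LOCKED,
			    fd, 0);
	if (ptr_va_start == MAP_FAILED)
		panic("mmap of file failed!");

	ret = madvise(ptr_va_start, map_size, MADV_SEQUENTIAL);
	if (ret < 0)
		panic("Failed to give kernel mmap advise!\n");

	ptr_va_curr = ptr_va_start + sizeof(struct pcap_filehdr);
}

/* One-time setup hook: only calls set_ioprio_be(). */
static void pcap_mm_init_once(void)
{
	set_ioprio_be();
}

/*
 * Dispatch to the read or write setup according to @mode. Any other mode
 * is a programming error and hits bug(). Always returns 0.
 */
static int pcap_mm_prepare_access(int fd, enum pcap_mode mode, bool jumbo)
{
	switch (mode) {
	case PCAP_MODE_RD:
		__pcap_mm_prepare_access_rd(fd);
		break;
	case PCAP_MODE_WR:
		__pcap_mm_prepare_access_wr(fd, jumbo);
		break;
	default:
		bug();
	}

	return 0;
}

/*
 * Schedule an asynchronous write-back of the bytes between the start of
 * the mapping and the cursor. Best effort: the msync() result is not
 * checked and @fd is not used.
 */
static void pcap_mm_fsync(int fd)
{
	msync(ptr_va_start, (off_t) (ptr_va_curr - ptr_va_start), MS_ASYNC);
}

/*
 * Tear down the mapping. In write mode the file is then truncated to the
 * cursor offset, which cuts off the unused tail that was pre-allocated for
 * the mapping. Failures end in panic().
 */
static void pcap_mm_prepare_close(int fd, enum pcap_mode mode)
{
	int ret;

	ret = munmap(ptr_va_start, map_size);
	if (ret < 0)
		panic("Cannot unmap the pcap file!\n");

	if (mode == PCAP_MODE_WR) {
		ret = ftruncate(fd, (off_t) (ptr_va_curr - ptr_va_start));
		if (ret)
			panic("Cannot truncate the pcap file!\n");
	}
}

/* mmap(2)-backed implementation of the pcap file operations. */
const struct pcap_file_ops pcap_mm_ops = {
	.init_once_pcap = pcap_mm_init_once,
	.pull_fhdr_pcap = pcap_generic_pull_fhdr,
	.push_fhdr_pcap = pcap_generic_push_fhdr,
	.prepare_access_pcap = pcap_mm_prepare_access,
	.prepare_close_pcap = pcap_mm_prepare_close,
	.read_pcap = pcap_mm_read,
	.write_pcap = pcap_mm_write,
	.fsync_pcap = pcap_mm_fsync,
};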
ext4: verify extent header depth
Although the extent tree depth of 5 should be enough for the worst case of 2*32 extents of length 1, the extent tree code does not currently merge nodes which are less than half-full with a sibling node, or shrink the tree depth if possible. So it's possible, at least in theory, for the tree depth to be greater than 5. However, even in the worst case, a tree depth of 32 is highly unlikely, and if the file system is maliciously corrupted, an insanely large eh_depth can cause memory allocation failures that will trigger kernel warnings (here, eh_depth = 65280): JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580 CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508 Stack: 604a8947 625badd8 0002fd09 00000000 60078643 00000000 62623910 601bf9bc 62623970 6002fc84 626239b0 900000125 Call Trace: [<6001c2dc>] show_stack+0xdc/0x1a0 [<601bf9bc>] dump_stack+0x2a/0x2e [<6002fc84>] __warn+0x114/0x140 [<6002fdff>] warn_slowpath_null+0x1f/0x30 [<60165829>] start_this_handle+0x569/0x580 [<60165d4e>] jbd2__journal_start+0x11e/0x220 [<60146690>] __ext4_journal_start_sb+0x60/0xa0 [<60120a81>] ext4_truncate+0x131/0x3a0 [<60123677>] ext4_setattr+0x757/0x840 [<600d5d0f>] notify_change+0x16f/0x2a0 [<600b2b16>] do_truncate+0x76/0xc0 [<600c3e56>] path_openat+0x806/0x1300 [<600c55c9>] do_filp_open+0x89/0xf0 [<600b4074>] do_sys_open+0x134/0x1e0 [<600b4140>] SyS_open+0x20/0x30 [<6001ea68>] handle_syscall+0x88/0x90 [<600295fd>] userspace+0x3fd/0x500 [<6001ac55>] fork_handler+0x85/0x90 ---[ end trace 08b0b88b6387a244 ]--- [ Commit message modified and the extent tree depth check changed from 5 to 32 -- tytso ] Cc: Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>