quota: Add more checking after reading from quota file

It would be better to do more sanity checking (eg. dqdh_entries,
block no.) for the content read from quota file, which can prevent
corrupting the quota file.

Link: https://lore.kernel.org/r/20220923134555.2623931-4-chengzhihao1@huawei.com
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>

diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
index 0fa73ca280455a02295f29d56dd63c66653b9b4e..0f1493e0f6d059b37032af363f5898415be6d79f 100644 (file)
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -96,6 +96,11 @@ static int check_dquot_block_header(struct qtree_mem_dqinfo *info,
        err = do_check_range(info->dqi_sb, "dqdh_prev_free",
                             le32_to_cpu(dh->dqdh_prev_free), 0,
                             info->dqi_blocks - 1);
+       if (err)
+               return err;
+       err = do_check_range(info->dqi_sb, "dqdh_entries",
+                            le16_to_cpu(dh->dqdh_entries), 0,
+                            qtree_dqstr_in_blk(info));
 
        return err;
 }
@@ -348,6 +353,10 @@ static int do_insert_tree(struct qtree_mem_dqinfo *info, struct dquot *dquot,
        }
        ref = (__le32 *)buf;
        newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
+       ret = do_check_range(dquot->dq_sb, "block", newblk, 0,
+                            info->dqi_blocks - 1);
+       if (ret)
+               goto out_buf;
        if (!newblk)
                newson = 1;
        if (depth == info->dqi_qtree_depth - 1) {
@@ -739,15 +748,21 @@ static int find_next_id(struct qtree_mem_dqinfo *info, qid_t *id,
                goto out_buf;
        }
        for (i = __get_index(info, *id, depth); i < epb; i++) {
-               if (ref[i] == cpu_to_le32(0)) {
+               uint blk_no = le32_to_cpu(ref[i]);
+
+               if (blk_no == 0) {
                        *id += level_inc;
                        continue;
                }
+               ret = do_check_range(info->dqi_sb, "block", blk_no, 0,
+                                    info->dqi_blocks - 1);
+               if (ret)
+                       goto out_buf;
                if (depth == info->dqi_qtree_depth - 1) {
                        ret = 0;
                        goto out_buf;
                }
-               ret = find_next_id(info, id, le32_to_cpu(ref[i]), depth + 1);
+               ret = find_next_id(info, id, blk_no, depth + 1);
                if (ret != -ENOENT)
                        break;
        }