Commit 0693b768 authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] fs/ext[23]/xattr.c pointer arithmetic fix

From: Andreas Gruenbacher <agruen@suse.de>

64-bit pointer arithmetic bug in xattr code

The int offset is not enought to hold the difference between arbitraty
pointers on 64-bit machines.  Compute the offset of here and last inside
HDR(bh) instead.
parent d174dc06
...@@ -617,9 +617,11 @@ bad_block: ext2_error(sb, "ext2_xattr_set", ...@@ -617,9 +617,11 @@ bad_block: ext2_error(sb, "ext2_xattr_set",
goto cleanup; goto cleanup;
memcpy(header, HDR(bh), bh->b_size); memcpy(header, HDR(bh), bh->b_size);
header->h_refcount = cpu_to_le32(1); header->h_refcount = cpu_to_le32(1);
offset = (char *)header - bh->b_data;
here = ENTRY((char *)here + offset); offset = (char *)here - bh->b_data;
last = ENTRY((char *)last + offset); here = ENTRY((char *)header + offset);
offset = (char *)last - bh->b_data;
last = ENTRY((char *)header + offset);
} }
} else { } else {
/* Allocate a buffer where we construct the new block. */ /* Allocate a buffer where we construct the new block. */
......
...@@ -629,9 +629,10 @@ bad_block: ext3_error(sb, "ext3_xattr_set", ...@@ -629,9 +629,10 @@ bad_block: ext3_error(sb, "ext3_xattr_set",
goto cleanup; goto cleanup;
memcpy(header, HDR(bh), bh->b_size); memcpy(header, HDR(bh), bh->b_size);
header->h_refcount = cpu_to_le32(1); header->h_refcount = cpu_to_le32(1);
offset = (char *)header - bh->b_data; offset = (char *)here - bh->b_data;
here = ENTRY((char *)here + offset); here = ENTRY((char *)header + offset);
last = ENTRY((char *)last + offset); offset = (char *)last - bh->b_data;
last = ENTRY((char *)header + offset);
} }
} else { } else {
/* Allocate a buffer where we construct the new block. */ /* Allocate a buffer where we construct the new block. */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment