From: Young Xiao <92siuyang@gmail.com>
To: clm@fb.com, josef@toxicpanda.com, dsterba@suse.com,
linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Young Xiao <92siuyang@gmail.com>
Subject: [PATCH] btrfs: fix out of bounds array access while reading extent buffer
Date: Fri, 14 Jun 2019 19:51:49 +0800 [thread overview]
Message-ID: <1560513109-2568-1-git-send-email-92siuyang@gmail.com> (raw)
There is a corner case that slips through the checkers in functions
reading extent buffer, ie.
if (start < eb->len) and (start + len > eb->len), then:
the checkers in read_extent_buffer_to_user(), and memcmp_extent_buffer()
WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len),
both are OK in this corner case, but it'd actually try to access the eb->pages
out of bounds because of (start + len > eb->len).
This is adding proper checks in order to avoid invalid memory access,
ie. 'general protection fault', before it's too late.
See commit f716abd55d1e ("Btrfs: fix out of bounds array access while
reading extent buffer") for details.
Signed-off-by: Young Xiao <92siuyang@gmail.com>
---
fs/btrfs/extent_io.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index db337e5..dcf3b2e 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -5476,8 +5476,12 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
int ret = 0;
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(dst, 0, len);
+ return;
+ }
offset = offset_in_page(start_offset + start);
@@ -5554,8 +5558,12 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
int ret = 0;
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(ptr, 0, len);
+ return;
+ }
offset = offset_in_page(start_offset + start);
--
2.7.4
next reply other threads:[~2019-06-14 11:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-14 11:51 Young Xiao [this message]
2019-06-14 13:52 ` [PATCH] btrfs: fix out of bounds array access while reading extent buffer Qu Wenruo
-- strict thread matches above, loose matches on Subject: below --
2017-08-07 19:39 [PATCH] Btrfs: " Liu Bo
2017-08-08 8:47 ` Filipe Manana
2017-08-08 17:05 ` Liu Bo
2017-08-09 15:03 ` Filipe Manana
2017-08-11 21:26 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1560513109-2568-1-git-send-email-92siuyang@gmail.com \
--to=92siuyang@gmail.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).