From: Qu Wenruo <wqu@suse.com>
To: u-boot@lists.denx.de
Cc: marek.behun@nic.cz, linux-btrfs@vger.kernel.org,
	jnhuang95@gmail.com, linux-erofs@lists.ozlabs.org,
	trini@konsulko.com, joaomarcos.costa@bootlin.com,
	thomas.petazzoni@bootlin.com, miquel.raynal@bootlin.com
Subject: [PATCH v2 3/8] fs: btrfs: fix a crash if specified range is beyond file size
Date: Tue, 26 Jul 2022 13:22:11 +0800	[thread overview]
Message-ID: <c4ffb7fcc552dda16491d47f07b5c3a418fc4f69.1658812744.git.wqu@suse.com> (raw)
In-Reply-To: <cover.1658812744.git.wqu@suse.com>

[BUG]
When trying to read a range beyond the file size, the btrfs driver will
crash/segfault:

 => load host 0 $kernel_addr_r 5k_file 0 0x2000
 SEGFAULT

[CAUSE]
In btrfs_read(), if @len is 0, we will truncate it to the file end, but if
the file end is beyond our file size, this truncation will underflow @len,
making it -3K in this case.

And later that @len is used to memzero the output buffer, resulting in
the above crash.

[FIX]
Just error out if @offset is already beyond our file size.

Now it will fail properly with a correct error message:

 => load host 0 $kernel_addr_r 5m_origin 0 0x2000
 BTRFS: Read range beyond file size, offset 8192 file size 5120

 Failed to load '5m_origin'

Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 fs/btrfs/btrfs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/btrfs/btrfs.c b/fs/btrfs/btrfs.c
index 9145727058d4..bf9e1f2f17cf 100644
--- a/fs/btrfs/btrfs.c
+++ b/fs/btrfs/btrfs.c
@@ -252,6 +252,12 @@ int btrfs_read(const char *file, void *buf, loff_t offset, loff_t len,
 		return ret;
 	}
 
+	if (offset >= real_size) {
+		error("Read range beyond file size, offset %llu file size %llu",
+			offset, real_size);
+		return -EINVAL;
+	}
+
 	/*
 	 * If the length is 0 (meaning read the whole file) or the range is
 	 * beyond file size, truncate it to the end of the file.
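Review bot: the new error() formats offset and real_size with %llu, but the function signature in the hunk header declares offset as loff_t (a signed long long), so %lld (or an explicit cast to unsigned long long) would match the type; the same applies to real_size if it is also loff_t. Because offset is signed, a negative offset also passes `offset >= real_size` and then makes `real_size - offset` larger than the file, so a `offset < 0` rejection alongside this check would close that path too. Finally, offset == real_size (a read starting exactly at EOF) now returns -EINVAL rather than zero bytes, which callers that probe up to EOF may not expect; if that is intended, a short note in the comment below ("offsets at or past EOF are rejected above") would keep the truncation comment accurate.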
-- 
2.37.0
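An added example, not U-Boot's code: it models the length truncation described in [CAUSE] with the commit message's numbers (offset 8192, file size 5120, len 0) and shows the pre-patch arithmetic going negative beside the guarded form that mirrors the patch. The file_off_t stand-in for loff_t and the function names are assumptions.

```c
/* Added example modelling btrfs_read()'s length truncation; hypothetical
 * names, not U-Boot code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

typedef long long file_off_t; /* stand-in for U-Boot's signed loff_t */

/* Pre-patch behaviour: len == 0 means "read to end of file", and the
 * range is clamped to real_size. When offset already lies past EOF the
 * subtraction goes negative (8192 past a 5120-byte file gives -3072). */
static file_off_t truncate_len_unchecked(file_off_t offset, file_off_t len,
                                         file_off_t real_size)
{
	if (len == 0 || offset + len > real_size)
		len = real_size - offset;
	return len;
}

/* Post-patch behaviour: reject offsets at or past EOF before any
 * arithmetic, as the patch's `offset >= real_size` check does.
 * Returns the clamped length, or a negative errno value on error. */
static file_off_t truncate_len_checked(file_off_t offset, file_off_t len,
                                       file_off_t real_size)
{
	if (offset >= real_size) {
		fprintf(stderr,
			"Read range beyond file size, offset %lld file size %lld\n",
			offset, real_size);
		return -EINVAL;
	}
	if (len == 0 || offset + len > real_size)
		len = real_size - offset;
	return len;
}

/* The crash mechanism: a negative signed length handed to memset() is
 * converted to size_t and becomes an enormous byte count. */
static size_t memzero_size(file_off_t len)
{
	return (size_t)len;
}

int main(void)
{
	file_off_t bad = truncate_len_unchecked(8192, 0, 5120);
	printf("unchecked len = %lld -> memset size %zu\n", bad, memzero_size(bad));
	printf("checked rc    = %lld\n", truncate_len_checked(8192, 0, 5120));
	printf("checked len   = %lld\n", truncate_len_checked(4096, 8192, 5120));
	return 0;
}
```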


Thread overview: 24+ messages
2022-07-26  5:22 [PATCH v2 0/8] U-boot: fs: add generic unaligned read offset handling Qu Wenruo
2022-07-26  5:22 ` Qu Wenruo via Linux-erofs
2022-07-26  5:22 ` [PATCH v2 1/8] fs: fat: unexport file_fat_read_at() Qu Wenruo
2022-07-26  5:22   ` Qu Wenruo via Linux-erofs
2022-08-05 21:14   ` Tom Rini
2022-08-05 21:14     ` Tom Rini
2022-08-05 22:44     ` Qu Wenruo
2022-08-05 22:44       ` Qu Wenruo
2022-08-06  2:44       ` Tom Rini
2022-08-06  2:44         ` Tom Rini
2022-07-26  5:22 ` [PATCH v2 2/8] fs: btrfs: fix a bug which no data get read if the length is not 0 Qu Wenruo
2022-07-26  5:22   ` Qu Wenruo via Linux-erofs
2022-07-26  5:22 ` Qu Wenruo [this message]
2022-07-26  5:22   ` [PATCH v2 3/8] fs: btrfs: fix a crash if specified range is beyond file size Qu Wenruo via Linux-erofs
2022-07-26  5:22 ` [PATCH v2 4/8] fs: btrfs: move the unaligned read code to _fs_read() for btrfs Qu Wenruo
2022-07-26  5:22   ` Qu Wenruo via Linux-erofs
2022-07-26  5:22 ` [PATCH v2 5/8] fs: ext4: rely on _fs_read() to handle leading unaligned block read Qu Wenruo
2022-07-26  5:22   ` Qu Wenruo via Linux-erofs
2022-07-26  5:22 ` [PATCH v2 6/8] fs: fat: rely on higher layer to get block aligned read range Qu Wenruo
2022-07-26  5:22   ` Qu Wenruo via Linux-erofs
2022-07-26  5:22 ` [PATCH v2 7/8] fs: ubifs: rely on higher layer to do unaligned read Qu Wenruo
2022-07-26  5:22   ` Qu Wenruo via Linux-erofs
2022-07-26  5:22 ` [PATCH v2 8/8] fs: erofs: add unaligned read range handling Qu Wenruo
2022-07-26  5:22   ` Qu Wenruo via Linux-erofs
