From: Qu Wenruo <wqu@suse.com>
To: u-boot@lists.denx.de
Cc: marek.behun@nic.cz, linux-btrfs@vger.kernel.org, jnhuang95@gmail.com, linux-erofs@lists.ozlabs.org, trini@konsulko.com, joaomarcos.costa@bootlin.com, thomas.petazzoni@bootlin.com, miquel.raynal@bootlin.com
Subject: [PATCH v2 3/8] fs: btrfs: fix a crash if specified range is beyond file size
Date: Tue, 26 Jul 2022 13:22:11 +0800
Message-ID: <c4ffb7fcc552dda16491d47f07b5c3a418fc4f69.1658812744.git.wqu@suse.com>
In-Reply-To: <cover.1658812744.git.wqu@suse.com>

[BUG]
When trying to read a range beyond file size, the btrfs driver will cause a crash/segfault:

=> load host 0 $kernel_addr_r 5k_file 0 0x2000
SEGFAULT

[CAUSE]
In btrfs_read(), if @len is 0, we will truncate it to file end, but if file end is beyond our file size, this truncation will underflow @len, making it -3K in this case.

And later that @len is used to memzero the output buffer, resulting in the above crash.

[FIX]
Just error out if @offset is already beyond our file size.

Now it will fail properly with a correct error message:

=> load host 0 $kernel_addr_r 5m_origin 0 0x2000
BTRFS: Read range beyond file size, offset 8192 file size 5120
Failed to load '5m_origin'

Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 fs/btrfs/btrfs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/btrfs/btrfs.c b/fs/btrfs/btrfs.c
index 9145727058d4..bf9e1f2f17cf 100644
--- a/fs/btrfs/btrfs.c
+++ b/fs/btrfs/btrfs.c
@@ -252,6 +252,12 @@ int btrfs_read(const char *file, void *buf, loff_t offset, loff_t len,
 		return ret;
 	}
 
+	if (offset >= real_size) {
+		error("Read range beyond file size, offset %llu file size %llu",
+		      offset, real_size);
+		return -EINVAL;
+	}
+
 	/*
 	 * If the length is 0 (meaning read the whole file) or the range is
 	 * beyond file size, truncate it to the end of the file.
-- 
2.37.0
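Review bot: the new check uses `offset >= real_size`, so a read starting exactly at EOF (offset == real_size) now fails with -EINVAL even though the truncation right below it would have clamped @len to 0 without any underflow, which is the usual zero-byte EOF result rather than an error. If callers of btrfs_read() can legitimately pass offset == real_size (for instance a generic layer probing for EOF), `if (offset > real_size)` is sufficient to stop the underflow described in [CAUSE]; if rejecting EOF reads is intended, the commit message should say so, since it only talks about offsets "beyond" the file size. The comment that follows the inserted block still says a range "beyond file size" is truncated; now that an out-of-range offset is rejected first, it would be clearer to say that only an over-long @len is truncated.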
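The underflow described under [CAUSE] is easy to reproduce outside U-Boot. The following is an added example, not code from the patch or from U-Boot: it models the pre-patch length clamp beside the post-patch one, using the same numbers as the commit message (file size 5120, offset 0x2000, length 0 meaning "whole file"). The names `demo_loff_t`, `clamp_len_buggy`, `clamp_len_fixed`, `memzero_count` and `demo_read` are assumptions for the demonstration and do not exist in the btrfs driver.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef long long demo_loff_t;          /* stand-in for U-Boot's signed 64-bit loff_t */
#define DEMO_BUF_SIZE 8192              /* assumed load buffer for the demo */

/* Pre-patch logic as described under [CAUSE]: when @len is 0 (read the
 * whole file) or the range runs past EOF, clamp to the remaining bytes.
 * With offset > real_size the subtraction goes negative. */
static demo_loff_t clamp_len_buggy(demo_loff_t offset, demo_loff_t len,
                                   demo_loff_t real_size)
{
    if (len == 0 || offset + len > real_size)
        len = real_size - offset;       /* 5120 - 8192 == -3072 */
    return len;
}

/* Post-patch logic: reject an offset at or past EOF before clamping.
 * Returns the clamped length (> 0) or a negative errno. Comparing
 * 'len > real_size - offset' instead of 'offset + len > real_size'
 * also avoids signed overflow for a huge @len. */
static demo_loff_t clamp_len_fixed(demo_loff_t offset, demo_loff_t len,
                                   demo_loff_t real_size)
{
    if (offset < 0 || len < 0 || real_size < 0)
        return -EINVAL;
    if (offset >= real_size)            /* same test the patch adds */
        return -EINVAL;
    if (len == 0 || len > real_size - offset)
        len = real_size - offset;
    return len;
}

/* What the driver does next with the length: pass it to memset().
 * A negative loff_t converted to size_t becomes an enormous count,
 * which is why the original code segfaults. */
static size_t memzero_count(demo_loff_t len)
{
    return (size_t)len;
}

/* Simulated driver entry using the fixed clamp: zero-fills a static
 * buffer for the clamped range and returns the byte count, or a
 * negative errno. The buffer-size check is demo-only. */
static demo_loff_t demo_read(demo_loff_t offset, demo_loff_t len,
                             demo_loff_t real_size)
{
    static char buf[DEMO_BUF_SIZE];
    demo_loff_t clamped = clamp_len_fixed(offset, len, real_size);

    if (clamped < 0) {
        fprintf(stderr,
                "Read range beyond file size, offset %lld file size %lld\n",
                offset, real_size);
        return clamped;
    }
    if (clamped > DEMO_BUF_SIZE)
        return -EFBIG;
    memset(buf, 0, (size_t)clamped);
    return clamped;
}

int main(void)
{
    demo_loff_t bad = clamp_len_buggy(8192, 0, 5120);

    printf("buggy clamp: len=%lld -> memset count %zu\n",
           bad, memzero_count(bad));
    printf("fixed read at offset 8192: %lld\n", demo_read(8192, 0, 5120));
    printf("fixed read at offset 4096: %lld\n", demo_read(4096, 0x2000, 5120));
    return 0;
}
```

Running it shows the buggy clamp producing -3072, which memset() would receive as a count just short of SIZE_MAX, while the fixed path returns -EINVAL for the same request and clamps an in-range request (offset 4096, length 0x2000) to the 1024 bytes that remain.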
Thread overview:
2022-07-26  5:22 [PATCH v2 0/8] U-boot: fs: add generic unaligned read offset handling  Qu Wenruo
2022-07-26  5:22 ` [PATCH v2 1/8] fs: fat: unexport file_fat_read_at()  Qu Wenruo
2022-08-05 21:14   ` Tom Rini
2022-08-05 22:44     ` Qu Wenruo
2022-08-06  2:44       ` Tom Rini
2022-07-26  5:22 ` [PATCH v2 2/8] fs: btrfs: fix a bug which no data get read if the length is not 0  Qu Wenruo
2022-07-26  5:22 ` [PATCH v2 3/8] fs: btrfs: fix a crash if specified range is beyond file size  Qu Wenruo [this message]
2022-07-26  5:22 ` [PATCH v2 4/8] fs: btrfs: move the unaligned read code to _fs_read() for btrfs  Qu Wenruo
2022-07-26  5:22 ` [PATCH v2 5/8] fs: ext4: rely on _fs_read() to handle leading unaligned block read  Qu Wenruo
2022-07-26  5:22 ` [PATCH v2 6/8] fs: fat: rely on higher layer to get block aligned read range  Qu Wenruo
2022-07-26  5:22 ` [PATCH v2 7/8] fs: ubifs: rely on higher layer to do unaligned read  Qu Wenruo
2022-07-26  5:22 ` [PATCH v2 8/8] fs: erofs: add unaligned read range handling  Qu Wenruo