From: Zhang Cen <rollkingzzc@gmail.com>
To: Chris Mason <clm@fb.com>, David Sterba <dsterba@suse.com>
Cc: linux-btrfs@vger.kernel.org, zerocling0077@gmail.com,
	2045gemini@gmail.com, Zhang Cen <rollkingzzc@gmail.com>
Subject: [PATCH] btrfs: validate ROOT_BACKREF name before copying subvolume info
Date: Sun, 10 May 2026 15:49:43 +0800
Message-ID: <20260510074943.2644335-1-rollkingzzc@gmail.com>

btrfs_ioctl_get_subvol_info() derives the copied subvolume name
length from btrfs_item_size() and copies it into subvol_info->name,
which is only BTRFS_VOL_NAME_MAX + 1 bytes long. A malformed
ROOT_BACKREF can therefore make the length underflow or exceed the
fixed ioctl buffer.

Validate that the item is large enough for struct btrfs_root_ref,
that the on-disk name_len fits inside the remaining payload, and that
the copied name does not exceed BTRFS_VOL_NAME_MAX. If any of those
checks fail, return -EUCLEAN instead of copying from corrupted
metadata. After validation, copy only name_len bytes and terminate the
result explicitly.

Sanitizer validation reported:
BUG: KASAN: slab-out-of-bounds in read_extent_buffer()
Write of size 505 at addr ffff88810936d608
Call trace:
  dump_stack_lvl() (?:?)
  print_address_description() (mm/kasan/report.c:373)
  read_extent_buffer() (?:?)
  print_report() (?:?)
  __virt_addr_valid() (?:?)
  srso_alias_return_thunk() (arch/x86/include/asm/nospec-branch.h:375)
  kasan_addr_to_slab() (mm/kasan/common.c:45)
  kasan_report() (?:?)
  kasan_check_range() (?:?)
  __asan_memcpy() (mm/kasan/shadow.c:103)
  btrfs_ioctl_get_subvol_info() (fs/btrfs/ioctl.c:2034)
  btrfs_get_32() (fs/btrfs/ioctl.c:?)
  btrfs_set_16() (fs/btrfs/ioctl.c:?)
  btrfs_test_get_subvol_info_name_oob() (fs/btrfs/ioctl.c:?)
  btrfs_run_sanity_tests() (fs/btrfs/ioctl.c:?)
  init_btrfs_fs() (fs/btrfs/super.c:2690)
  do_one_initcall() (init/main.c:1382)
  __kasan_kmalloc() (?:?)
  rcu_is_watching() (?:?)
  do_initcalls() (init/main.c:1457)
  kernel_init_freeable() (init/main.c:1674)
  kernel_init() (init/main.c:1584)
  ret_from_fork() (?:?)
  __switch_to() (?:?)
  ret_from_fork_asm() (?:?)
  kasan_save_stack() (mm/kasan/common.c:52)
  kasan_save_track() (mm/kasan/common.c:74)

Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>

---
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index a39460bf68a7..0647e672464a 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1956,7 +1956,8 @@ static int btrfs_ioctl_get_subvol_info(struct inode *inode, void __user *argp)
 	struct btrfs_root_ref *rref;
 	struct extent_buffer *leaf;
 	unsigned long item_off;
-	unsigned long item_len;
+	u32 item_size;
+	u16 name_len;
 	int slot;
 	int ret = 0;
 
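Review bot: the replacement types are the right width for the accessors used in the next hunk: btrfs_item_size() returns a u32 and btrfs_root_ref_name_len() a u16, so `item_size` and `name_len` lose nothing, while `item_off` correctly stays unsigned long because it still holds a byte offset from btrfs_item_ptr_offset(). Nothing to change here beyond confirming those types against the accessor definitions.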
@@ -2034,14 +2035,26 @@ static int btrfs_ioctl_get_subvol_info(struct inode *inode, void __user *argp)
 			subvol_info->parent_id = key.offset;
 
 			rref = btrfs_item_ptr(leaf, slot, struct btrfs_root_ref);
+			item_size = btrfs_item_size(leaf, slot);
+			if (item_size < sizeof(*rref)) {
+				ret = -EUCLEAN;
+				goto out;
+			}
+
+			name_len = btrfs_root_ref_name_len(leaf, rref);
+			if (name_len > item_size - sizeof(*rref) ||
+			    name_len > BTRFS_VOL_NAME_MAX) {
+				ret = -EUCLEAN;
+				goto out;
+			}
+
 			subvol_info->dirid = btrfs_root_ref_dirid(leaf, rref);
 
-			item_off = btrfs_item_ptr_offset(leaf, slot)
-					+ sizeof(struct btrfs_root_ref);
-			item_len = btrfs_item_size(leaf, slot)
-					- sizeof(struct btrfs_root_ref);
+			item_off = btrfs_item_ptr_offset(leaf, slot) +
+				   sizeof(*rref);
 			read_extent_buffer(leaf, subvol_info->name,
-					   item_off, item_len);
+					   item_off, name_len);
+			subvol_info->name[name_len] = '\0';
 		} else {
 			ret = -ENOENT;
 			goto out;
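Review bot: both new `-EUCLEAN` exits are silent; a btrfs_crit()-style message carrying the root id, slot, `item_size` and `name_len` would let an operator distinguish corrupt metadata from an ordinary ioctl failure, and please confirm that the `out` label (outside this hunk) releases the path and frees `subvol_info`, since these exits are taken earlier than the existing error path. The check ordering itself is correct: `item_size < sizeof(*rref)` is tested before `item_size - sizeof(*rref)` is computed, so the unsigned underflow the commit message describes cannot happen, and `name_len > BTRFS_VOL_NAME_MAX` keeps `subvol_info->name[name_len] = '\0'` inside the BTRFS_VOL_NAME_MAX + 1 buffer. Note that the v2 in this thread moves the validation into the tree-checker, which rejects the item when the leaf is read and keeps the ioctl path from ever seeing it.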

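The length arithmetic the commit message describes, as an added example that is not part of the patch or of the btrfs code: a simplified model of the ROOT_BACKREF item (the header fields are assumed to mirror struct btrfs_root_ref, and the item builder and sample data are constructed) showing the unchecked subtraction wrapping and the three validation checks rejecting corrupt items.

```c
#include <stdint.h>
#include <string.h>

#define EUCLEAN 117             /* Linux errno: structure needs cleaning */
#define BTRFS_VOL_NAME_MAX 255  /* same limit as fs/btrfs */

/* Assumed model of struct btrfs_root_ref: dirid, sequence, name_len,
 * followed by name_len bytes of name inside the same leaf item. */
struct root_ref_hdr {
    uint64_t dirid;
    uint64_t sequence;
    uint16_t name_len;
} __attribute__((packed));

/* Pre-patch arithmetic: item_size - sizeof(header) with no check, so an
 * item shorter than the header wraps to a huge unsigned length. */
static size_t naive_copy_len(uint32_t item_size)
{
    return (size_t)item_size - sizeof(struct root_ref_hdr);
}

/* Validated copy mirroring the three checks in the patch description.
 * Returns the copied length, or -EUCLEAN for a corrupt item. */
static int copy_subvol_name(const uint8_t *item, uint32_t item_size,
                            char out[BTRFS_VOL_NAME_MAX + 1])
{
    struct root_ref_hdr hdr;

    if (item_size < sizeof(hdr))          /* item too short for header */
        return -EUCLEAN;
    memcpy(&hdr, item, sizeof(hdr));
    if (hdr.name_len > item_size - sizeof(hdr) ||   /* name past payload */
        hdr.name_len > BTRFS_VOL_NAME_MAX)          /* name past buffer */
        return -EUCLEAN;
    memcpy(out, item + sizeof(hdr), hdr.name_len);
    out[hdr.name_len] = '\0';
    return hdr.name_len;
}

/* Constructed test item: header claims claimed_len, payload bytes of 'a'
 * follow; a nonzero size_override simulates a wrong recorded item size. */
static char last_name[BTRFS_VOL_NAME_MAX + 1];
static int run_case(uint16_t claimed_len, size_t payload, uint32_t size_override)
{
    uint8_t item[512] = {0};
    struct root_ref_hdr hdr = { .dirid = 256, .sequence = 1, .name_len = claimed_len };
    uint32_t item_size = (uint32_t)(sizeof(hdr) + payload);

    memcpy(item, &hdr, sizeof(hdr));
    memset(item + sizeof(hdr), 'a', payload);
    return copy_subvol_name(item, size_override ? size_override : item_size, last_name);
}
```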
Thread overview: 7+ messages
2026-05-10  7:49 Zhang Cen [this message]
2026-05-10  8:18 ` [PATCH] btrfs: validate ROOT_BACKREF name before copying subvolume info Qu Wenruo
     [not found] ` <qu-root-backref-20260510-161800@local>
2026-05-10 14:37   ` Zhang Cen
2026-05-10 14:42 ` [PATCH v2] btrfs: validate root ref names in tree-checker Zhang Cen
2026-05-10 14:46   ` Cen Zhang
2026-05-10 15:03 ` [PATCH v3] " Zhang Cen
2026-05-10 22:12   ` Qu Wenruo
