Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

linux-btrfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
       [not found] <1424966437-29795-1-git-send-email-quentin.casasnovas@oracle.com>
@ 2015-03-03 14:38 ` David Sterba
  2015-03-03 15:23   ` Chris Mason
  0 siblings, 1 reply; 4+ messages in thread
From: David Sterba @ 2015-03-03 14:38 UTC (permalink / raw)
  To: Quentin Casasnovas; +Cc: Mark Fasheh, lkml, linux-btrfs

Adding linux-btrfs to CC

On Thu, Feb 26, 2015 at 05:00:37PM +0100, Quentin Casasnovas wrote:
> Improper arithmetics when calculting the address of the extended ref could
> lead to an out of bounds memory read and kernel panic.
> 
> Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>

Good catch.

CC: <stable@vger.kernel.org>
Reviewed-by: David Sterba <dsterba@suse.cz>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
  2015-03-03 14:38 ` [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref David Sterba
@ 2015-03-03 15:23   ` Chris Mason
  2015-03-03 15:31     ` Quentin Casasnovas
  0 siblings, 1 reply; 4+ messages in thread
From: Chris Mason @ 2015-03-03 15:23 UTC (permalink / raw)
  To: dsterba; +Cc: Quentin Casasnovas, Mark Fasheh, lkml, linux-btrfs

On Tue, Mar 3, 2015 at 9:38 AM, David Sterba <dsterba@suse.cz> wrote:
> Adding linux-btrfs to CC
> 
> On Thu, Feb 26, 2015 at 05:00:37PM +0100, Quentin Casasnovas wrote:
>>  Improper arithmetics when calculting the address of the extended 
>> ref could
>>  lead to an out of bounds memory read and kernel panic.
>> 
>>  Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
> 
> Good catch.

Thanks Quentin, can you please bounce the patch to linux-btrfs so it'll 
be in patchwork?

-chris

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
  2015-03-03 15:23   ` Chris Mason
@ 2015-03-03 15:31     ` Quentin Casasnovas
  2015-03-03 15:35       ` Chris Mason
  0 siblings, 1 reply; 4+ messages in thread
From: Quentin Casasnovas @ 2015-03-03 15:31 UTC (permalink / raw)
  To: linux-btrfs
  Cc: linux-kernel, Mark Fasheh, Chris Mason, David Sterba,
	Quentin Casasnovas

Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
---
 fs/btrfs/tree-log.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c
index 9a37f8b..c5b8ba3 100644
--- fs/btrfs/tree-log.c
+++ fs/btrfs/tree-log.c
@@ -1012,7 +1012,7 @@ again:
 		base = btrfs_item_ptr_offset(leaf, path->slots[0]);
 
 		while (cur_offset < item_size) {
-			extref = (struct btrfs_inode_extref *)base + cur_offset;
+			extref = (struct btrfs_inode_extref *)(base + cur_offset);
 
 			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
 
-- 
2.0.5


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
  2015-03-03 15:31     ` Quentin Casasnovas
@ 2015-03-03 15:35       ` Chris Mason
  0 siblings, 0 replies; 4+ messages in thread
From: Chris Mason @ 2015-03-03 15:35 UTC (permalink / raw)
  To: Quentin Casasnovas; +Cc: linux-btrfs, linux-kernel, Mark Fasheh, David Sterba



On Tue, Mar 3, 2015 at 10:31 AM, Quentin Casasnovas 
<quentin.casasnovas@oracle.com> wrote:
> Improper arithmetics when calculting the address of the extended ref 
> could
> lead to an out of bounds memory read and kernel panic.
> 
> Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
> ---
>  fs/btrfs/tree-log.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c
> index 9a37f8b..c5b8ba3 100644
> --- fs/btrfs/tree-log.c
> +++ fs/btrfs/tree-log.c
> @@ -1012,7 +1012,7 @@ again:
>  		base = btrfs_item_ptr_offset(leaf, path->slots[0]);
> 
>  		while (cur_offset < item_size) {
> -			extref = (struct btrfs_inode_extref *)base + cur_offset;
> +			extref = (struct btrfs_inode_extref *)(base + cur_offset);
> 
>  			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
> 

Thanks, this goes back to 3.7+ (Mark's original extref code).  I'll tag 
for stable and add Dave's reviewed by:

Reviewed-by: David Sterba <dsterba@suse.cz>

-chris




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-03-03 15:36 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <1424966437-29795-1-git-send-email-quentin.casasnovas@oracle.com>
2015-03-03 14:38 ` [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref David Sterba
2015-03-03 15:23   ` Chris Mason
2015-03-03 15:31     ` Quentin Casasnovas
2015-03-03 15:35       ` Chris Mason

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).