From: Qu Wenruo <quwenruo@cn.fujitsu.com>
To: <linux-btrfs@vger.kernel.org>
Cc: <lukas.lueg@gmail.com>
Subject: [PATCH 3/4] btrfs-progs: Introduce better superblock check.
Date: Wed, 13 May 2015 17:15:35 +0800 [thread overview]
Message-ID: <1431508536-7275-4-git-send-email-quwenruo@cn.fujitsu.com> (raw)
In-Reply-To: <1431508536-7275-1-git-send-email-quwenruo@cn.fujitsu.com>
Now btrfs-progs will have much more restrict superblock check based on
kernel superblock check.
This should at least provide some hostile crafted image to crash command
like btrfsck.
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
---
disk-io.c | 148 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 144 insertions(+), 4 deletions(-)
diff --git a/disk-io.c b/disk-io.c
index e6ac3e9..bf796c6 100644
--- a/disk-io.c
+++ b/disk-io.c
@@ -38,6 +38,7 @@
#define BTRFS_BAD_BYTENR (-1)
#define BTRFS_BAD_FSID (-2)
+#define IS_ALIGNED(x, a) (((x) & ((typeof(x))(a) - 1)) == 0)
static int check_tree_block(struct btrfs_root *root, struct extent_buffer *buf)
{
@@ -1259,6 +1260,144 @@ struct btrfs_root *open_ctree_fd(int fp, const char *path, u64 sb_bytenr,
return info->fs_root;
}
+/* Just to save some space */
+#define pr_err(fmt, args...) (fprintf(stderr, fmt, ##args))
+
+/*
+ * Check if the super is validate.
+ *
+ * Unlike kernel one, we don't have extra check, so it's quite restrict
+ * in btrfs-progs.
+ */
+static int check_super(struct btrfs_super_block *sb)
+{
+ char result[BTRFS_CSUM_SIZE];
+ u32 crc;
+ u16 csum_type;
+ int csum_size;
+
+ if (btrfs_super_magic(sb) != BTRFS_MAGIC) {
+ pr_err("ERROR: superblock magic doesn't match\n");
+ return -EIO;
+ }
+
+ csum_type = btrfs_super_csum_type(sb);
+ if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
+ pr_err("ERROR: unsupported checksum algorithm %u\n",
+ csum_type);
+ return -EIO;
+ }
+ csum_size = btrfs_csum_sizes[csum_type];
+
+ crc = ~(u32)0;
+ crc = btrfs_csum_data(NULL, (char *)sb + BTRFS_CSUM_SIZE, crc,
+ BTRFS_SUPER_INFO_SIZE - BTRFS_CSUM_SIZE);
+ btrfs_csum_final(crc, result);
+
+ if (memcmp(result, sb->csum, csum_size)) {
+ pr_err("ERROR: superblock checksum mismatch\n");
+ return -EIO;
+ }
+ if (btrfs_super_root_level(sb) >= BTRFS_MAX_LEVEL) {
+ pr_err("ERROR: tree_root level too big: %d>=%d\n",
+ btrfs_super_root_level(sb), BTRFS_MAX_LEVEL);
+ return -EIO;
+ }
+ if (btrfs_super_chunk_root_level(sb) >= BTRFS_MAX_LEVEL) {
+ pr_err("ERROR: chunk_root level too big: %d>=%d\n",
+ btrfs_super_chunk_root_level(sb), BTRFS_MAX_LEVEL);
+ return -EIO;
+ }
+ if (btrfs_super_log_root_level(sb) >= BTRFS_MAX_LEVEL) {
+ pr_err("ERROR: log_root level too big: %d>=%d\n",
+ btrfs_super_log_root_level(sb), BTRFS_MAX_LEVEL);
+ return -EIO;
+ }
+
+ if (!IS_ALIGNED(btrfs_super_root(sb), 4096)) {
+ pr_err("ERROR: tree_root block unaligned: %llu\n",
+ btrfs_super_root(sb));
+ return -EIO;
+ }
+ if (!IS_ALIGNED(btrfs_super_chunk_root(sb), 4096)) {
+ pr_err("ERROR: chunk_root block unaligned: %llu\n",
+ btrfs_super_chunk_root(sb));
+ return -EIO;
+ }
+ if (!IS_ALIGNED(btrfs_super_log_root(sb), 4096)) {
+ pr_err("ERROR: log_root block unaligned: %llu\n",
+ btrfs_super_log_root(sb));
+ return -EIO;
+ }
+ if (btrfs_super_nodesize(sb) < 4096) {
+ pr_err("ERROR: nodesize too small: %u < 4096\n",
+ btrfs_super_nodesize(sb));
+ return -EIO;
+ }
+ if (!IS_ALIGNED(btrfs_super_nodesize(sb), 4096)) {
+ pr_err("ERROR: nodesize unaligned: %u\n",
+ btrfs_super_nodesize(sb));
+ return -EIO;
+ }
+ if (btrfs_super_sectorsize(sb) < 4096) {
+ pr_err("ERROR: sectorsize too small: %u < 4096\n",
+ btrfs_super_sectorsize(sb));
+ return -EIO;
+ }
+ if (!IS_ALIGNED(btrfs_super_sectorsize(sb), 4096)) {
+ pr_err("ERROR: sectorsize unaligned: %u\n",
+ btrfs_super_sectorsize(sb));
+ return -EIO;
+ }
+
+ if (memcmp(sb->fsid, sb->dev_item.fsid, BTRFS_UUID_SIZE) != 0) {
+ char fsid[BTRFS_UUID_UNPARSED_SIZE];
+ char dev_fsid[BTRFS_UUID_UNPARSED_SIZE];
+
+ uuid_unparse(sb->fsid, fsid);
+ uuid_unparse(sb->dev_item.fsid, dev_fsid);
+ printk(KERN_ERR
+ "ERROR: dev_item UUID does not match fsid: %s != %s\n",
+ dev_fsid, fsid);
+ return -EIO;
+ }
+
+ /*
+ * Hint to catch really bogus numbers, bitflips or so
+ */
+ if (btrfs_super_num_devices(sb) > (1UL << 31)) {
+ pr_err("ERROR: suspicious number of devices: %llu\n",
+ btrfs_super_num_devices(sb));
+ return -EIO;
+ }
+
+ if (btrfs_super_num_devices(sb) == 0) {
+ pr_err("ERROR: number of devices is 0\n");
+ return -EIO;
+ }
+
+ /*
+ * Obvious sys_chunk_array corruptions, it must hold at least one key
+ * and one chunk
+ */
+ if (btrfs_super_sys_array_size(sb) > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) {
+ pr_err("BTRFS: system chunk array too big %u > %u\n",
+ btrfs_super_sys_array_size(sb),
+ BTRFS_SYSTEM_CHUNK_ARRAY_SIZE);
+ return -EIO;
+ }
+ if (btrfs_super_sys_array_size(sb) < sizeof(struct btrfs_disk_key)
+ + sizeof(struct btrfs_chunk)) {
+ pr_err("BTRFS: system chunk array too small %u < %lu\n",
+ btrfs_super_sys_array_size(sb),
+ sizeof(struct btrfs_disk_key) +
+ sizeof(struct btrfs_chunk));
+ return -EIO;
+ }
+
+ return 0;
+}
+
int btrfs_read_dev_super(int fd, struct btrfs_super_block *sb, u64 sb_bytenr,
int super_recover)
{
@@ -1277,10 +1416,11 @@ int btrfs_read_dev_super(int fd, struct btrfs_super_block *sb, u64 sb_bytenr,
if (ret < BTRFS_SUPER_INFO_SIZE)
return -1;
- if (btrfs_super_bytenr(buf) != sb_bytenr ||
- btrfs_super_magic(buf) != BTRFS_MAGIC)
+ if (btrfs_super_bytenr(buf) != sb_bytenr)
return -1;
+ if (check_super(buf))
+ return -1;
memcpy(sb, &buf, BTRFS_SUPER_INFO_SIZE);
return 0;
}
@@ -1302,8 +1442,8 @@ int btrfs_read_dev_super(int fd, struct btrfs_super_block *sb, u64 sb_bytenr,
continue;
/* if magic is NULL, the device was removed */
if (btrfs_super_magic(buf) == 0 && i == 0)
- return -1;
- if (btrfs_super_magic(buf) != BTRFS_MAGIC)
+ break;
+ if (check_super(buf))
continue;
if (!fsid_is_initialized) {
--
2.4.0
next prev parent reply other threads:[~2015-05-13 9:18 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-13 9:15 [PATCH 0/4] Enhance btrfs-progs for hostile image (FPE error part) Qu Wenruo
2015-05-13 9:15 ` [PATCH 1/4] btrfs-progs: Remove non-exist csum size Qu Wenruo
2015-05-13 16:18 ` David Sterba
2015-05-13 9:15 ` [PATCH 2/4] btrfs-progs: Read the whole superblock instead of struct btrfs_super_block Qu Wenruo
2015-05-13 16:14 ` David Sterba
2015-09-25 20:50 ` David Sterba
2015-05-13 9:15 ` Qu Wenruo [this message]
2015-09-25 20:55 ` [PATCH 3/4] btrfs-progs: Introduce better superblock check David Sterba
2015-05-13 9:15 ` [PATCH 4/4] btrfs-progs: Add extra chunk item check to avoid btrfs-progs crash Qu Wenruo
2015-05-13 16:18 ` David Sterba
2015-05-19 16:33 ` WorMzy Tykashi
[not found] ` <CALOYprV-dyji_5UFm3K-qmw0K2i5u7d14rwX7OPMFS29aY9ZVA@mail.gmail.com>
2015-05-20 0:25 ` Qu Wenruo
2015-05-20 8:03 ` WorMzy Tykashi
2015-05-20 12:20 ` David Sterba
2015-05-21 0:21 ` Qu Wenruo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1431508536-7275-4-git-send-email-quwenruo@cn.fujitsu.com \
--to=quwenruo@cn.fujitsu.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=lukas.lueg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).