[PATCH] btrfs: validate root ref item size and name length

[PATCH] btrfs: validate root ref item size and name length

[Kyle Zeng]

ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
by one variable-length name.  The tree checker validates only generic leaf
geometry for these item types, so corrupted metadata can expose a root-ref
item whose item size does not match the embedded name_len field.

Several readers later trust the item size or the name_len field when
copying the name into fixed-size buffers.  For example,
BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
the item size and copies that many bytes into the 256-byte subvolume name
field.  A crafted ROOT_BACKREF item can therefore trigger a kernel heap
out-of-bounds write.

Validate root refs in the tree checker before other Btrfs code consumes
them.  Reject items that are too small for the fixed header, names larger
than BTRFS_NAME_LEN, and item sizes that do not exactly match
sizeof(struct btrfs_root_ref) plus the embedded name length.

Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5.5
Signed-off-by: Kyle Zeng <kylebot@openai.com>
---
 fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 1f15d0793a9c..fb072045ca18 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
 	return 0;
 }
 
+static int check_root_ref(struct extent_buffer *leaf, int slot)
+{
+	struct btrfs_root_ref *rref;
+	const u32 item_size = btrfs_item_size(leaf, slot);
+	u32 expect_size;
+	u16 name_len;
+
+	if (unlikely(item_size < sizeof(*rref))) {
+		generic_err(leaf, slot,
+			    "invalid root ref item size, have %u expect >= %zu",
+			    item_size, sizeof(*rref));
+		return -EUCLEAN;
+	}
+
+	rref = btrfs_item_ptr(leaf, slot, struct btrfs_root_ref);
+	name_len = btrfs_root_ref_name_len(leaf, rref);
+	if (unlikely(name_len > BTRFS_NAME_LEN)) {
+		generic_err(leaf, slot,
+			    "root ref name too long, have %u max %u",
+			    name_len, BTRFS_NAME_LEN);
+		return -EUCLEAN;
+	}
+
+	expect_size = sizeof(*rref) + name_len;
+	if (unlikely(item_size != expect_size)) {
+		generic_err(leaf, slot,
+			    "invalid root ref item size, have %u expect %u",
+			    item_size, expect_size);
+		return -EUCLEAN;
+	}
+
+	return 0;
+}
+
 static int check_raid_stripe_extent(const struct extent_buffer *leaf,
 				    const struct btrfs_key *key, int slot)
 {
@@ -2226,6 +2260,10 @@ static enum btrfs_tree_block_status check_leaf_item(struct extent_buffer *leaf,
 	case BTRFS_ROOT_ITEM_KEY:
 		ret = check_root_item(leaf, key, slot);
 		break;
+	case BTRFS_ROOT_REF_KEY:
+	case BTRFS_ROOT_BACKREF_KEY:
+		ret = check_root_ref(leaf, slot);
+		break;
 	case BTRFS_EXTENT_ITEM_KEY:
 	case BTRFS_METADATA_ITEM_KEY:
 		ret = check_extent_item(leaf, key, slot, prev_key);
-- 
2.54.0

Re: [PATCH] btrfs: validate root ref item size and name length

[Qu Wenruo]

在 2026/6/12 06:54, Kyle Zeng 写道:
> ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
> by one variable-length name.  The tree checker validates only generic leaf
> geometry for these item types, so corrupted metadata can expose a root-ref
> item whose item size does not match the embedded name_len field.
> 
> Several readers later trust the item size or the name_len field when
> copying the name into fixed-size buffers.  For example,
> BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
> the item size and copies that many bytes into the 256-byte subvolume name
> field.  A crafted ROOT_BACKREF item can therefore trigger a kernel heap
> out-of-bounds write.
> 
> Validate root refs in the tree checker before other Btrfs code consumes
> them.  Reject items that are too small for the fixed header, names larger
> than BTRFS_NAME_LEN, and item sizes that do not exactly match
> sizeof(struct btrfs_root_ref) plus the embedded name length.
> 
> Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
> Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
> Cc: stable@vger.kernel.org
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Kyle Zeng <kylebot@openai.com>

Tell you stupid agent to grab the correct branch.

All it's doing is just a worse version of the existing check in for-next 
tree.

> ---
>   fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
>   1 file changed, 38 insertions(+)
> 
> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> index 1f15d0793a9c..fb072045ca18 100644
> --- a/fs/btrfs/tree-checker.c
> +++ b/fs/btrfs/tree-checker.c
> @@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
>   	return 0;
>   }
>   
> +static int check_root_ref(struct extent_buffer *leaf, int slot)
> +{
> +	struct btrfs_root_ref *rref;
> +	const u32 item_size = btrfs_item_size(leaf, slot);
> +	u32 expect_size;
> +	u16 name_len;
> +
> +	if (unlikely(item_size < sizeof(*rref))) {
> +		generic_err(leaf, slot,
> +			    "invalid root ref item size, have %u expect >= %zu",
> +			    item_size, sizeof(*rref));
> +		return -EUCLEAN;
> +	}

Your stupid agent doesn't reject name_len == 0 case, meanwhile the 
for-next one does.

Re: [PATCH] btrfs: validate root ref item size and name length

[Kyle Zeng]

Hi Wenruo,

I'm actually a human who happens to have "bot" in the handle:
https://kylebot.net/.
I manually verified that my PoC worked against the master branch
before sending the patch.If you think I'm validating against the wrong
branch, just let me know. That was a bit unnecessary.

Best,
Kyle

On Thu, Jun 11, 2026 at 3:56 PM Qu Wenruo <wqu@suse.com> wrote:
>
>
>
> 在 2026/6/12 06:54, Kyle Zeng 写道:
> > ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
> > by one variable-length name.  The tree checker validates only generic leaf
> > geometry for these item types, so corrupted metadata can expose a root-ref
> > item whose item size does not match the embedded name_len field.
> >
> > Several readers later trust the item size or the name_len field when
> > copying the name into fixed-size buffers.  For example,
> > BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
> > the item size and copies that many bytes into the 256-byte subvolume name
> > field.  A crafted ROOT_BACKREF item can therefore trigger a kernel heap
> > out-of-bounds write.
> >
> > Validate root refs in the tree checker before other Btrfs code consumes
> > them.  Reject items that are too small for the fixed header, names larger
> > than BTRFS_NAME_LEN, and item sizes that do not exactly match
> > sizeof(struct btrfs_root_ref) plus the embedded name length.
> >
> > Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
> > Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
> > Cc: stable@vger.kernel.org
> > Assisted-by: Codex:gpt-5.5
> > Signed-off-by: Kyle Zeng <kylebot@openai.com>
>
> Tell you stupid agent to grab the correct branch.
>
> All it's doing is just a worse version of the existing check in for-next
> tree.
>
> > ---
> >   fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
> >   1 file changed, 38 insertions(+)
> >
> > diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> > index 1f15d0793a9c..fb072045ca18 100644
> > --- a/fs/btrfs/tree-checker.c
> > +++ b/fs/btrfs/tree-checker.c
> > @@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
> >       return 0;
> >   }
> >
> > +static int check_root_ref(struct extent_buffer *leaf, int slot)
> > +{
> > +     struct btrfs_root_ref *rref;
> > +     const u32 item_size = btrfs_item_size(leaf, slot);
> > +     u32 expect_size;
> > +     u16 name_len;
> > +
> > +     if (unlikely(item_size < sizeof(*rref))) {
> > +             generic_err(leaf, slot,
> > +                         "invalid root ref item size, have %u expect >= %zu",
> > +                         item_size, sizeof(*rref));
> > +             return -EUCLEAN;
> > +     }
>
> Your stupid agent doesn't reject name_len == 0 case, meanwhile the
> for-next one does.

Re: [PATCH] btrfs: validate root ref item size and name length

[Qu Wenruo]

在 2026/6/12 08:39, Kyle Zeng 写道:
> Hi Wenruo,
> 
> I'm actually a human who happens to have "bot" in the handle:
> https://kylebot.net/.
> I manually verified that my PoC worked against the master branch
> before sending the patch.If you think I'm validating against the wrong
> branch, just let me know. That was a bit unnecessary.

https://github.com/btrfs/linux.git for-next

https://btrfs.readthedocs.io/en/latest/dev/Developer-s-FAQ.html#development-phase-linux-next-for-next

Not to mention you're not the first one doing the same mistake, 
re-inventing a worse patch that is already in for-next for a while.

> 
> Best,
> Kyle
> 
> On Thu, Jun 11, 2026 at 3:56 PM Qu Wenruo <wqu@suse.com> wrote:
>>
>>
>>
>> 在 2026/6/12 06:54, Kyle Zeng 写道:
>>> ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
>>> by one variable-length name.  The tree checker validates only generic leaf
>>> geometry for these item types, so corrupted metadata can expose a root-ref
>>> item whose item size does not match the embedded name_len field.
>>>
>>> Several readers later trust the item size or the name_len field when
>>> copying the name into fixed-size buffers.  For example,
>>> BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
>>> the item size and copies that many bytes into the 256-byte subvolume name
>>> field.  A crafted ROOT_BACKREF item can therefore trigger a kernel heap
>>> out-of-bounds write.
>>>
>>> Validate root refs in the tree checker before other Btrfs code consumes
>>> them.  Reject items that are too small for the fixed header, names larger
>>> than BTRFS_NAME_LEN, and item sizes that do not exactly match
>>> sizeof(struct btrfs_root_ref) plus the embedded name length.
>>>
>>> Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
>>> Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
>>> Cc: stable@vger.kernel.org
>>> Assisted-by: Codex:gpt-5.5
>>> Signed-off-by: Kyle Zeng <kylebot@openai.com>
>>
>> Tell you stupid agent to grab the correct branch.
>>
>> All it's doing is just a worse version of the existing check in for-next
>> tree.
>>
>>> ---
>>>    fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
>>>    1 file changed, 38 insertions(+)
>>>
>>> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
>>> index 1f15d0793a9c..fb072045ca18 100644
>>> --- a/fs/btrfs/tree-checker.c
>>> +++ b/fs/btrfs/tree-checker.c
>>> @@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
>>>        return 0;
>>>    }
>>>
>>> +static int check_root_ref(struct extent_buffer *leaf, int slot)
>>> +{
>>> +     struct btrfs_root_ref *rref;
>>> +     const u32 item_size = btrfs_item_size(leaf, slot);
>>> +     u32 expect_size;
>>> +     u16 name_len;
>>> +
>>> +     if (unlikely(item_size < sizeof(*rref))) {
>>> +             generic_err(leaf, slot,
>>> +                         "invalid root ref item size, have %u expect >= %zu",
>>> +                         item_size, sizeof(*rref));
>>> +             return -EUCLEAN;
>>> +     }
>>
>> Your stupid agent doesn't reject name_len == 0 case, meanwhile the
>> for-next one does.