* [PATCH] btrfs: validate root ref item size and name length
@ 2026-06-11 21:24 Kyle Zeng
2026-06-11 22:56 ` Qu Wenruo
0 siblings, 1 reply; 4+ messages in thread
From: Kyle Zeng @ 2026-06-11 21:24 UTC (permalink / raw)
To: linux-btrfs
Cc: Chris Mason, David Sterba, outbounddisclosures, Kyle Zeng, stable
ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
by one variable-length name. The tree checker validates only generic leaf
geometry for these item types, so corrupted metadata can expose a root-ref
item whose item size does not match the embedded name_len field.
Several readers later trust the item size or the name_len field when
copying the name into fixed-size buffers. For example,
BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
the item size and copies that many bytes into the 256-byte subvolume name
field. A crafted ROOT_BACKREF item can therefore trigger a kernel heap
out-of-bounds write.
Validate root refs in the tree checker before other Btrfs code consumes
them. Reject items that are too small for the fixed header, names larger
than BTRFS_NAME_LEN, and item sizes that do not exactly match
sizeof(struct btrfs_root_ref) plus the embedded name length.
Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5.5
Signed-off-by: Kyle Zeng <kylebot@openai.com>
---
fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 1f15d0793a9c..fb072045ca18 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
return 0;
}
+static int check_root_ref(struct extent_buffer *leaf, int slot)
+{
+ struct btrfs_root_ref *rref;
+ const u32 item_size = btrfs_item_size(leaf, slot);
+ u32 expect_size;
+ u16 name_len;
+
+ if (unlikely(item_size < sizeof(*rref))) {
+ generic_err(leaf, slot,
+ "invalid root ref item size, have %u expect >= %zu",
+ item_size, sizeof(*rref));
+ return -EUCLEAN;
+ }
+
+ rref = btrfs_item_ptr(leaf, slot, struct btrfs_root_ref);
+ name_len = btrfs_root_ref_name_len(leaf, rref);
+ if (unlikely(name_len > BTRFS_NAME_LEN)) {
+ generic_err(leaf, slot,
+ "root ref name too long, have %u max %u",
+ name_len, BTRFS_NAME_LEN);
+ return -EUCLEAN;
+ }
+
+ expect_size = sizeof(*rref) + name_len;
+ if (unlikely(item_size != expect_size)) {
+ generic_err(leaf, slot,
+ "invalid root ref item size, have %u expect %u",
+ item_size, expect_size);
+ return -EUCLEAN;
+ }
+
+ return 0;
+}
+
static int check_raid_stripe_extent(const struct extent_buffer *leaf,
const struct btrfs_key *key, int slot)
{
@@ -2226,6 +2260,10 @@ static enum btrfs_tree_block_status check_leaf_item(struct extent_buffer *leaf,
case BTRFS_ROOT_ITEM_KEY:
ret = check_root_item(leaf, key, slot);
break;
+ case BTRFS_ROOT_REF_KEY:
+ case BTRFS_ROOT_BACKREF_KEY:
+ ret = check_root_ref(leaf, slot);
+ break;
case BTRFS_EXTENT_ITEM_KEY:
case BTRFS_METADATA_ITEM_KEY:
ret = check_extent_item(leaf, key, slot, prev_key);
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] btrfs: validate root ref item size and name length
2026-06-11 21:24 [PATCH] btrfs: validate root ref item size and name length Kyle Zeng
@ 2026-06-11 22:56 ` Qu Wenruo
2026-06-11 23:09 ` Kyle Zeng
0 siblings, 1 reply; 4+ messages in thread
From: Qu Wenruo @ 2026-06-11 22:56 UTC (permalink / raw)
To: Kyle Zeng, linux-btrfs
Cc: Chris Mason, David Sterba, outbounddisclosures, stable
在 2026/6/12 06:54, Kyle Zeng 写道:
> ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
> by one variable-length name. The tree checker validates only generic leaf
> geometry for these item types, so corrupted metadata can expose a root-ref
> item whose item size does not match the embedded name_len field.
>
> Several readers later trust the item size or the name_len field when
> copying the name into fixed-size buffers. For example,
> BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
> the item size and copies that many bytes into the 256-byte subvolume name
> field. A crafted ROOT_BACKREF item can therefore trigger a kernel heap
> out-of-bounds write.
>
> Validate root refs in the tree checker before other Btrfs code consumes
> them. Reject items that are too small for the fixed header, names larger
> than BTRFS_NAME_LEN, and item sizes that do not exactly match
> sizeof(struct btrfs_root_ref) plus the embedded name length.
>
> Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
> Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
> Cc: stable@vger.kernel.org
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Kyle Zeng <kylebot@openai.com>
Tell you stupid agent to grab the correct branch.
All it's doing is just a worse version of the existing check in for-next
tree.
> ---
> fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 38 insertions(+)
>
> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> index 1f15d0793a9c..fb072045ca18 100644
> --- a/fs/btrfs/tree-checker.c
> +++ b/fs/btrfs/tree-checker.c
> @@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
> return 0;
> }
>
> +static int check_root_ref(struct extent_buffer *leaf, int slot)
> +{
> + struct btrfs_root_ref *rref;
> + const u32 item_size = btrfs_item_size(leaf, slot);
> + u32 expect_size;
> + u16 name_len;
> +
> + if (unlikely(item_size < sizeof(*rref))) {
> + generic_err(leaf, slot,
> + "invalid root ref item size, have %u expect >= %zu",
> + item_size, sizeof(*rref));
> + return -EUCLEAN;
> + }
Your stupid agent doesn't reject name_len == 0 case, meanwhile the
for-next one does.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] btrfs: validate root ref item size and name length
2026-06-11 22:56 ` Qu Wenruo
@ 2026-06-11 23:09 ` Kyle Zeng
2026-06-11 23:13 ` Qu Wenruo
0 siblings, 1 reply; 4+ messages in thread
From: Kyle Zeng @ 2026-06-11 23:09 UTC (permalink / raw)
To: Qu Wenruo
Cc: linux-btrfs, Chris Mason, David Sterba, outbounddisclosures,
stable
Hi Wenruo,
I'm actually a human who happens to have "bot" in the handle:
https://kylebot.net/.
I manually verified that my PoC worked against the master branch
before sending the patch.If you think I'm validating against the wrong
branch, just let me know. That was a bit unnecessary.
Best,
Kyle
On Thu, Jun 11, 2026 at 3:56 PM Qu Wenruo <wqu@suse.com> wrote:
>
>
>
> 在 2026/6/12 06:54, Kyle Zeng 写道:
> > ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
> > by one variable-length name. The tree checker validates only generic leaf
> > geometry for these item types, so corrupted metadata can expose a root-ref
> > item whose item size does not match the embedded name_len field.
> >
> > Several readers later trust the item size or the name_len field when
> > copying the name into fixed-size buffers. For example,
> > BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
> > the item size and copies that many bytes into the 256-byte subvolume name
> > field. A crafted ROOT_BACKREF item can therefore trigger a kernel heap
> > out-of-bounds write.
> >
> > Validate root refs in the tree checker before other Btrfs code consumes
> > them. Reject items that are too small for the fixed header, names larger
> > than BTRFS_NAME_LEN, and item sizes that do not exactly match
> > sizeof(struct btrfs_root_ref) plus the embedded name length.
> >
> > Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
> > Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
> > Cc: stable@vger.kernel.org
> > Assisted-by: Codex:gpt-5.5
> > Signed-off-by: Kyle Zeng <kylebot@openai.com>
>
> Tell you stupid agent to grab the correct branch.
>
> All it's doing is just a worse version of the existing check in for-next
> tree.
>
> > ---
> > fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 38 insertions(+)
> >
> > diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> > index 1f15d0793a9c..fb072045ca18 100644
> > --- a/fs/btrfs/tree-checker.c
> > +++ b/fs/btrfs/tree-checker.c
> > @@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
> > return 0;
> > }
> >
> > +static int check_root_ref(struct extent_buffer *leaf, int slot)
> > +{
> > + struct btrfs_root_ref *rref;
> > + const u32 item_size = btrfs_item_size(leaf, slot);
> > + u32 expect_size;
> > + u16 name_len;
> > +
> > + if (unlikely(item_size < sizeof(*rref))) {
> > + generic_err(leaf, slot,
> > + "invalid root ref item size, have %u expect >= %zu",
> > + item_size, sizeof(*rref));
> > + return -EUCLEAN;
> > + }
>
> Your stupid agent doesn't reject name_len == 0 case, meanwhile the
> for-next one does.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] btrfs: validate root ref item size and name length
2026-06-11 23:09 ` Kyle Zeng
@ 2026-06-11 23:13 ` Qu Wenruo
0 siblings, 0 replies; 4+ messages in thread
From: Qu Wenruo @ 2026-06-11 23:13 UTC (permalink / raw)
To: Kyle Zeng
Cc: linux-btrfs, Chris Mason, David Sterba, outbounddisclosures,
stable
在 2026/6/12 08:39, Kyle Zeng 写道:
> Hi Wenruo,
>
> I'm actually a human who happens to have "bot" in the handle:
> https://kylebot.net/.
> I manually verified that my PoC worked against the master branch
> before sending the patch.If you think I'm validating against the wrong
> branch, just let me know. That was a bit unnecessary.
https://github.com/btrfs/linux.git for-next
https://btrfs.readthedocs.io/en/latest/dev/Developer-s-FAQ.html#development-phase-linux-next-for-next
Not to mention you're not the first one doing the same mistake,
re-inventing a worse patch that is already in for-next for a while.
>
> Best,
> Kyle
>
> On Thu, Jun 11, 2026 at 3:56 PM Qu Wenruo <wqu@suse.com> wrote:
>>
>>
>>
>> 在 2026/6/12 06:54, Kyle Zeng 写道:
>>> ROOT_REF and ROOT_BACKREF items contain a struct btrfs_root_ref followed
>>> by one variable-length name. The tree checker validates only generic leaf
>>> geometry for these item types, so corrupted metadata can expose a root-ref
>>> item whose item size does not match the embedded name_len field.
>>>
>>> Several readers later trust the item size or the name_len field when
>>> copying the name into fixed-size buffers. For example,
>>> BTRFS_IOC_GET_SUBVOL_INFO subtracts sizeof(struct btrfs_root_ref) from
>>> the item size and copies that many bytes into the 256-byte subvolume name
>>> field. A crafted ROOT_BACKREF item can therefore trigger a kernel heap
>>> out-of-bounds write.
>>>
>>> Validate root refs in the tree checker before other Btrfs code consumes
>>> them. Reject items that are too small for the fixed header, names larger
>>> than BTRFS_NAME_LEN, and item sizes that do not exactly match
>>> sizeof(struct btrfs_root_ref) plus the embedded name length.
>>>
>>> Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
>>> Fixes: b64ec075bded ("btrfs: Add unprivileged ioctl which returns subvolume information")
>>> Cc: stable@vger.kernel.org
>>> Assisted-by: Codex:gpt-5.5
>>> Signed-off-by: Kyle Zeng <kylebot@openai.com>
>>
>> Tell you stupid agent to grab the correct branch.
>>
>> All it's doing is just a worse version of the existing check in for-next
>> tree.
>>
>>> ---
>>> fs/btrfs/tree-checker.c | 38 ++++++++++++++++++++++++++++++++++++++
>>> 1 file changed, 38 insertions(+)
>>>
>>> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
>>> index 1f15d0793a9c..fb072045ca18 100644
>>> --- a/fs/btrfs/tree-checker.c
>>> +++ b/fs/btrfs/tree-checker.c
>>> @@ -1915,6 +1915,40 @@ static int check_inode_extref(struct extent_buffer *leaf,
>>> return 0;
>>> }
>>>
>>> +static int check_root_ref(struct extent_buffer *leaf, int slot)
>>> +{
>>> + struct btrfs_root_ref *rref;
>>> + const u32 item_size = btrfs_item_size(leaf, slot);
>>> + u32 expect_size;
>>> + u16 name_len;
>>> +
>>> + if (unlikely(item_size < sizeof(*rref))) {
>>> + generic_err(leaf, slot,
>>> + "invalid root ref item size, have %u expect >= %zu",
>>> + item_size, sizeof(*rref));
>>> + return -EUCLEAN;
>>> + }
>>
>> Your stupid agent doesn't reject name_len == 0 case, meanwhile the
>> for-next one does.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-11 23:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-11 21:24 [PATCH] btrfs: validate root ref item size and name length Kyle Zeng
2026-06-11 22:56 ` Qu Wenruo
2026-06-11 23:09 ` Kyle Zeng
2026-06-11 23:13 ` Qu Wenruo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox