From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Subject: [PATCH v2 2/4] btrfs-progs: print-tree: do sanity checks for dir items
Date: Wed, 5 Jun 2024 09:13:42 +0930 [thread overview]
Message-ID: <817cdc0c65b00491a78d7f47efddffa1f76ab087.1717544015.git.wqu@suse.com> (raw)
In-Reply-To: <cover.1717544015.git.wqu@suse.com>
There is a bug report that with UBSAN enabled, fuzz/006 test case would
crash.
It turns out that the image bko-154021-invalid-drop-level.raw has
invalid dir items, that the name/data len is beyond the item.
And if we try to read beyond the eb boundary, UBSAN got triggered.
Normally in kernel tree-checker would reject such metadata in the first
place, but in btrfs-progs we can not go that strict or we can not do a
lot of repair.
So here just enhance print_dir_item() to do extra sanity checks for
data/name len before reading the contents.
Issue: #805
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
kernel-shared/print-tree.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel-shared/print-tree.c b/kernel-shared/print-tree.c
index 1b9386d87a0a..9a72ba39b426 100644
--- a/kernel-shared/print-tree.c
+++ b/kernel-shared/print-tree.c
@@ -78,6 +78,11 @@ static void print_dir_item(struct extent_buffer *eb, u32 size,
printf("\n");
name_len = btrfs_dir_name_len(eb, di);
data_len = btrfs_dir_data_len(eb, di);
+ if (data_len + name_len + cur > size) {
+ error("invalid length, cur=%u name_len=%u data_len=%u size=%u\n",
+ cur, name_len, data_len, size);
+ break;
+ }
len = (name_len <= sizeof(namebuf))? name_len: sizeof(namebuf);
printf("\t\ttransid %llu data_len %u name_len %u\n",
btrfs_dir_transid(eb, di),
--
2.45.2
next prev parent reply other threads:[~2024-06-04 23:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-04 23:43 [PATCH v2 0/4] btrfs-progs: small bug fixes Qu Wenruo
2024-06-04 23:43 ` [PATCH v2 1/4] btrfs-progs: corrupt-block: fix memory leak in debug_corrupt_sector() Qu Wenruo
2024-06-04 23:43 ` Qu Wenruo [this message]
2024-06-04 23:43 ` [PATCH v2 3/4] btrfs-progs: error out immediately if an unknown backref type is hit Qu Wenruo
2024-06-04 23:43 ` [PATCH v2 4/4] btrfs-progs: fix misc/038 test cases Qu Wenruo
2024-06-05 17:57 ` [PATCH v2 0/4] btrfs-progs: small bug fixes David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=817cdc0c65b00491a78d7f47efddffa1f76ab087.1717544015.git.wqu@suse.com \
--to=wqu@suse.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox