From: Qu Wenruo <wqu@suse.com>
To: u-boot@lists.denx.de
Cc: marek.behun@nic.cz, linux-btrfs@vger.kernel.org,
jnhuang95@gmail.com, linux-erofs@lists.ozlabs.org,
trini@konsulko.com, joaomarcos.costa@bootlin.com,
thomas.petazzoni@bootlin.com, miquel.raynal@bootlin.com
Subject: [PATCH 3/8] fs: btrfs: fix a crash if specified range is beyond file size
Date: Wed, 29 Jun 2022 19:38:24 +0800
Message-ID: <94e08500aa3de95b3516be452b98c46e79fa6621.1656502685.git.wqu@suse.com>
In-Reply-To: <cover.1656502685.git.wqu@suse.com>
[BUG]
When trying to read a range beyond file size, btrfs driver will cause
crash/segfault:
=> load host 0 $kernel_addr_r 5k_file 0 0x2000
SEGFAULT
[CAUSE]
In btrfs_read(), if @len is 0, we will truncate it to file end, but if
file end is beyond our file size, this truncation will underflow @len,
making it -3K in this case.
And later that @len is used to memzero the output buffer, resulting in the
above crash.
[FIX]
Just error out if @offset is already beyond our file size.
Now it will fail properly with correct error message:
=> load host 0 $kernel_addr_r 5m_origin 0 0x2000
BTRFS: Read range beyond file size, offset 8192 file size 5120
Failed to load '5m_origin'
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
fs/btrfs/btrfs.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/btrfs/btrfs.c b/fs/btrfs/btrfs.c
index 9145727058d4..bf9e1f2f17cf 100644
--- a/fs/btrfs/btrfs.c
+++ b/fs/btrfs/btrfs.c
@@ -252,6 +252,12 @@ int btrfs_read(const char *file, void *buf, loff_t offset, loff_t len,
return ret;
}
+ if (offset >= real_size) {
+ error("Read range beyond file size, offset %llu file size %llu",
+ offset, real_size);
+ return -EINVAL;
+ }
+
/*
* If the length is 0 (meaning read the whole file) or the range is
* beyond file size, truncate it to the end of the file.
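Review bot: the new check uses `offset >= real_size`, so a read at offset 0 of a zero-length file (where `real_size` is 0) now returns -EINVAL instead of succeeding with nothing read, and the "beyond file size" message is also printed when the offset is exactly equal to the file size. If empty files should stay loadable, use `offset > real_size` or exempt the `real_size == 0` case. Separately, `offset` is declared `loff_t` in the function signature, which is a signed type, but it is printed with `%llu`, and a negative offset is not rejected by this check; consider testing `offset < 0` in the same place and matching the format specifier to the type. The comment kept just below still says a range beyond file size is truncated, which after this change applies only to the length, so it is worth rewording.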
--
2.36.1
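The underflow described under [CAUSE], as an added example that is not part of the patch or of U-Boot's code: a stand-alone C model run on the reported case (file size 5120, offset 0x2000, length 0). The function names and the use of int64_t in place of loff_t are assumptions; the checked variant mirrors the patch's `offset >= real_size` condition and also rejects negative inputs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the truncation with no check on the offset. */
static int64_t unchecked_len(int64_t offset, int64_t len, int64_t size)
{
	/* len == 0 means "read to end of file"; oversized ranges are cut. */
	if (len == 0 || len > size - offset)
		len = size - offset;	/* negative once offset > size */
	return len;
}

/*
 * Checked variant: validate the range before clamping.
 * Returns the clamped length (>= 1) or -EINVAL.
 */
static int64_t checked_len(int64_t offset, int64_t len, int64_t size)
{
	int64_t remaining;

	if (offset < 0 || len < 0 || size < 0)
		return -EINVAL;
	if (offset >= size)		/* same condition as the patch */
		return -EINVAL;

	/* Compare against the remainder so offset + len cannot overflow. */
	remaining = size - offset;
	if (len == 0 || len > remaining)
		len = remaining;
	return len;
}

int main(void)
{
	/* Constructed inputs taken from the report: 5120-byte file, pos 0x2000. */
	int64_t bad = unchecked_len(0x2000, 0, 5120);

	printf("unchecked: len=%lld, as size_t=%zu\n",
	       (long long)bad, (size_t)bad);
	printf("checked:   ret=%lld\n",
	       (long long)checked_len(0x2000, 0, 5120));
	printf("in range:  len=%lld\n",
	       (long long)checked_len(4096, 0x2000, 5120));
	return 0;
}
```

The negative length becomes a very large size_t when it is handed to a memset-style call, which is the crash the report shows.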
Thread overview: 13+ messages
2022-06-29 11:38 [PATCH 0/8] U-boot: fs: add generic unaligned read offset handling Qu Wenruo
2022-06-29 11:38 ` [PATCH 1/8] fs: fat: unexport file_fat_read_at() Qu Wenruo
2022-07-25 22:28 ` Tom Rini
2022-07-26 1:35 ` Qu Wenruo
2022-07-26 2:12 ` Tom Rini
2022-06-29 11:38 ` [PATCH 2/8] fs: btrfs: fix a bug which no data get read if the length is not 0 Qu Wenruo
2022-06-29 11:38 ` Qu Wenruo [this message]
2022-06-29 11:38 ` [PATCH 4/8] fs: btrfs: move the unaligned read code to _fs_read() for btrfs Qu Wenruo
2022-06-29 11:38 ` [PATCH 5/8] fs: ext4: rely on _fs_read() to handle leading unaligned block read Qu Wenruo
2022-06-29 11:38 ` [PATCH 6/8] fs: fat: rely on higher layer to get block aligned read range Qu Wenruo
2022-06-29 11:38 ` [PATCH 7/8] fs: ubifs: rely on higher layer to do unaligned read Qu Wenruo
2022-06-29 11:38 ` [PATCH 8/8] fs: erofs: add unaligned read range handling Qu Wenruo
2022-06-30 12:21 ` Huang Jianan