Linux XFS filesystem development
 help / color / mirror / Atom feed
* [PATCH] mdrestore: fix extent length overflow in v2 restore path
@ 2026-07-09 10:39 Manognya Singuru
  2026-07-09 14:33 ` Darrick J. Wong
  0 siblings, 1 reply; 3+ messages in thread
From: Manognya Singuru @ 2026-07-09 10:39 UTC (permalink / raw)
  To: linux-xfs; +Cc: aalbersh, Manognya Singuru

Aisle Research reported that a crafted metadump v2 extent
length can overflow the signed int used for length,
leading to incorrect size calculations and a
potential heap buffer over-read in restore_meta_extent().

Change the length type to uint64_t and ensure all size
arithmetic in 64-bit before converting to size_t for I/O
calls.

Signed-off-by: Manognya Singuru <msinguru@redhat.com>
---
 mdrestore/xfs_mdrestore.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/mdrestore/xfs_mdrestore.c b/mdrestore/xfs_mdrestore.c
index f10c4bef..9c7f77e0 100644
--- a/mdrestore/xfs_mdrestore.c
+++ b/mdrestore/xfs_mdrestore.c
@@ -395,11 +395,9 @@ restore_meta_extent(
 	char		*device,
 	void		*buf,
 	uint64_t	offset,
-	int		len)
+	uint64_t		len)
 {
-	int		io_size;
-
-	io_size = min(len, MDR_IO_BUF_SIZE);
+	size_t io_size = min(len, MDR_IO_BUF_SIZE);
 
 	do {
 		if (fread(buf, io_size, 1, md_fp) != 1)
@@ -428,7 +426,7 @@ restore_v2(
 	int64_t			mb_read = 0;
 	int64_t			bytes_read;
 	uint64_t		offset;
-	int			len;
+	uint64_t			len;
 
 	block_buffer = malloc(MDR_IO_BUF_SIZE);
 	if (block_buffer == NULL)
@@ -442,7 +440,7 @@ restore_v2(
 			XME_ADDR_DATA_DEVICE)
 		fatal("Invalid superblock disk address/length\n");
 
-	len = BBTOB(be32_to_cpu(xme.xme_len));
+	len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len));
 
 	if (fread(block_buffer, len, 1, md_fp) != 1)
 		fatal("error reading from metadump file\n");
@@ -503,7 +501,7 @@ restore_v2(
 			break;
 		}
 
-		len = BBTOB(be32_to_cpu(xme.xme_len));
+		len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len));
 
 		restore_meta_extent(md_fp, fd, device, block_buffer, offset,
 				len);
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] mdrestore: fix extent length overflow in v2 restore path
  2026-07-09 10:39 [PATCH] mdrestore: fix extent length overflow in v2 restore path Manognya Singuru
@ 2026-07-09 14:33 ` Darrick J. Wong
  2026-07-13  6:20   ` Manognya Singuru
  0 siblings, 1 reply; 3+ messages in thread
From: Darrick J. Wong @ 2026-07-09 14:33 UTC (permalink / raw)
  To: Manognya Singuru; +Cc: linux-xfs, aalbersh

On Thu, Jul 09, 2026 at 04:09:15PM +0530, Manognya Singuru wrote:
> Aisle Research reported that a crafted metadump v2 extent
> length can overflow the signed int used for length,
> leading to incorrect size calculations and a
> potential heap buffer over-read in restore_meta_extent().
> 
> Change the length type to uint64_t and ensure all size
> arithmetic in 64-bit before converting to size_t for I/O
> calls.
> 
> Signed-off-by: Manognya Singuru <msinguru@redhat.com>
> ---
>  mdrestore/xfs_mdrestore.c | 12 +++++-------
>  1 file changed, 5 insertions(+), 7 deletions(-)
> 
> diff --git a/mdrestore/xfs_mdrestore.c b/mdrestore/xfs_mdrestore.c
> index f10c4bef..9c7f77e0 100644
> --- a/mdrestore/xfs_mdrestore.c
> +++ b/mdrestore/xfs_mdrestore.c
> @@ -395,11 +395,9 @@ restore_meta_extent(
>  	char		*device,
>  	void		*buf,
>  	uint64_t	offset,
> -	int		len)
> +	uint64_t		len)

Please make the indentation consistent with the existing code here and
elsewhere in the patch.

>  {
> -	int		io_size;
> -
> -	io_size = min(len, MDR_IO_BUF_SIZE);
> +	size_t io_size = min(len, MDR_IO_BUF_SIZE);
>  
>  	do {
>  		if (fread(buf, io_size, 1, md_fp) != 1)
> @@ -428,7 +426,7 @@ restore_v2(
>  	int64_t			mb_read = 0;
>  	int64_t			bytes_read;
>  	uint64_t		offset;
> -	int			len;
> +	uint64_t			len;
>  
>  	block_buffer = malloc(MDR_IO_BUF_SIZE);
>  	if (block_buffer == NULL)
> @@ -442,7 +440,7 @@ restore_v2(
>  			XME_ADDR_DATA_DEVICE)
>  		fatal("Invalid superblock disk address/length\n");
>  
> -	len = BBTOB(be32_to_cpu(xme.xme_len));
> +	len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len));

/me wonders if BBTOB ought to cast its parameter to uint64_t but this
change here avoids shift truncation if xme_len is large, so

Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>

--D

>  
>  	if (fread(block_buffer, len, 1, md_fp) != 1)
>  		fatal("error reading from metadump file\n");
> @@ -503,7 +501,7 @@ restore_v2(
>  			break;
>  		}
>  
> -		len = BBTOB(be32_to_cpu(xme.xme_len));
> +		len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len));
>  
>  		restore_meta_extent(md_fp, fd, device, block_buffer, offset,
>  				len);
> -- 
> 2.54.0
> 
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] mdrestore: fix extent length overflow in v2 restore path
  2026-07-09 14:33 ` Darrick J. Wong
@ 2026-07-13  6:20   ` Manognya Singuru
  0 siblings, 0 replies; 3+ messages in thread
From: Manognya Singuru @ 2026-07-13  6:20 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: linux-xfs, aalbersh

On Thu, Jul 9, 2026 at 8:11 PM Darrick J. Wong <djwong@kernel.org> wrote:
>
> On Thu, Jul 09, 2026 at 04:09:15PM +0530, Manognya Singuru wrote:
> > Aisle Research reported that a crafted metadump v2 extent
> > length can overflow the signed int used for length,
> > leading to incorrect size calculations and a
> > potential heap buffer over-read in restore_meta_extent().
> >
> > Change the length type to uint64_t and ensure all size
> > arithmetic in 64-bit before converting to size_t for I/O
> > calls.
> >
> > Signed-off-by: Manognya Singuru <msinguru@redhat.com>
> > ---
> >  mdrestore/xfs_mdrestore.c | 12 +++++-------
> >  1 file changed, 5 insertions(+), 7 deletions(-)
> >
> > diff --git a/mdrestore/xfs_mdrestore.c b/mdrestore/xfs_mdrestore.c
> > index f10c4bef..9c7f77e0 100644
> > --- a/mdrestore/xfs_mdrestore.c
> > +++ b/mdrestore/xfs_mdrestore.c
> > @@ -395,11 +395,9 @@ restore_meta_extent(
> >       char            *device,
> >       void            *buf,
> >       uint64_t        offset,
> > -     int             len)
> > +     uint64_t                len)
>
> Please make the indentation consistent with the existing code here and
> elsewhere in the patch.
>

Sure, I have made the indentation consistent and sent PATCH v2.

> >  {
> > -     int             io_size;
> > -
> > -     io_size = min(len, MDR_IO_BUF_SIZE);
> > +     size_t io_size = min(len, MDR_IO_BUF_SIZE);
> >
> >       do {
> >               if (fread(buf, io_size, 1, md_fp) != 1)
> > @@ -428,7 +426,7 @@ restore_v2(
> >       int64_t                 mb_read = 0;
> >       int64_t                 bytes_read;
> >       uint64_t                offset;
> > -     int                     len;
> > +     uint64_t                        len;
> >
> >       block_buffer = malloc(MDR_IO_BUF_SIZE);
> >       if (block_buffer == NULL)
> > @@ -442,7 +440,7 @@ restore_v2(
> >                       XME_ADDR_DATA_DEVICE)
> >               fatal("Invalid superblock disk address/length\n");
> >
> > -     len = BBTOB(be32_to_cpu(xme.xme_len));
> > +     len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len));
>
> /me wonders if BBTOB ought to cast its parameter to uint64_t but this
> change here avoids shift truncation if xme_len is large, so
>

Yes, my thinking was that casting to uint64_t would force BBTOB() to
perform the shift in 64-bit arithmetic and avoid shift truncation.


> Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
>
> --D
>
> >
> >       if (fread(block_buffer, len, 1, md_fp) != 1)
> >               fatal("error reading from metadump file\n");
> > @@ -503,7 +501,7 @@ restore_v2(
> >                       break;
> >               }
> >
> > -             len = BBTOB(be32_to_cpu(xme.xme_len));
> > +             len = BBTOB((uint64_t)be32_to_cpu(xme.xme_len));
> >
> >               restore_meta_extent(md_fp, fd, device, block_buffer, offset,
> >                               len);
> > --
> > 2.54.0
> >
> >
>


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-07-13  6:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-09 10:39 [PATCH] mdrestore: fix extent length overflow in v2 restore path Manognya Singuru
2026-07-09 14:33 ` Darrick J. Wong
2026-07-13  6:20   ` Manognya Singuru

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox