* [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
@ 2015-02-26 16:00 Quentin Casasnovas
2015-03-03 14:38 ` David Sterba
0 siblings, 1 reply; 5+ messages in thread
From: Quentin Casasnovas @ 2015-02-26 16:00 UTC (permalink / raw)
To: Mark Fasheh; +Cc: Quentin Casasnovas, lkml
Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
---
fs/btrfs/tree-log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c
index 9a37f8b..c5b8ba3 100644
--- fs/btrfs/tree-log.c
+++ fs/btrfs/tree-log.c
@@ -1012,7 +1012,7 @@ again:
base = btrfs_item_ptr_offset(leaf, path->slots[0]);
while (cur_offset < item_size) {
- extref = (struct btrfs_inode_extref *)base + cur_offset;
+ extref = (struct btrfs_inode_extref *)(base + cur_offset);
victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
--
2.0.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
2015-02-26 16:00 [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Quentin Casasnovas
@ 2015-03-03 14:38 ` David Sterba
2015-03-03 15:23 ` Chris Mason
0 siblings, 1 reply; 5+ messages in thread
From: David Sterba @ 2015-03-03 14:38 UTC (permalink / raw)
To: Quentin Casasnovas; +Cc: Mark Fasheh, lkml, linux-btrfs
Adding linux-btrfs to CC
On Thu, Feb 26, 2015 at 05:00:37PM +0100, Quentin Casasnovas wrote:
> Improper arithmetics when calculting the address of the extended ref could
> lead to an out of bounds memory read and kernel panic.
>
> Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Good catch.
CC: <stable@vger.kernel.org>
Reviewed-by: David Sterba <dsterba@suse.cz>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
2015-03-03 14:38 ` David Sterba
@ 2015-03-03 15:23 ` Chris Mason
2015-03-03 15:31 ` Quentin Casasnovas
0 siblings, 1 reply; 5+ messages in thread
From: Chris Mason @ 2015-03-03 15:23 UTC (permalink / raw)
To: dsterba; +Cc: Quentin Casasnovas, Mark Fasheh, lkml, linux-btrfs
On Tue, Mar 3, 2015 at 9:38 AM, David Sterba <dsterba@suse.cz> wrote:
> Adding linux-btrfs to CC
>
> On Thu, Feb 26, 2015 at 05:00:37PM +0100, Quentin Casasnovas wrote:
>> Improper arithmetics when calculting the address of the extended
>> ref could
>> lead to an out of bounds memory read and kernel panic.
>>
>> Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
>
> Good catch.
Thanks Quentin, can you please bounce the patch to linux-btrfs so it'll
be in patchwork?
-chris
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
2015-03-03 15:23 ` Chris Mason
@ 2015-03-03 15:31 ` Quentin Casasnovas
2015-03-03 15:35 ` Chris Mason
0 siblings, 1 reply; 5+ messages in thread
From: Quentin Casasnovas @ 2015-03-03 15:31 UTC (permalink / raw)
To: linux-btrfs
Cc: linux-kernel, Mark Fasheh, Chris Mason, David Sterba,
Quentin Casasnovas
Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
---
fs/btrfs/tree-log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c
index 9a37f8b..c5b8ba3 100644
--- fs/btrfs/tree-log.c
+++ fs/btrfs/tree-log.c
@@ -1012,7 +1012,7 @@ again:
base = btrfs_item_ptr_offset(leaf, path->slots[0]);
while (cur_offset < item_size) {
- extref = (struct btrfs_inode_extref *)base + cur_offset;
+ extref = (struct btrfs_inode_extref *)(base + cur_offset);
victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
--
2.0.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
2015-03-03 15:31 ` Quentin Casasnovas
@ 2015-03-03 15:35 ` Chris Mason
0 siblings, 0 replies; 5+ messages in thread
From: Chris Mason @ 2015-03-03 15:35 UTC (permalink / raw)
To: Quentin Casasnovas; +Cc: linux-btrfs, linux-kernel, Mark Fasheh, David Sterba
On Tue, Mar 3, 2015 at 10:31 AM, Quentin Casasnovas
<quentin.casasnovas@oracle.com> wrote:
> Improper arithmetics when calculting the address of the extended ref
> could
> lead to an out of bounds memory read and kernel panic.
>
> Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
> ---
> fs/btrfs/tree-log.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c
> index 9a37f8b..c5b8ba3 100644
> --- fs/btrfs/tree-log.c
> +++ fs/btrfs/tree-log.c
> @@ -1012,7 +1012,7 @@ again:
> base = btrfs_item_ptr_offset(leaf, path->slots[0]);
>
> while (cur_offset < item_size) {
> - extref = (struct btrfs_inode_extref *)base + cur_offset;
> + extref = (struct btrfs_inode_extref *)(base + cur_offset);
>
> victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
>
Thanks, this goes back to 3.7+ (Mark's original extref code). I'll tag
for stable and add Dave's reviewed by:
Reviewed-by: David Sterba <dsterba@suse.cz>
-chris
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-03-03 15:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-02-26 16:00 [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Quentin Casasnovas
2015-03-03 14:38 ` David Sterba
2015-03-03 15:23 ` Chris Mason
2015-03-03 15:31 ` Quentin Casasnovas
2015-03-03 15:35 ` Chris Mason
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox