Date: Tue, 3 Mar 2015 10:35:53 -0500
From: Chris Mason
Subject: Re: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
To: Quentin Casasnovas
CC: Mark Fasheh, David Sterba
Message-ID: <1425396953.29552.3@mail.thefacebook.com>
In-Reply-To: <1425396698-31009-1-git-send-email-quentin.casasnovas@oracle.com>
References: <1425396236.29552.2@mail.thefacebook.com> <1425396698-31009-1-git-send-email-quentin.casasnovas@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 3, 2015 at 10:31 AM, Quentin Casasnovas wrote:
> Improper arithmetics when calculating the address of the extended ref
> could
> lead to an out of bounds memory read and kernel panic.
>
> Signed-off-by: Quentin Casasnovas
> --- > fs/btrfs/tree-log.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c > index 9a37f8b..c5b8ba3 100644 > --- fs/btrfs/tree-log.c > +++ fs/btrfs/tree-log.c
> @@ -1012,7 +1012,7 @@ again: > base = btrfs_item_ptr_offset(leaf, path->slots[0]); > > while (cur_offset < item_size) { > - extref = (struct btrfs_inode_extref *)base + cur_offset; > + extref = (struct btrfs_inode_extref *)(base + cur_offset); > > victim_name_len = btrfs_inode_extref_name_len(leaf, extref); >

Thanks, this goes back to 3.7+ (Mark's original extref code). I'll tag for stable and add Dave's reviewed by:

Reviewed-by: David Sterba

-chris
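Review bot: The changelog does not say what was wrong with the expression on the removed line in the while loop, and it should, because the two lines differ only by a pair of parentheses. The cast binds tighter than the addition, so (struct btrfs_inode_extref *)base + cur_offset is pointer arithmetic that advances by cur_offset * sizeof(struct btrfs_inode_extref) bytes instead of cur_offset bytes. The two forms agree while cur_offset is 0, so the bad address only appears from the second extref in an item onward, which is worth stating since it explains why the read goes out of bounds only for items holding more than one extended ref. A sentence to that effect in the commit message, plus the affected range for the stable tag, would make the fix easier to backport and to audit for the same pattern elsewhere.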