From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Nikolay Borisov <nborisov@suse.com>,
David Sterba <dsterba@suse.com>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 3.18 076/101] btrfs: Fix out of bounds access in btrfs_search_slot
Date: Mon, 9 Apr 2018 00:41:35 +0000
Message-ID: <20180409004042.164920-26-alexander.levin@microsoft.com>
In-Reply-To: <20180409004042.164920-1-alexander.levin@microsoft.com>
From: Nikolay Borisov <nborisov@suse.com>
[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ]
When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then
the level variable is going to be 7 (this is the max height of the
tree). On the other hand btrfs_cow_block is always called with
"level + 1" as an index into the nodes and slots arrays. This leads to
an out of bounds access. Admittedly this will be benign since an OOB
access of the nodes array will likely read the 0th element from the
slots array, which in this case is going to be 0 (since we start CoW at
the top of the tree). The OOB access into the slots array in turn will
read the 0th and 1st values of the locks array, which would both be 0
at the time. However, this benign behavior relies on the fact that the
path being passed hasn't been initialised; if it has already been used to
query a btree then it could potentially have populated the nodes/slots arrays.
Fix it by explicitly checking if we are at level 7 (the maximum allowed
index in nodes/slots arrays) and explicitly call the CoW routine with
NULL for parent's node/slot.
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Fixes-coverity-id: 711515
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
fs/btrfs/ctree.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index 39c68ef10808..c221d37e3ec9 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -2758,6 +2758,8 @@ again:
* contention with the cow code
*/
if (cow) {
+ bool last_level = (level == (BTRFS_MAX_LEVEL - 1));
+
/*
* if we don't really need to cow this block
* then we don't want to set the path blocking,
@@ -2782,9 +2784,13 @@ again:
}
btrfs_set_path_blocking(p);
- err = btrfs_cow_block(trans, root, b,
- p->nodes[level + 1],
- p->slots[level + 1], &b);
+ if (last_level)
+ err = btrfs_cow_block(trans, root, b, NULL, 0,
+ &b);
+ else
+ err = btrfs_cow_block(trans, root, b,
+ p->nodes[level + 1],
+ p->slots[level + 1], &b);
if (err) {
ret = err;
goto done;
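Review bot: the two `btrfs_cow_block()` calls in this hunk differ only in the parent/slot arguments, so the branch could be collapsed into a pair of locals, e.g. `struct extent_buffer *parent = last_level ? NULL : p->nodes[level + 1];` and the matching slot, feeding one call; that keeps a single call site and avoids the awkward wrap in `err = btrfs_cow_block(trans, root, b, NULL, 0,` / `&b);`. Either way, passing NULL/0 is only valid because a block at BTRFS_MAX_LEVEL - 1 is the tree root and has no parent to hand over, which the code should state in a comment on the `if (last_level)` branch rather than leave to the changelog.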
--
2.15.1
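Added example, not part of the patch or of the kernel's code: a stand-alone C model of the indexing the commit message describes. `struct path`, `struct node`, `MAX_LEVEL`, `parent_of`, `slot_at` and `parent_id_at` are constructed stand-ins for struct btrfs_path, struct extent_buffer, BTRFS_MAX_LEVEL and the patched parent lookup; the sample path is pre-populated the way a reused path would be, the case the commit says defeats the "benign" reading.

```c
#include <stddef.h>
#define MAX_LEVEL 8                   /* stands in for BTRFS_MAX_LEVEL */
struct node { int id; };              /* stands in for struct extent_buffer */
/* Constructed simplification of the kernel's path: one entry per tree level. */
struct path {
	struct node *nodes[MAX_LEVEL];
	int slots[MAX_LEVEL];
};

/* Parent node/slot of the block at `level`, as the patched code computes it:
 * the top level (MAX_LEVEL - 1) has no parent, so report NULL/0 instead of
 * indexing nodes[MAX_LEVEL]. Returns -1 if `level` itself is out of range. */
int parent_of(const struct path *p, int level, struct node **parent, int *slot)
{
	if (level < 0 || level >= MAX_LEVEL)
		return -1;
	if (level == MAX_LEVEL - 1) {     /* the patch's last_level case */
		*parent = NULL;
		*slot = 0;
		return 0;
	}
	*parent = p->nodes[level + 1];
	*slot = p->slots[level + 1];
	return 0;
}

/* Constructed sample: a path already used to walk a 3-level tree, so
 * nodes[0..2]/slots[0..2] still hold entries from that earlier lookup. */
static struct node sample[3] = { { 0 }, { 1 }, { 2 } };
static void fill_reused_path(struct path *p)
{
	*p = (struct path){ 0 };
	for (int i = 0; i < 3; i++) {
		p->nodes[i] = &sample[i];
		p->slots[i] = i + 1;
	}
}

/* Slot that would be handed to the CoW routine, or -1 for a bad level. */
int slot_at(int level)
{
	struct path p; struct node *parent; int slot;
	fill_reused_path(&p);
	return parent_of(&p, level, &parent, &slot) ? -1 : slot;
}

/* id of the parent handed to CoW: -1 for no parent, -2 for a bad level. */
int parent_id_at(int level)
{
	struct path p; struct node *parent; int slot;
	fill_reused_path(&p);
	return parent_of(&p, level, &parent, &slot) ? -2 : parent ? parent->id : -1;
}
```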