2024-03-19 17:08:24

by Maximilian Heyne

Subject: [PATCH 4.19 5.4 5.15] btrfs: defrag: fix memory leak in btrfs_ioctl_defrag

Prior to commit c853a5783ebe ("btrfs: allocate
btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap
and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject
unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of
this when it was backported to kernel < 5.15.

Add a kfree on the error path for stable kernels that lack
commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on
stack").

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 173431b274a9 ("btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args")
CC: [email protected]
Signed-off-by: Maximilian Heyne <[email protected]>
---
fs/btrfs/ioctl.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 049b837934e5..adc6c4f2b53c 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3195,6 +3195,7 @@ static int btrfs_ioctl_defrag(struct file *file, void __user *argp)
}
if (range->flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) {
ret = -EOPNOTSUPP;
+ kfree(range);
goto out;
}
/* compression requires us to start the IO */
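Review bot: The `kfree(range)` added in the `-EOPNOTSUPP` branch is open-coded ahead of `goto out`, so the `out` label evidently does not release `range`, and any other early exit placed between the allocation and the normal free has to repeat the same call or leak again. The change is correct for this branch, but a dedicated cleanup label that frees `range`, or a backport of c853a5783ebe so that the struct lives on the stack and nothing needs freeing, would remove the pattern rather than patch one instance of it. Separately, the subject tag lists 5.15 while the commit message says the leak exists only in kernels < 5.15; the target list should be made consistent with the text.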
--
2.40.1




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879





2024-03-19 19:04:40

by David Sterba

Subject: Re: [PATCH 4.19 5.4 5.15] btrfs: defrag: fix memory leak in btrfs_ioctl_defrag

On Tue, Mar 19, 2024 at 05:00:55PM +0000, Maximilian Heyne wrote:
> Prior to commit c853a5783ebe ("btrfs: allocate
> btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap
> and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject
> unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of
> this when it was backported to kernel < 5.15.
>
> Add a kfree on the error path for stable kernels that lack
> commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on
> stack").
>
> This bug was discovered and resolved using Coverity Static Analysis
> Security Testing (SAST) by Synopsys, Inc.

Good catch, thanks.

The affected versions are as you say 4.19, 5.4, 5.15, the fixup is
sufficient and minimal fix, c853a5783ebe is reasonably safe for backport
too.

2024-03-20 09:28:01

by Maximilian Heyne

Subject: Re: [PATCH 4.19 5.4 5.15] btrfs: defrag: fix memory leak in btrfs_ioctl_defrag

On Tue, Mar 19, 2024 at 07:57:11PM +0100, David Sterba wrote:
>
> On Tue, Mar 19, 2024 at 05:00:55PM +0000, Maximilian Heyne wrote:
> > Prior to commit c853a5783ebe ("btrfs: allocate
> > btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap
> > and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject
> > unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of
> > this when it was backported to kernel < 5.15.
> >
> > Add a kfree on the error path for stable kernels that lack
> > commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on
> > stack").
> >
> > This bug was discovered and resolved using Coverity Static Analysis
> > Security Testing (SAST) by Synopsys, Inc.
>
> Good catch, thanks.
>
> The affected versions are as you say 4.19, 5.4, 5.15, the fixup is

I had a typo. Should go to 5.10 because c853a5783ebe is already in 5.15.

> sufficient and minimal fix, c853a5783ebe is reasonably safe for backport
> too.

I think you're right. To avoid divergence it might be better to simply
backport c853a5783ebe. Let me send this out.


