Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754306AbbBZP6v (ORCPT ); Thu, 26 Feb 2015 10:58:51 -0500 Received: from userp1040.oracle.com ([156.151.31.81]:48302 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753404AbbBZP6u (ORCPT ); Thu, 26 Feb 2015 10:58:50 -0500 From: Quentin Casasnovas To: Mark Fasheh Cc: Quentin Casasnovas , lkml Subject: [PATCH] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref. Date: Thu, 26 Feb 2015 17:00:37 +0100 Message-Id: <1424966437-29795-1-git-send-email-quentin.casasnovas@oracle.com> X-Mailer: git-send-email 2.0.5 X-Source-IP: ucsinet21.oracle.com [156.151.31.93] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 977 Lines: 29 Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas --- fs/btrfs/tree-log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c index 9a37f8b..c5b8ba3 100644 --- fs/btrfs/tree-log.c +++ fs/btrfs/tree-log.c @@ -1012,7 +1012,7 @@ again: base = btrfs_item_ptr_offset(leaf, path->slots[0]); while (cur_offset < item_size) { - extref = (struct btrfs_inode_extref *)base + cur_offset; + extref = (struct btrfs_inode_extref *)(base + cur_offset); victim_name_len = btrfs_inode_extref_name_len(leaf, extref); -- 2.0.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/