From: Sasha Levin
To: "stable@vger.kernel.org", "linux-kernel@vger.kernel.org"
CC: Nikolay Borisov, David Sterba, Sasha Levin
Subject: [PATCH AUTOSEL for 4.9 238/293] btrfs: Fix out of bounds access in btrfs_search_slot
Date: Mon, 9 Apr 2018 00:25:58 +0000
Message-ID: <20180409002239.163177-238-alexander.levin@microsoft.com>
References: <20180409002239.163177-1-alexander.levin@microsoft.com>
In-Reply-To: <20180409002239.163177-1-alexander.levin@microsoft.com>
From: Nikolay Borisov

[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ]

When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then the level variable is going to be 7 (this is the max height of the tree). On the other hand btrfs_cow_block is always called with "level + 1" as an index into the nodes and slots arrays. This leads to an out of bounds access. Admittedly this will be benign since an OOB access of the nodes array will likely read the 0th element from the slots array, which in this case is going to be 0 (since we start CoW at the top of the tree). The OOB access into the slots array in turn will read the 0th and 1st values of the locks array, which would both be 0 at the time. However, this benign behavior relies on the fact that the path being passed hasn't been initialised, if it has already been used to query a btree then it could potentially have populated the nodes/slots arrays.

Fix it by explicitly checking if we are at level 7 (the maximum allowed index in nodes/slots arrays) and explicitly call the CoW routine with NULL for parent's node/slot.

Signed-off-by: Nikolay Borisov
Fixes-coverity-id: 711515
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin
---
 fs/btrfs/ctree.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index f6ba165d3f81..f22ffc6793cd 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -2760,6 +2760,8 @@ again: * contention with the cow code */ if (cow) { + bool last_level =3D (level =3D=3D (BTRFS_MAX_LEVEL - 1)); + /* * if we don't really need to cow this block * then we don't want to set the path blocking, @@ -2784,9 +2786,13 @@ again: } =20 btrfs_set_path_blocking(p); - err =3D btrfs_cow_block(trans, root, b, - p->nodes[level + 1], - p->slots[level + 1], &b); + if (last_level) + err =3D btrfs_cow_block(trans, root, b, NULL, 0, + &b); + else + err =3D btrfs_cow_block(trans, root, b, + p->nodes[level + 1], + p->slots[level + 1], &b); if (err) { ret =3D err; goto done; --=20 2.15.1
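Review bot: The `if (last_level)` branch in the second hunk removes the nodes[8]/slots[8] read but leaves the reason undocumented in the code; a one-line comment above it saying that a block at BTRFS_MAX_LEVEL - 1 has no parent entry in p->nodes/p->slots (index level + 1 would be one past the end) would spare the next reader a trip to the commit message. It is also worth confirming that `level` is not reassigned between the `bool last_level = (level == (BTRFS_MAX_LEVEL - 1));` declaration in the first hunk and its use after `btrfs_set_path_blocking(p);` in the second; if it can be, the cached boolean goes stale and an inline `level == BTRFS_MAX_LEVEL - 1` test at the call site would be the safer form.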
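As an added illustration of the guard the commit message describes (this is not code from the patch or from btrfs), the model below keeps one parent entry per tree level and hands back NULL/0 for a block at the top level instead of reading index level + 1; the path_model struct, the fill_path data and the parent_id_for helper are constructed for this example.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed model of the btrfs path: one nodes/slots entry per tree level,
 * so a block at level BTRFS_MAX_LEVEL - 1 has no parent entry at level + 1. */
#define BTRFS_MAX_LEVEL 8

struct node { int id; };
struct path_model {
	struct node *nodes[BTRFS_MAX_LEVEL];
	int slots[BTRFS_MAX_LEVEL];
};

/* Parent node/slot to hand to the CoW routine for the block at `level`.
 * Mirrors the fix: at the last level report NULL/0 instead of reading
 * nodes[level + 1]; a level that is itself out of range is rejected. */
int path_parent(const struct path_model *p, int level,
		struct node **parent, int *slot)
{
	if (level < 0 || level >= BTRFS_MAX_LEVEL)
		return -EINVAL;
	if (level == BTRFS_MAX_LEVEL - 1) {
		*parent = NULL;
		*slot = 0;
		return 0;
	}
	*parent = p->nodes[level + 1];
	*slot = p->slots[level + 1];
	return 0;
}

/* Constructed path already used for a query: every level populated, the
 * case the commit message names as the one where a stray read is not benign. */
static struct node pool[BTRFS_MAX_LEVEL];
static void fill_path(struct path_model *p)
{
	for (int i = 0; i < BTRFS_MAX_LEVEL; i++) {
		pool[i].id = i;
		p->nodes[i] = &pool[i];
		p->slots[i] = 10 * i;
	}
}

/* Check helper: parent id for a block at `level` (-1 no parent, -2 error). */
int parent_id_for(int level)
{
	struct path_model p; struct node *n = NULL; int s = 0;
	fill_path(&p);
	if (path_parent(&p, level, &n, &s) != 0) return -2;
	return n ? n->id : -1;
}
```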