From: Sasha Levin
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
CC: Nikolay Borisov, David Sterba, Sasha Levin
Subject: [PATCH AUTOSEL for 4.15 062/189] btrfs: Fix out of bounds access in btrfs_search_slot
Date: Mon, 9 Apr 2018 00:17:34 +0000
Message-ID: <20180409001637.162453-62-alexander.levin@microsoft.com>
References: <20180409001637.162453-1-alexander.levin@microsoft.com>
In-Reply-To: <20180409001637.162453-1-alexander.levin@microsoft.com>
From: Nikolay Borisov

[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ]

When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then the level variable is going to be 7 (this is the max height of the tree). On the other hand btrfs_cow_block is always called with "level + 1" as an index into the nodes and slots arrays. This leads to an out of bounds access. Admittedly this will be benign since an OOB access of the nodes array will likely read the 0th element from the slots array, which in this case is going to be 0 (since we start CoW at the top of the tree). The OOB access into the slots array in turn will read the 0th and 1st values of the locks array, which would both be 0 at the time. However, this benign behavior relies on the fact that the path being passed hasn't been initialised; if it has already been used to query a btree then it could potentially have populated the nodes/slots arrays.

Fix it by explicitly checking if we are at level 7 (the maximum allowed index in nodes/slots arrays) and explicitly call the CoW routine with NULL for parent's node/slot.

Signed-off-by: Nikolay Borisov
Fixes-coverity-id: 711515
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin
---
 fs/btrfs/ctree.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index 1e74cf826532..5361f69433a3 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -2774,6 +2774,8 @@ again: * contention with the cow code */ if (cow) { + bool last_level =3D (level =3D=3D (BTRFS_MAX_LEVEL - 1)); + /* * if we don't really need to cow this block * then we don't want to set the path blocking, @@ -2798,9 +2800,13 @@ again: } =20 btrfs_set_path_blocking(p); - err =3D btrfs_cow_block(trans, root, b, - p->nodes[level + 1], - p->slots[level + 1], &b); + if (last_level) + err =3D btrfs_cow_block(trans, root, b, NULL, 0, + &b); + else + err =3D btrfs_cow_block(trans, root, b, + p->nodes[level + 1], + p->slots[level + 1], &b); if (err) { ret =3D err; goto done; --=20 2.15.1
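Review bot: the new `last_level` flag introduced at the top of the `if (cow)` block in the first hunk carries no comment explaining why it exists; a reader of the code sees `level == (BTRFS_MAX_LEVEL - 1)` without the reason given in the commit message, namely that `level + 1` would then equal BTRFS_MAX_LEVEL and index one past the end of p->nodes[] and p->slots[]. Suggest a one-line comment beside the declaration, along the lines of `/* root is at the top level: nodes[level + 1] would be out of bounds */`, so the bound does not have to be recovered from git history.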
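Review bot: the `if (last_level) ... else ...` in the second hunk duplicates the six-argument btrfs_cow_block call, and the `NULL, 0,` / `&b);` split across two lines makes the two branches hard to compare by eye. Consider selecting the parent and slot first and keeping a single call: `parent = last_level ? NULL : p->nodes[level + 1];` / `pslot = last_level ? 0 : p->slots[level + 1];` / `err = btrfs_cow_block(trans, root, b, parent, pslot, &b);`. Either way, the NULL branch relies on btrfs_cow_block tolerating a NULL parent, which the commit message asserts but nothing in the hunk records; a short comment at the call would make that contract visible where it is used.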
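As an added example (not kernel code and not part of this patch), the following toy model of the path layout the commit message describes, nodes[] followed by slots[] followed by locks[], uses offsetof to check where the unchecked nodes[level + 1] and slots[level + 1] reads land at level 7, and pairs that with a guarded parent selection that mirrors the fix. The struct toy_path and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define BTRFS_MAX_LEVEL 8   /* valid levels are 0..7, as the commit message says */

/* Toy stand-in for the path struct, laid out in the order the commit message
 * describes (nodes, then slots, then locks). Assumed layout, not kernel code. */
struct toy_path {
    void *nodes[BTRFS_MAX_LEVEL];
    int slots[BTRFS_MAX_LEVEL];
    uint8_t locks[BTRFS_MAX_LEVEL];
};

/* 1 if the unchecked p->nodes[level + 1] read lands inside slots[]
 * (the aliasing the commit message calls benign). */
static int node_index_hits_slots(int level)
{
    size_t off = offsetof(struct toy_path, nodes) + (size_t)(level + 1) * sizeof(void *);
    return off >= offsetof(struct toy_path, slots) && off < offsetof(struct toy_path, locks);
}

/* 1 if the unchecked p->slots[level + 1] read lands inside locks[]. */
static int slot_index_hits_locks(int level)
{
    size_t off = offsetof(struct toy_path, slots) + (size_t)(level + 1) * sizeof(int);
    return off >= offsetof(struct toy_path, locks) && off < sizeof(struct toy_path);
}

/* Guarded parent selection mirroring the fix: at the top level there is no
 * parent, so hand back NULL/0 instead of indexing past the arrays.
 * Returns 0 on success, -1 for a level outside 0..BTRFS_MAX_LEVEL-1. */
static int parent_args(const struct toy_path *p, int level, void **parent, int *pslot)
{
    if (level < 0 || level >= BTRFS_MAX_LEVEL)
        return -1;
    if (level == BTRFS_MAX_LEVEL - 1) {
        *parent = NULL;
        *pslot = 0;
        return 0;
    }
    *parent = p->nodes[level + 1];
    *pslot = p->slots[level + 1];
    return 0;
}
```

With this layout node_index_hits_slots(7) reports that the nodes[8] read coincides with slots[0] and slot_index_hits_locks(7) that slots[8] coincides with the start of locks[], which is the aliasing the commit message relies on when it calls the old behaviour benign.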