From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nikolay Borisov, David Sterba, Sasha Levin
Subject: [PATCH 3.18 022/185] btrfs: Fix out of bounds access in btrfs_search_slot
Date: Mon, 28 May 2018 12:01:03 +0200
Message-Id: <20180528100051.874462233@linuxfoundation.org>
In-Reply-To: <20180528100050.700971285@linuxfoundation.org>
References: <20180528100050.700971285@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov

[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ]

When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then the
level variable is going to be 7 (this is the max height of the tree). On
the other hand btrfs_cow_block is always called with "level + 1" as an
index into the nodes and slots arrays. This leads to an out of bounds
access. Admittedly this will be benign since an OOB access of the nodes
array will likely read the 0th element from the slots array, which in
this case is going to be 0 (since we start CoW at the top of the tree).
The OOB access into the slots array in turn will read the 0th and 1st
values of the locks array, which would both be 0 at the time. However,
this benign behavior relies on the fact that the path being passed
hasn't been initialised; if it has already been used to query a btree
then it could potentially have populated the nodes/slots arrays.

Fix it by explicitly checking if we are at level 7 (the maximum allowed
index in nodes/slots arrays) and explicitly call the CoW routine with
NULL for parent's node/slot.

Signed-off-by: Nikolay Borisov
Fixes-coverity-id: 711515
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/ctree.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -2758,6 +2758,8 @@ again: * contention with the cow code */ if (cow) { + bool last_level = (level == (BTRFS_MAX_LEVEL - 1)); + /* * if we don't really need to cow this block * then we don't want to set the path blocking, @@ -2782,9 +2784,13 @@ again: } btrfs_set_path_blocking(p); - err = btrfs_cow_block(trans, root, b, - p->nodes[level + 1], - p->slots[level + 1], &b); + if (last_level) + err = btrfs_cow_block(trans, root, b, NULL, 0, + &b); + else + err = btrfs_cow_block(trans, root, b, + p->nodes[level + 1], + p->slots[level + 1], &b); if (err) { ret = err; goto done;
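Review bot: in the first hunk (@@ -2758), `last_level` is derived from `level` alone, but what it actually guards is the index `level + 1` into `p->nodes[]` and `p->slots[]` used in the second hunk; spelling the condition as `level + 1 >= BTRFS_MAX_LEVEL`, or adding a one-line comment such as `/* the top-level block has no parent in the path */`, would make that relationship visible in the code rather than only in the commit message.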
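Review bot: in the second hunk (@@ -2782), the two `btrfs_cow_block` calls differ only in the parent node and slot arguments; computing them once (`struct extent_buffer *parent = last_level ? NULL : p->nodes[level + 1];` and `int pslot = last_level ? 0 : p->slots[level + 1];`) and keeping a single call would avoid duplicating the argument list and the `&b` out-parameter. The NULL-parent branch relies on the CoW routine treating a NULL parent as "this block is the root", as the commit message states; since this is a 3.18 backport, that convention is worth confirming in this tree's `btrfs_cow_block` before merging.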
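The layout argument in the commit message (an index of BTRFS_MAX_LEVEL into `nodes[]` lands on `slots[0]`, and a reused path makes that read non-benign) can be checked without performing the out-of-bounds access. The following is an added example, not kernel code and not part of this patch: it models the three adjacent arrays with a hypothetical `struct model_path` (the real `struct btrfs_path` has more fields), uses `offsetof` to show the aliasing, and places the pre-fix index computation beside a parent-selection helper modelled on the patched branch. `MODEL_MAX_LEVEL`, `struct model_eb` and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the path layout the commit message describes:
 * fixed-size nodes/slots/locks arrays laid out back to back. */
#define MODEL_MAX_LEVEL 8

struct model_eb { int id; };   /* stands in for struct extent_buffer */

struct model_path {
    struct model_eb *nodes[MODEL_MAX_LEVEL];
    int slots[MODEL_MAX_LEVEL];
    int locks[MODEL_MAX_LEVEL];
};

/* 1 if nodes[MODEL_MAX_LEVEL] sits at the same offset as slots[0], i.e. an
 * index of MAX_LEVEL into nodes reads the first slot instead of trapping.
 * Computed from offsetof, so no out-of-bounds read is performed. */
int oob_nodes_aliases_slots(void)
{
    size_t end_of_nodes = offsetof(struct model_path, nodes)
                        + MODEL_MAX_LEVEL * sizeof(struct model_eb *);
    return end_of_nodes == offsetof(struct model_path, slots);
}

/* Pre-fix behaviour: the parent lookup always used index level + 1.
 * Returns 1 when that index is outside the nodes/slots arrays. */
int old_parent_index_is_oob(int level)
{
    return level + 1 >= MODEL_MAX_LEVEL;
}

/* Modelled on the patched branch: at the last level the block is the root
 * and has no parent, so report NULL/0 instead of indexing past the arrays.
 * Returns -1 for an invalid level, 0 on success. */
int parent_for_cow(const struct model_path *p, int level,
                   struct model_eb **parent, int *pslot)
{
    if (level < 0 || level >= MODEL_MAX_LEVEL)
        return -1;
    if (level == MODEL_MAX_LEVEL - 1) {
        *parent = NULL;
        *pslot = 0;
    } else {
        *parent = p->nodes[level + 1];
        *pslot = p->slots[level + 1];
    }
    return 0;
}

/* Constructed scenario: a path already used for a lookup, so every array
 * entry is populated (the case the commit message says the "benign"
 * pre-fix behaviour did not cover). */
static struct model_eb ebs[MODEL_MAX_LEVEL];

static void fill_reused_path(struct model_path *p)
{
    int i;
    memset(p, 0, sizeof(*p));
    for (i = 0; i < MODEL_MAX_LEVEL; i++) {
        ebs[i].id = i;
        p->nodes[i] = &ebs[i];
        p->slots[i] = 10 + i;   /* non-zero so a stale read would show */
        p->locks[i] = 1;
    }
}

/* Parent chosen for CoW at `level` on the reused path:
 * the parent's id, -1 for "no parent" (root), -2 for an invalid level. */
int cow_parent_id_for_reused_path(int level)
{
    struct model_path p;
    struct model_eb *parent;
    int pslot;

    fill_reused_path(&p);
    if (parent_for_cow(&p, level, &parent, &pslot) != 0)
        return -2;
    return parent ? parent->id : -1;
}

/* Parent slot chosen for CoW at `level` on the reused path, -1 on error. */
int cow_parent_slot_for_reused_path(int level)
{
    struct model_path p;
    struct model_eb *parent;
    int pslot;

    fill_reused_path(&p);
    if (parent_for_cow(&p, level, &parent, &pslot) != 0)
        return -1;
    return pslot;
}

int main(void)
{
    int level;

    printf("nodes[MAX_LEVEL] aliases slots[0]: %d\n", oob_nodes_aliases_slots());
    for (level = MODEL_MAX_LEVEL - 1; level >= 0; level--)
        printf("level %d: old index oob=%d parent_id=%d pslot=%d\n", level,
               old_parent_index_is_oob(level),
               cow_parent_id_for_reused_path(level),
               cow_parent_slot_for_reused_path(level));
    return 0;
}
```

On the reused path the pre-fix index would have handed the CoW routine `slots[0]` (here 10) as the parent pointer and `locks[0]`/`locks[1]` as the slot, exactly the non-zero garbage the commit message warns about; the patched selection returns NULL/0 at the top level and the real parent everywhere else.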