From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nikolay Borisov, David Sterba, Sasha Levin
Subject: [PATCH 4.4 037/268] btrfs: Fix out of bounds access in btrfs_search_slot
Date: Mon, 28 May 2018 12:00:11 +0200
Message-Id: <20180528100206.271368919@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100202.045206534@linuxfoundation.org>
References: <20180528100202.045206534@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov

[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ]

When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then the level variable is going to be 7 (this is the max height of the tree). On the other hand btrfs_cow_block is always called with "level + 1" as an index into the nodes and slots arrays. This leads to an out of bounds access. Admittedly this will be benign, since an OOB access of the nodes array will likely read the 0th element from the slots array, which in this case is going to be 0 (since we start CoW at the top of the tree). The OOB access into the slots array in turn will read the 0th and 1st values of the locks array, which would both be 0 at the time. However, this benign behavior relies on the fact that the path being passed hasn't been initialised; if it has already been used to query a btree then it could potentially have populated the nodes/slots arrays.

Fix it by explicitly checking if we are at level 7 (the maximum allowed index in nodes/slots arrays) and explicitly call the CoW routine with NULL for parent's node/slot.

Signed-off-by: Nikolay Borisov
Fixes-coverity-id: 711515
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/ctree.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -2769,6 +2769,8 @@ again: * contention with the cow code */ if (cow) { + bool last_level = (level == (BTRFS_MAX_LEVEL - 1)); + /* * if we don't really need to cow this block * then we don't want to set the path blocking, @@ -2793,9 +2795,13 @@ again: } btrfs_set_path_blocking(p); - err = btrfs_cow_block(trans, root, b, - p->nodes[level + 1], - p->slots[level + 1], &b); + if (last_level) + err = btrfs_cow_block(trans, root, b, NULL, 0, + &b); + else + err = btrfs_cow_block(trans, root, b, + p->nodes[level + 1], + p->slots[level + 1], &b); if (err) { ret = err; goto done;
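Review bot: the `if (last_level)` branch hands `btrfs_cow_block()` a NULL parent and slot 0 without a comment saying why that is the right thing at `level == BTRFS_MAX_LEVEL - 1` (the block being CoWed is the tree root, so there is no parent node or slot to record in the path); a one-liner such as `/* root block: no parent node to pass, nodes[level + 1] would be out of bounds */` above the branch would spare the next reader a trip to the commit message. Second, `last_level` is computed from `level` at the top of the `if (cow)` block in the first hunk but consumed near the end of the second hunk, with the lines between the two hunks elided from the diff; it is worth confirming that nothing in that elided region modifies `level`, otherwise the cached bool and the `level + 1` index in the else branch can disagree.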
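As an added illustration (not part of this patch or of the kernel tree), the following C model shows why `nodes[level + 1]` walks off the end of the path arrays at the top level, why the commit message calls the unpatched read "benign" on a freshly zeroed path, and how the guard avoids the index altogether. `struct path_model` is a constructed stand-in holding only the three arrays the commit message names, in the order the kernel declares them; `cow_parent()` is a hypothetical helper mirroring the patched logic, not a kernel function.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BTRFS_MAX_LEVEL 8

/* Constructed, simplified stand-in for struct btrfs_path: just the three
 * arrays the commit message talks about, declared in the kernel's order. */
struct path_model {
    void *nodes[BTRFS_MAX_LEVEL];
    int slots[BTRFS_MAX_LEVEL];
    unsigned char locks[BTRFS_MAX_LEVEL];
};

/* Parent node/slot to hand to the CoW routine for the block at 'level'.
 * Mirrors the patched logic: at the top level there is no parent, so return
 * NULL/0 instead of indexing nodes[level + 1] one past the array. */
static bool cow_parent(const struct path_model *p, int level,
                       void **parent, int *parent_slot)
{
    bool last_level = (level == (BTRFS_MAX_LEVEL - 1));
    if (last_level) {
        *parent = NULL;
        *parent_slot = 0;
    } else {
        *parent = p->nodes[level + 1];
        *parent_slot = p->slots[level + 1];
    }
    return last_level;
}

/* Byte offset the unpatched code would read for nodes[level + 1].
 * Pure offset arithmetic: no out-of-bounds access is performed here. */
static size_t unpatched_parent_offset(int level)
{
    return offsetof(struct path_model, nodes) + (size_t)(level + 1) * sizeof(void *);
}

/* True when that offset lands inside the neighbouring slots[] array, i.e.
 * the stray read aliases slots[0] exactly as the commit message describes. */
static bool aliases_slots(int level)
{
    size_t off = unpatched_parent_offset(level);
    return off >= offsetof(struct path_model, slots) &&
           off < offsetof(struct path_model, locks);
}

int main(void)
{
    printf("level 7 parent read aliases slots[]: %s\n",
           aliases_slots(BTRFS_MAX_LEVEL - 1) ? "yes" : "no");
    return 0;
}
```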