From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Nikolay Borisov, David Sterba, Ben Hutchings, Sasha Levin
Subject: [PATCH 4.14 030/146] btrfs: Check if item pointer overlaps with the item itself
Date: Tue, 4 Dec 2018 11:48:36 +0100
Message-Id: <20181204103728.071424574@linuxfoundation.org>
In-Reply-To: <20181204103726.750894136@linuxfoundation.org>
References: <20181204103726.750894136@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

commit 7f43d4affb2a254d421ab20b0cf65ac2569909fb upstream.

Function check_leaf() checks if any item pointer points outside of the
leaf, but it doesn't check if the pointer overlaps with the item itself.

Normally only the last item may be the victim, but adding such check is
never a bad idea anyway.

Signed-off-by: Qu Wenruo
Reviewed-by: Nikolay Borisov
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Ben Hutchings
Signed-off-by: Sasha Levin
---
 fs/btrfs/disk-io.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 4a1e63df1183..da7b2039e4cb 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -644,6 +644,13 @@ static noinline int check_leaf(struct btrfs_root *root, return -EUCLEAN; } + /* Also check if the item pointer overlaps with btrfs item. */ + if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > + btrfs_item_ptr_offset(leaf, slot)) { + CORRUPT("slot overlap with its data", leaf, root, slot); + return -EUCLEAN; + } + prev_key.objectid = key.objectid; prev_key.type = key.type; prev_key.offset = key.offset; -- 2.17.1
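
Review bot: In the check added to check_leaf(), the comment "Also check if the item pointer overlaps with btrfs item" does not say which two regions are compared, and the CORRUPT string words it differently ("slot overlap with its data"). Suggest stating the invariant in the comment: the end of the slot's struct btrfs_item header, btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item), must not exceed the start of that slot's data, btrfs_item_ptr_offset(leaf, slot), and using the same terms in the error string. Since the commit message says only the last item is normally affected, the comment could also note why the test runs for every slot rather than once for the last one.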