From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Nikolay Borisov, David Sterba, Ben Hutchings
Subject: [PATCH 4.9 068/101] btrfs: Check if item pointer overlaps with the item itself
Date: Thu, 6 Dec 2018 15:39:07 +0100
Message-Id: <20181206143015.734862750@linuxfoundation.org>
In-Reply-To: <20181206143011.174892052@linuxfoundation.org>
References: <20181206143011.174892052@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Qu Wenruo

commit 7f43d4affb2a254d421ab20b0cf65ac2569909fb upstream.

Function check_leaf() checks if any item pointer points outside of the leaf, but it doesn't check if the pointer overlaps with the item itself.

Normally only the last item may be the victim, but adding such check is never a bad idea anyway.

Signed-off-by: Qu Wenruo
Reviewed-by: Nikolay Borisov
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman
--- fs/btrfs/disk-io.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -637,6 +637,13 @@ static noinline int check_leaf(struct bt return -EUCLEAN; } + /* Also check if the item pointer overlaps with btrfs item. */ + if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > + btrfs_item_ptr_offset(leaf, slot)) { + CORRUPT("slot overlap with its data", leaf, root, slot); + return -EUCLEAN; + } + prev_key.objectid = key.objectid; prev_key.type = key.type; prev_key.offset = key.offset;
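
Review bot: The comment above the added if in check_leaf() does not say which two ranges are being compared or why the boundary is a strict ">". Suggest spelling out the invariant: the data offset returned by btrfs_item_ptr_offset(leaf, slot) must not fall before the end of this slot's own struct btrfs_item header, i.e. btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item), and data that starts exactly at the header end is accepted. The condition only references the current slot's header, so on its own it does not detect item data that overlaps another slot's header; the commit message's remark that normally only the last item can be affected explains why that is considered sufficient, and it would be worth carrying that sentence into the code comment so the reasoning survives outside the changelog.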