From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov , "David Sterba" , "Greg Kroah-Hartman" , "Ben Hutchings" , "Nikolay Borisov" , "Qu Wenruo"
Date: Fri, 24 Apr 2020 00:04:26 +0100
Message-ID:
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 039/245] btrfs: Check if item pointer overlaps with the item itself
In-Reply-To:
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.83-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Qu Wenruo

commit 7f43d4affb2a254d421ab20b0cf65ac2569909fb upstream.

Function check_leaf() checks if any item pointer points outside of the leaf,
but it doesn't check if the pointer overlaps with the item itself.

Normally only the last item may be the victim, but adding such a check is
never a bad idea anyway.

Signed-off-by: Qu Wenruo
Reviewed-by: Nikolay Borisov
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
 fs/btrfs/disk-io.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -606,6 +606,13 @@ static noinline int check_leaf(struct bt return -EUCLEAN; } + /* Also check if the item pointer overlaps with btrfs item. */ + if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > + btrfs_item_ptr_offset(leaf, slot)) { + CORRUPT("slot overlap with its data", leaf, root, slot); + return -EUCLEAN; + } + prev_key.objectid = key.objectid; prev_key.type = key.type; prev_key.offset = key.offset;
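Review bot: the comment on the new check ("Also check if the item pointer overlaps with btrfs item") should say what is being compared, because the condition `btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > btrfs_item_ptr_offset(leaf, slot)` reads as two opaque offsets; suggest wording along the lines of "item data must not start before the end of this slot's own item header (both values are byte offsets into the leaf)". The CORRUPT message "slot overlap with its data" is likewise terse; "item header overlaps its data" names the two things that collide. Using `>` rather than `>=` is right: data that starts exactly at the end of the header does not overlap it. Since the check only compares a slot against its own header, the comment could also carry the commit message's observation that in practice only the last item is affected, so a reader knows why one comparison per slot is enough.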
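The checks described in the commit message above, as an added stand-alone C model that is not the kernel's code and not part of this patch. It lays out a simplified btrfs-style leaf (a fixed-size header, item descriptors growing upward from the header, item data growing downward from the end of the leaf) and runs both pointer checks over constructed leaves: the pre-existing "data must lie inside the leaf" check and the new "data must not overlap its own descriptor" check. The header size, `struct model_item`, the sample items and all function names are assumptions chosen for illustration; the real check_leaf() also validates other properties (for one, the key ordering that the hunk's prev_key context lines belong to) that are not modelled here.

```c
/* Added example: simplified model of the check_leaf() item-pointer checks.
 * NOT the kernel's code. Layout sizes below are assumptions, not the real
 * btrfs on-disk format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LEAF_SIZE      4096u                       /* model nodesize (assumption) */
#define HEADER_SIZE    64u                         /* model header size (assumption) */
#define LEAF_DATA_SIZE (LEAF_SIZE - HEADER_SIZE)   /* bytes available after the header */

/* Model of a btrfs item descriptor: key plus offset/size of the item's data. */
struct model_item {
    uint64_t objectid;
    uint8_t  type;
    uint64_t key_offset;
    uint32_t data_off;   /* data start, relative to the end of the header */
    uint32_t data_size;
};

/* Leaf-relative byte offset of descriptor `slot` (cf. btrfs_item_nr_offset). */
static uint32_t item_nr_offset(uint32_t slot)
{
    return HEADER_SIZE + slot * (uint32_t)sizeof(struct model_item);
}

/* Leaf-relative byte offset of slot's data (cf. btrfs_item_ptr_offset). */
static uint32_t item_ptr_offset(const struct model_item *items, uint32_t slot)
{
    return HEADER_SIZE + items[slot].data_off;
}

enum leaf_status {
    LEAF_OK = 0,
    LEAF_DATA_OUTSIDE = -1,   /* data runs past the end of the leaf */
    LEAF_HEADER_OVERLAP = -2  /* data starts inside the descriptor array */
};

/* Apply both pointer checks to every slot; on failure report the slot. */
static int check_leaf_items(const struct model_item *items, uint32_t nritems,
                            uint32_t *bad_slot)
{
    for (uint32_t slot = 0; slot < nritems; slot++) {
        uint64_t data_end = (uint64_t)items[slot].data_off + items[slot].data_size;

        /* Pre-existing check: the item's data must lie within the leaf. */
        if (data_end > LEAF_DATA_SIZE) {
            *bad_slot = slot;
            return LEAF_DATA_OUTSIDE;
        }
        /* Check added by the patch: the data must not start before the end
         * of this slot's own descriptor. Descriptors occupy increasing
         * offsets, so this slot's descriptor is the highest one its data
         * could collide with. Equality is not an overlap, hence '>'. */
        if (item_nr_offset(slot) + sizeof(struct model_item) >
            item_ptr_offset(items, slot)) {
            *bad_slot = slot;
            return LEAF_HEADER_OVERLAP;
        }
    }
    return LEAF_OK;
}

enum { SAMPLE_VALID, SAMPLE_OVERLAP, SAMPLE_OUTSIDE };

/* Constructed sample leaves (not real on-disk data). Items are packed
 * downward from the end of the leaf, as btrfs does. */
static int run_sample(int which, uint32_t *bad_slot)
{
    struct model_item items[3];
    memset(items, 0, sizeof(items));

    items[0].data_size = 100;
    items[0].data_off  = LEAF_DATA_SIZE - items[0].data_size;
    items[1].data_size = 50;
    items[1].data_off  = items[0].data_off - items[1].data_size;
    items[2].data_size = 8;
    items[2].data_off  = items[1].data_off - items[2].data_size;

    switch (which) {
    case SAMPLE_OVERLAP:
        /* Crafted: the last item's data offset points back at the first
         * descriptor, so reading it would return descriptor bytes as data.
         * It passes the in-leaf check and is caught only by the new one. */
        items[2].data_off = 0;
        break;
    case SAMPLE_OUTSIDE:
        /* Crafted: the last item's data runs past the end of the leaf. */
        items[2].data_off = LEAF_DATA_SIZE - 4;
        break;
    default:
        break;
    }
    *bad_slot = 0;
    return check_leaf_items(items, 3, bad_slot);
}

int main(void)
{
    static const char *names[] = { "valid", "overlap", "outside" };
    for (int s = 0; s < 3; s++) {
        uint32_t bad = 0;
        int rc = run_sample(s, &bad);
        printf("%-8s -> status %d (slot %u)\n", names[s], rc, bad);
    }
    return 0;
}
```

The overlap sample is the case the patch targets: its data pointer stays inside the leaf, so the older bounds check accepts it, and only the comparison against the slot's own descriptor rejects it.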