From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Daniel Xu, David Sterba
Subject: [PATCH 5.9 234/391] btrfs: tree-checker: validate number of chunk stripes and parity
Date: Tue, 3 Nov 2020 21:34:45 +0100
Message-Id: <20201103203402.782767594@linuxfoundation.org>
In-Reply-To: <20201103203348.153465465@linuxfoundation.org>
References: <20201103203348.153465465@linuxfoundation.org>

From: Daniel Xu

commit 85d07fbe09efd1c529ff3e025e2f0d2c6c96a1b7 upstream.

If there's no parity and num_stripes < ncopies, a crafted image can trigger a division by zero in calc_stripe_length(). The image was generated through fuzzing.

CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Qu Wenruo
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209587
Signed-off-by: Daniel Xu
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman

--- fs/btrfs/tree-checker.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c 
@@ -760,18 +760,36 @@ int btrfs_check_chunk_valid(struct exten u64 type; u64 features; bool mixed = false; + int raid_index; + int nparity; + int ncopies; length = btrfs_chunk_length(leaf, chunk); stripe_len = btrfs_chunk_stripe_len(leaf, chunk); num_stripes = btrfs_chunk_num_stripes(leaf, chunk); sub_stripes = btrfs_chunk_sub_stripes(leaf, chunk); type = btrfs_chunk_type(leaf, chunk); + raid_index = btrfs_bg_flags_to_raid_index(type); + ncopies = btrfs_raid_array[raid_index].ncopies; + nparity = btrfs_raid_array[raid_index].nparity; if (!num_stripes) { chunk_err(leaf, chunk, logical, "invalid chunk num_stripes, have %u", num_stripes); return -EUCLEAN; } + if (num_stripes < ncopies) { + chunk_err(leaf, chunk, logical, + "invalid chunk num_stripes < ncopies, have %u < %d", + num_stripes, ncopies); + return -EUCLEAN; + } + if (nparity && num_stripes == nparity) { + chunk_err(leaf, chunk, logical, + "invalid chunk num_stripes == nparity, have %u == %d", + num_stripes, nparity); + return -EUCLEAN; + } if (!IS_ALIGNED(logical, fs_info->sectorsize)) { chunk_err(leaf, chunk, logical, "invalid chunk logical, have %llu should aligned to %u",
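Review bot: the second added check, `if (nparity && num_stripes == nparity)`, rejects only exact equality, so for any profile whose nparity is greater than 1 a crafted num_stripes that is below nparity but still >= ncopies passes both new checks. Suggest `num_stripes <= nparity` here, or, if a later check in btrfs_check_chunk_valid() already enforces the per-profile minimum stripe count, a short comment above this block saying so. Separately, `raid_index` is derived from the on-disk `type` and used to index `btrfs_raid_array` before any validation of `type` is visible in this hunk; a one-line comment noting that btrfs_bg_flags_to_raid_index() returns an in-range index for arbitrary flag bits would make the lookup easier to audit. The changelog describes only the "no parity and num_stripes < ncopies" case, so it would also help to state there why the nparity check is needed.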