From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Daniel Xu, David Sterba
Subject: [PATCH 5.4 130/214] btrfs: tree-checker: validate number of chunk stripes and parity
Date: Tue, 3 Nov 2020 21:36:18 +0100
Message-Id: <20201103203303.026049333@linuxfoundation.org>
In-Reply-To: <20201103203249.448706377@linuxfoundation.org>
References: <20201103203249.448706377@linuxfoundation.org>

From: Daniel Xu

commit 85d07fbe09efd1c529ff3e025e2f0d2c6c96a1b7 upstream.

If there's no parity and num_stripes < ncopies, a crafted image can
trigger a division by zero in calc_stripe_length().

The image was generated through fuzzing.

CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Qu Wenruo
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209587
Signed-off-by: Daniel Xu
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman
---
 fs/btrfs/tree-checker.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -577,18 +577,36 @@ int btrfs_check_chunk_valid(struct exten u64 type; u64 features; bool mixed = false; + int raid_index; + int nparity; + int ncopies; length = btrfs_chunk_length(leaf, chunk); stripe_len = btrfs_chunk_stripe_len(leaf, chunk); num_stripes = btrfs_chunk_num_stripes(leaf, chunk); sub_stripes = btrfs_chunk_sub_stripes(leaf, chunk); type = btrfs_chunk_type(leaf, chunk); + raid_index = btrfs_bg_flags_to_raid_index(type); + ncopies = btrfs_raid_array[raid_index].ncopies; + nparity = btrfs_raid_array[raid_index].nparity; if (!num_stripes) { chunk_err(leaf, chunk, logical, "invalid chunk num_stripes, have %u", num_stripes); return -EUCLEAN; } + if (num_stripes < ncopies) { + chunk_err(leaf, chunk, logical, + "invalid chunk num_stripes < ncopies, have %u < %d", + num_stripes, ncopies); + return -EUCLEAN; + } + if (nparity && num_stripes == nparity) { + chunk_err(leaf, chunk, logical, + "invalid chunk num_stripes == nparity, have %u == %d", + num_stripes, nparity); + return -EUCLEAN; + } if (!IS_ALIGNED(logical, fs_info->sectorsize)) { chunk_err(leaf, chunk, logical, "invalid chunk logical, have %llu should aligned to %u",
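Review bot: The second added check, `if (nparity && num_stripes == nparity)`, rejects only equality, so a chunk item whose num_stripes is below nparity but not below ncopies passes both new checks in this hunk. Suggest `num_stripes <= nparity`, or a comment naming the later check in btrfs_check_chunk_valid() that covers that case. Separately, raid_index is derived from the on-disk `type` and used to index btrfs_raid_array before any validation of `type` is visible here; a one-line comment stating that btrfs_bg_flags_to_raid_index() always returns an in-range index for arbitrary flag values would make that safe to read. The new messages also print num_stripes with %u against an int with %d, which is consistent with the declarations added here but means the `num_stripes < ncopies` comparison mixes signedness; it is worth confirming that this is intended.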