Btrfs devel - Aug 2011 - [PATCH] btrfs: check file extent backref offset underflow

Offset field in data extent backref can underflow if clone range ioctl
is used. We can reliably detect the underflow because max file size is
limited to 2^63 and max data extent size is limited by block group size.

Signed-off-by: Zheng Yan  <zheng.z.yan@intel.com>
---
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 59bb176..107c9cf 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -3323,8 +3323,11 @@ static int find_data_references(struct reloc_control *rc,
 	}
 
 	key.objectid = ref_objectid;
-	key.offset = ref_offset;
 	key.type = BTRFS_EXTENT_DATA_KEY;
+	if (ref_offset > ((u64)-1 << 32))
+		key.offset = 0;
+	else
+		key.offset = ref_offset;
 
 	path->search_commit_root = 1;
 	path->skip_locking = 1;
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Yan, Zheng wrote:
> Offset field in data extent backref can underflow if clone range ioctl
> is used. We can reliably detect the underflow because max file size is
> limited to 2^63 and max data extent size is limited by block group size.
> 
> Signed-off-by: Zheng Yan  <zheng.z.yan@intel.com>
Tested-by: Li Zefan <lizf@cn.fujitsu.com>

...
> @@ -3323,8 +3323,11 @@ static int find_data_references(struct reloc_control
*rc,
>  	}
>  
>  	key.objectid = ref_objectid;
> -	key.offset = ref_offset;
>  	key.type = BTRFS_EXTENT_DATA_KEY;
> +	if (ref_offset > ((u64)-1 << 32))
> +		key.offset = 0;
> +	else
> +		key.offset = ref_offset;
This needs comment, as we''re working around a corner case and a magic
number is
used.
>  
>  	path->search_commit_root = 1;
>  	path->skip_locking = 1;
> --
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html