Hello Josef Bacik,
The patch 607d432da054: "Btrfs: add support for multiple csum
algorithms" from Dec 2, 2008, leads to the following warning:
fs/btrfs/disk-io.c:298 csum_tree_block()
error: memcpy() ''&found'' too small (4 vs 9)
fs/btrfs/disk-io.c
284 if (csum_size > sizeof(inline_result)) {
285 result = kzalloc(csum_size * sizeof(char), GFP_NOFS);
286 if (!result)
287 return 1;
288 } else {
289 result = (char *)&inline_result;
290 }
291
292 btrfs_csum_final(crc, result);
293
294 if (verify) {
295 if (memcmp_extent_buffer(buf, result, 0, csum_size)) {
296 u32 val;
297 u32 found = 0;
298 memcpy(&found, result, csum_size);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Before that commit we used to memcpy() 4 bytes and it was fine, but now
csum_size can be larger than 4 bytes and there is a potential for
memory corruption.
299
300 read_extent_buffer(buf, &val, 0, csum_size);
^^^^
Smatch complains that "val" is too small as well.
301 printk_ratelimited(KERN_INFO "btrfs: %s
checksum verify "
302 "failed on %llu wanted %X
found %X "
303 "level %d\n",
304 root->fs_info->sb->s_id,
305 (unsigned long
long)buf->start, val, found,
306 btrfs_header_level(buf));
307 if (result != (char *)&inline_result)
308 kfree(result);
309 return 1;
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
This is a memory corruption bug, could someone take a look at it? regards, dan carpetner On Fri, Jun 15, 2012 at 10:49:22PM +0300, Dan Carpenter wrote:> Hello Josef Bacik, > > The patch 607d432da054: "Btrfs: add support for multiple csum > algorithms" from Dec 2, 2008, leads to the following warning: > fs/btrfs/disk-io.c:298 csum_tree_block() > error: memcpy() ''&found'' too small (4 vs 9) > > fs/btrfs/disk-io.c > 284 if (csum_size > sizeof(inline_result)) { > 285 result = kzalloc(csum_size * sizeof(char), GFP_NOFS); > 286 if (!result) > 287 return 1; > 288 } else { > 289 result = (char *)&inline_result; > 290 } > 291 > 292 btrfs_csum_final(crc, result); > 293 > 294 if (verify) { > 295 if (memcmp_extent_buffer(buf, result, 0, csum_size)) { > 296 u32 val; > 297 u32 found = 0; > 298 memcpy(&found, result, csum_size); > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Before that commit we used to memcpy() 4 bytes and it was fine, but now > csum_size can be larger than 4 bytes and there is a potential for > memory corruption. > > 299 > 300 read_extent_buffer(buf, &val, 0, csum_size); > ^^^^ > Smatch complains that "val" is too small as well. > > 301 printk_ratelimited(KERN_INFO "btrfs: %s checksum verify " > 302 "failed on %llu wanted %X found %X " > 303 "level %d\n", > 304 root->fs_info->sb->s_id, > 305 (unsigned long long)buf->start, val, found, > 306 btrfs_header_level(buf)); > 307 if (result != (char *)&inline_result) > 308 kfree(result); > 309 return 1; > > regards, > dan carpenter-- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html