roy.qing.li@gmail.com
2014-Sep-29 09:34 UTC
[PATCH][v2] btrfs: fix a overflowing boundary writing in csum_tree_block
From: Li RongQing <roy.qing.li@gmail.com>
It is impossible that csum_size is larger than sizeof(long), but the codes
still add the handler for this condition, like allocate new memory, for
extension. If it becomes true someday, copying csum_size size memory to local
32bit variable found and val will overflow these two variables.
Fix it by returning the max 4 byte checksum, and print the csum_size
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
---
fs/btrfs/disk-io.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index a1d36e6..d9b52ac 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -295,14 +295,17 @@ static int csum_tree_block(struct btrfs_root *root, struct
extent_buffer *buf,
if (memcmp_extent_buffer(buf, result, 0, csum_size)) {
u32 val;
u32 found = 0;
+
+ csum_size = min_t(u16, csum_size, sizeof(u32));
memcpy(&found, result, csum_size);
read_extent_buffer(buf, &val, 0, csum_size);
printk_ratelimited(KERN_INFO
"BTRFS: %s checksum verify failed on %llu wanted %X found %X "
- "level %d\n",
+ "level %d checksum size %d\n",
root->fs_info->sb->s_id, buf->start,
- val, found, btrfs_header_level(buf));
+ val, found, btrfs_header_level(buf), csum_size);
+
if (result != (char *)&inline_result)
kfree(result);
return 1;
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html