| Message ID | 1425396698-31009-1-git-send-email-quentin.casasnovas@oracle.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Tue, Mar 3, 2015 at 10:31 AM, Quentin Casasnovas <quentin.casasnovas@oracle.com> wrote: > Improper arithmetics when calculting the address of the extended ref > could > lead to an out of bounds memory read and kernel panic. > > Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> > --- > fs/btrfs/tree-log.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c > index 9a37f8b..c5b8ba3 100644 > --- fs/btrfs/tree-log.c > +++ fs/btrfs/tree-log.c > @@ -1012,7 +1012,7 @@ again: > base = btrfs_item_ptr_offset(leaf, path->slots[0]); > > while (cur_offset < item_size) { > - extref = (struct btrfs_inode_extref *)base + cur_offset; > + extref = (struct btrfs_inode_extref *)(base + cur_offset); > > victim_name_len = btrfs_inode_extref_name_len(leaf, extref); > Thanks, this goes back to 3.7+ (Mark's original extref code). I'll tag for stable and add Dave's reviewed by: Reviewed-by: David Sterba <dsterba@suse.cz> -chris -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git fs/btrfs/tree-log.c fs/btrfs/tree-log.c index 9a37f8b..c5b8ba3 100644 --- fs/btrfs/tree-log.c +++ fs/btrfs/tree-log.c @@ -1012,7 +1012,7 @@ again: base = btrfs_item_ptr_offset(leaf, path->slots[0]); while (cur_offset < item_size) { - extref = (struct btrfs_inode_extref *)base + cur_offset; + extref = (struct btrfs_inode_extref *)(base + cur_offset); victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> --- fs/btrfs/tree-log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)