btrfs: Check superblock csum type to avoid 0 division or array overflow.

Message ID 1429752681-566-1-git-send-email-quwenruo@cn.fujitsu.com
State New, archived

Commit Message

Qu Wenruo April 23, 2015, 1:31 a.m. UTC
Current btrfs only supports CRC32 checksum, and if csum_type is 1, we
will get 0 csum size, causing a 0 division that later destroys the whole
kernel. Or if csum_type is later than 1, we will get data from other
random memory, causing more problems.

So check csum_type in btrfs_check_super_valid() to avoid such a hostile
attack.

Reported-by: Lukas Lueg <lukas.lueg@gmail.com>
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
---
 fs/btrfs/ctree.h   | 1 +
 fs/btrfs/disk-io.c | 7 +++++++
 2 files changed, 8 insertions(+)

Comments

David Sterba April 23, 2015, 4:16 p.m. UTC | #1
On Thu, Apr 23, 2015 at 09:31:21AM +0800, Qu Wenruo wrote:
> Current btrfs only supports CRC32 checksum, and if csum_type is 1, we
> will get 0 csum size, causing a 0 division that later destroys the whole
> kernel. Or if csum_type is later than 1, we will get data from other
> random memory, causing more problems.

The check for csum type is already there in btrfs_check_super_csum, but
it's wrong and should be fixed.

btrfs_csum_sizes = { 4, 0 };

        if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
                printk(KERN_ERR "BTRFS: unsupported checksum algorithm %u\n",
                                csum_type);
                ret = 1;
        }

and the check fails to catch csum_type == 1.
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
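
The gap described in reply #1, as an added user-space example (not kernel code and not part of the thread): a bounds-only test accepts csum_type 1 because the size table has a zero-sized second entry. The names check_bounds_only, check_strict and csums_per_block and the 4096-byte block size are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Same values as the btrfs_csum_sizes table quoted in the thread. */
static const int csum_sizes[] = { 4, 0 };

/* Check as quoted in reply #1: bounds only. Returns 1 when rejected. */
static int check_bounds_only(uint16_t csum_type)
{
	return csum_type >= ARRAY_SIZE(csum_sizes);
}

/* Stricter variant (assumption): in bounds and a non-zero size. */
static int check_strict(uint16_t csum_type)
{
	if (csum_type >= ARRAY_SIZE(csum_sizes))
		return 1;
	return csum_sizes[csum_type] == 0;
}

/*
 * Hypothetical consumer: checksums that fit in an assumed 4096-byte block.
 * Returns -1 when the check rejects the type and -2 when an accepted type
 * has size 0, which is where unguarded code would divide by zero.
 */
static long csums_per_block(uint16_t csum_type, int (*check)(uint16_t))
{
	if (check(csum_type))
		return -1;
	if (csum_sizes[csum_type] == 0)
		return -2;
	return 4096 / csum_sizes[csum_type];
}

int main(void)
{
	/* Constructed csum_type values standing in for an untrusted superblock. */
	const uint16_t samples[] = { 0, 1, 2, 0xffff };

	for (size_t i = 0; i < ARRAY_SIZE(samples); i++)
		printf("type %u: bounds-only=%ld strict=%ld\n", (unsigned)samples[i],
		       csums_per_block(samples[i], check_bounds_only),
		       csums_per_block(samples[i], check_strict));
	return 0;
}
```
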
Qu Wenruo April 24, 2015, 12:37 a.m. UTC | #2
-------- Original Message  --------
Subject: Re: [PATCH] btrfs: Check superblock csum type to avoid 0 
division or array overflow.
From: David Sterba <dsterba@suse.cz>
To: Qu Wenruo <quwenruo@cn.fujitsu.com>
Date: 2015-04-24 00:16

> On Thu, Apr 23, 2015 at 09:31:21AM +0800, Qu Wenruo wrote:
>> Current btrfs only supports CRC32 checksum, and if csum_type is 1, we
>> will get 0 csum size, causing a 0 division that later destroys the whole
>> kernel. Or if csum_type is later than 1, we will get data from other
>> random memory, causing more problems.
>
> The check for csum type is already there in btrfs_check_super_csum, but
> it's wrong and should be fixed.
>
> btrfs_csum_sizes = { 4, 0 };
>
>         if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
>                 printk(KERN_ERR "BTRFS: unsupported checksum algorithm %u\n",
>                                 csum_type);
>                 ret = 1;
>         }
>
> and the check fails to catch csum_type == 1.
>
Thanks for pointing out the existing code, I'll update the patch.

Thanks,
Qu

Patch

diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index f9c89ca..d6f3aa0 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -173,6 +173,7 @@  struct btrfs_ordered_sum;
 
 /* csum types */
 #define BTRFS_CSUM_TYPE_CRC32	0
+#define BTRFS_CSUM_LAST_TYPE	0
 
 static int btrfs_csum_sizes[] = { 4, 0 };
 
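Review bot: The added BTRFS_CSUM_LAST_TYPE define duplicates information that btrfs_csum_sizes[] two lines below already carries, so the macro and the array can drift apart when a checksum type is added. The array still holds a second entry of size 0, which is why an ARRAY_SIZE() bound accepts csum_type 1; consider dropping that placeholder entry so the array itself is the single bound, or, if the macro stays, add a comment that it must be updated together with the array.
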
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 639f266..8687ab5 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3885,6 +3885,13 @@  static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
 		ret = -EINVAL;
 	}
 
+	/* Also check csum type, to avoid 0 csum_size */
+	if (btrfs_super_csum_type(sb) > BTRFS_CSUM_LAST_TYPE) {
+		printk(KERN_ERR "BTRFS: unsupported checksum type: %d\n",
+		       btrfs_super_csum_type(sb));
+		ret = -EINVAL;
+	}
+
 	if (memcmp(fs_info->fsid, sb->dev_item.fsid, BTRFS_UUID_SIZE) != 0) {
 		printk(KERN_ERR "BTRFS: dev_item UUID does not match fsid: %pU != %pU\n",
 				fs_info->fsid, sb->dev_item.fsid);
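
Review bot: The added csum type test in btrfs_check_super_valid() repeats a check that, per reply #1, already exists in btrfs_check_super_csum(), leaving the same condition enforced in two places with two different bounds (BTRFS_CSUM_LAST_TYPE here, ARRAY_SIZE(btrfs_csum_sizes) there). Fixing the existing check would be preferable to adding a second one. If this one is kept, the printk format should be %u rather than %d to match the existing message, and the comment could say that the value comes from the on-disk superblock and is untrusted.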