From patchwork Wed Jun 18 16:51:19 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Vincent_Stehl=C3=A9?= X-Patchwork-Id: 4377991 Return-Path: X-Original-To: patchwork-linux-btrfs@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id D04979F433 for ; Wed, 18 Jun 2014 16:51:58 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 049C120379 for ; Wed, 18 Jun 2014 16:51:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7794420218 for ; Wed, 18 Jun 2014 16:51:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753535AbaFRQvx (ORCPT ); Wed, 18 Jun 2014 12:51:53 -0400 Received: from smtp4-g21.free.fr ([212.27.42.4]:43397 "EHLO smtp4-g21.free.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751888AbaFRQvw (ORCPT ); Wed, 18 Jun 2014 12:51:52 -0400 Received: from romuald.bergerie (unknown [88.178.86.202]) by smtp4-g21.free.fr (Postfix) with ESMTP id 5F9EE4C8125; Wed, 18 Jun 2014 18:51:51 +0200 (CEST) Received: from einstein.bergerie (einstein.bergerie [192.168.124.11]) by romuald.bergerie (Postfix) with SMTP id 1C8C9339193; Wed, 18 Jun 2014 18:51:50 +0200 (CEST) Received: by einstein.bergerie (sSMTP sendmail emulation); Wed, 18 Jun 2014 18:51:49 +0200 From: =?UTF-8?q?Vincent=20Stehl=C3=A9?= To: linux-btrfs@vger.kernel.org Cc: =?UTF-8?q?Vincent=20Stehl=C3=A9?= Subject: [PATCH] btrfs-progs: restore: check lzo compress length Date: Wed, 18 Jun 2014 18:51:19 +0200 Message-Id: <1403110279-28688-1-git-send-email-vincent.stehle@laposte.net> X-Mailer: git-send-email 2.0.0 MIME-Version: 1.0 Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_HI,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When things go wrong for lzo-compressed btrfs, feeding lzo1x_decompress_safe() with corrupt data during restore can lead to crashes. Reduce the risk by adding a check on the input length. Signed-off-by: Vincent Stehlé --- Hi, This patch actually allowed me to finish a btrfs restore of a damaged filesystem, which was repeateadly crashing otherwise. This was with v3.12, but I think it still makes sense. Best regards, V. cmds-restore.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cmds-restore.c b/cmds-restore.c index 96b97e1..4338493 100644 --- a/cmds-restore.c +++ b/cmds-restore.c @@ -115,6 +115,12 @@ static int decompress_lzo(unsigned char *inbuf, char *outbuf, u64 compress_len, while (tot_in < tot_len) { in_len = read_compress_length(inbuf); + + if ((tot_in + LZO_LEN + in_len) > tot_len) { + fprintf(stderr, "bad compress length %lu\n", in_len); + return -1; + } + inbuf += LZO_LEN; tot_in += LZO_LEN;