From patchwork Mon Sep 29 09:34:49 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: roy.qing.li@gmail.com
X-Patchwork-Id: 4995011
Return-Path: <linux-btrfs-owner@kernel.org>
X-Original-To: patchwork-linux-btrfs@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id BFEAEBEEA6
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Mon, 29 Sep 2014 09:34:58 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 0AB01201FA
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Mon, 29 Sep 2014 09:34:58 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 38ED4201B9
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Mon, 29 Sep 2014 09:34:57 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751688AbaI2Jew (ORCPT
	<rfc822;patchwork-linux-btrfs@patchwork.kernel.org>);
	Mon, 29 Sep 2014 05:34:52 -0400
Received: from mail-pa0-f51.google.com ([209.85.220.51]:40456 "EHLO
	mail-pa0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751396AbaI2Jev (ORCPT
	<rfc822;linux-btrfs@vger.kernel.org>);
	Mon, 29 Sep 2014 05:34:51 -0400
Received: by mail-pa0-f51.google.com with SMTP id lj1so2424504pab.10
	for <linux-btrfs@vger.kernel.org>;
	Mon, 29 Sep 2014 02:34:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113; h=from:to:subject:date:message-id;
	bh=iW7Y0iDIEjm/YeDFKCPvzCxEPuAzAJbcgE7OqyaZXJE=;
	b=OeR1TPJvSaX0yrNEhI3sXpXmrXxwKGeILP7APmaNwF6VOW4tG5Yea8KLkcZOESAS86
	nUGdqb2oQHypADuYrgXqh6JS0b6pgGqqHMe8ze8r1XUwKIqOVEXtIyrHIR9HLOAi4Fm2
	Bleiw2YDoFgAZDgxUgfpWLikV7LZqdBXeFLX4WJwaQgeiDwqlZBwIkupqE6pcWjVkaKe
	NXpluPkXtNplll+QQ9yx0e8RQLcCSDjKAu5WNHm3waqC+ARCppszGWEfGYU3rfhhPwGl
	ULTKx4ygVruAPZjJdOFL84lOCasc3TsqYOwxlsdiSI+oj1WSakBMPGpgdEMEEBNIGTuN
	CbRw==
X-Received: by 10.66.141.77 with SMTP id rm13mr46396348pab.91.1411983291421;
	Mon, 29 Sep 2014 02:34:51 -0700 (PDT)
Received: from localhost ([106.120.101.38]) by mx.google.com with ESMTPSA id
	fn2sm11340746pdb.75.2014.09.29.02.34.49
	for <linux-btrfs@vger.kernel.org>
	(version=TLSv1.2 cipher=RC4-SHA bits=128/128);
	Mon, 29 Sep 2014 02:34:50 -0700 (PDT)
From: roy.qing.li@gmail.com
To: linux-btrfs@vger.kernel.org
Subject: [PATCH][v2] btrfs: fix a overflowing boundary writing in
	csum_tree_block
Date: Mon, 29 Sep 2014 17:34:49 +0800
Message-Id: <1411983289-26522-1-git-send-email-roy.qing.li@gmail.com>
X-Mailer: git-send-email 1.7.10.4
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-btrfs.vger.kernel.org>
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD,
	T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Li RongQing <roy.qing.li@gmail.com>

It is impossible that csum_size is larger than sizeof(long), but the codes
still add the handler for this condition, like allocate new memory, for
extension. If it becomes true someday, copying csum_size size memory to local
32bit variable found and val will overflow these two variables.

Fix it by returning the max 4 byte checksum, and print the csum_size

Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
---
 fs/btrfs/disk-io.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index a1d36e6..d9b52ac 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -295,14 +295,17 @@ static int csum_tree_block(struct btrfs_root *root, struct extent_buffer *buf,
 		if (memcmp_extent_buffer(buf, result, 0, csum_size)) {
 			u32 val;
 			u32 found = 0;
+
+			csum_size = min_t(u16, csum_size, sizeof(u32));
 			memcpy(&found, result, csum_size);
 
 			read_extent_buffer(buf, &val, 0, csum_size);
 			printk_ratelimited(KERN_INFO
 				"BTRFS: %s checksum verify failed on %llu wanted %X found %X "
-				"level %d\n",
+				"level %d checksum size %d\n",
 				root->fs_info->sb->s_id, buf->start,
-				val, found, btrfs_header_level(buf));
+				val, found, btrfs_header_level(buf), csum_size);
+
 			if (result != (char *)&inline_result)
 				kfree(result);
 			return 1;