Message ID | 1429752681-566-1-git-send-email-quwenruo@cn.fujitsu.com (mailing list archive) |
---|---|
State | New, archived |
On Thu, Apr 23, 2015 at 09:31:21AM +0800, Qu Wenruo wrote:
> Current btrfs only supports CRC32 checksum, and if csum_type is 1, we
> will get 0 csum size, causing a 0 division that later destroys the whole kernel.
> Or if csum_type is larger than 1, we will get data from other random memory,
> causing more problems.

The check for csum type is already there in btrfs_check_super_csum, but
it's wrong and should be fixed.

	btrfs_csum_sizes = { 4, 0 };

	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
		printk(KERN_ERR "BTRFS: unsupported checksum algorithm %u\n",
				csum_type);
		ret = 1;
	}

and the check fails to catch csum_type == 1.
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
-------- Original Message --------
Subject: Re: [PATCH] btrfs: Check superblock csum type to avoid 0 division or array overflow.
From: David Sterba <dsterba@suse.cz>
To: Qu Wenruo <quwenruo@cn.fujitsu.com>
Date: 2015-04-24 00:16

> On Thu, Apr 23, 2015 at 09:31:21AM +0800, Qu Wenruo wrote:
>> Current btrfs only supports CRC32 checksum, and if csum_type is 1, we
>> will get 0 csum size, causing a 0 division that later destroys the whole kernel.
>> Or if csum_type is larger than 1, we will get data from other random memory,
>> causing more problems.
>
> The check for csum type is already there in btrfs_check_super_csum, but
> it's wrong and should be fixed.
>
> 	btrfs_csum_sizes = { 4, 0 };
>
> 	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
> 		printk(KERN_ERR "BTRFS: unsupported checksum algorithm %u\n",
> 				csum_type);
> 		ret = 1;
> 	}
>
> and the check fails to catch csum_type == 1.
>
Thanks for pointing out the existing code, I'll update the patch.

Thanks,
Qu
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h index f9c89ca..d6f3aa0 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h @@ -173,6 +173,7 @@ struct btrfs_ordered_sum; /* csum types */ #define BTRFS_CSUM_TYPE_CRC32 0 +#define BTRFS_CSUM_LAST_TYPE 0 static int btrfs_csum_sizes[] = { 4, 0 }; diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 639f266..8687ab5 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -3885,6 +3885,13 @@ static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info, ret = -EINVAL; } + /* Also check csum type, to avoid 0 csum_size */ + if (btrfs_super_csum_type(sb) > BTRFS_CSUM_LAST_TYPE) { + printk(KERN_ERR "BTRFS: unsupported checksum type: %d\n", + btrfs_super_csum_type(sb)); + ret = -EINVAL; + } + if (memcmp(fs_info->fsid, sb->dev_item.fsid, BTRFS_UUID_SIZE) != 0) { printk(KERN_ERR "BTRFS: dev_item UUID does not match fsid: %pU != %pU\n", fs_info->fsid, sb->dev_item.fsid);
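Review bot: In the fs/btrfs/ctree.h hunk, BTRFS_CSUM_LAST_TYPE becomes a second source of truth beside btrfs_csum_sizes[], which still ends in a 0 entry, so ARRAY_SIZE(btrfs_csum_sizes) stays 2 and any bounds check derived from the table keeps accepting csum_type 1. Consider dropping the trailing 0 from the table, or deriving the limit from the table, so that adding a checksum type later is a single change; if both are kept, add a comment that the constant and the table must be updated together.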
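Review bot: The new test in btrfs_check_super_valid() in the fs/btrfs/disk-io.c hunk duplicates the csum_type check that btrfs_check_super_csum() already carries, as quoted in the reply, and leaves that existing check still accepting csum_type 1; correcting the existing check would keep the validation in one place. If this hunk stays, print the value with %u as the existing message does rather than %d, and read btrfs_super_csum_type(sb) once into a local instead of calling it twice.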
Current btrfs only supports CRC32 checksum, and if csum_type is 1, we
will get 0 csum size, causing a 0 division that later destroys the whole kernel.
Or if csum_type is larger than 1, we will get data from other random memory,
causing more problems.

So check csum_type in btrfs_check_super_valid() to avoid such a hostile attack.

Reported-by: Lukas Lueg <lukas.lueg@gmail.com>
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
---
 fs/btrfs/ctree.h   | 1 +
 fs/btrfs/disk-io.c | 7 +++++++
 2 files changed, 8 insertions(+)
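
The gap discussed in this thread, as an added example that is not part of the original messages or the kernel source: it sweeps every 16-bit csum_type value through the quoted ARRAY_SIZE check, the check from the patch, and a table-driven variant, counting accepted values that would yield a zero or out-of-table size. The accept_* and count_unsafe_accepted names are hypothetical, and a 16-bit csum_type field is assumed.

```c
/* Added illustration, not kernel code. Taken from the thread: the
 * btrfs_csum_sizes table, the ARRAY_SIZE comparison, BTRFS_CSUM_LAST_TYPE.
 * Function names are hypothetical; a 16-bit csum_type is assumed.
 * Each accept_* function returns 1 to accept a csum_type, 0 to reject. */
#include <stdint.h>
#include <stdio.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define BTRFS_CSUM_LAST_TYPE 0                   /* constant added by the patch */

static const int btrfs_csum_sizes[] = { 4, 0 };  /* table as quoted in the thread */

/* Existing check quoted in the reply: bounds only. */
static int accept_array_size(uint16_t t)
{
	return !(t >= ARRAY_SIZE(btrfs_csum_sizes));
}

/* Check added by the patch: compare against the separate constant. */
static int accept_last_type(uint16_t t)
{
	return !(t > BTRFS_CSUM_LAST_TYPE);
}

/* Hypothetical table-driven check: in bounds and a non-zero size. */
static int accept_nonzero_size(uint16_t t)
{
	return t < ARRAY_SIZE(btrfs_csum_sizes) && btrfs_csum_sizes[t] != 0;
}

/* Sweep every 16-bit value; count accepted types that are outside the
 * table or map to size 0, which a later division would use as divisor. */
static unsigned count_unsafe_accepted(int (*accept)(uint16_t))
{
	unsigned unsafe = 0;
	for (uint32_t t = 0; t <= UINT16_MAX; t++) {
		if (!accept((uint16_t)t))
			continue;
		if (t >= ARRAY_SIZE(btrfs_csum_sizes) || btrfs_csum_sizes[t] == 0)
			unsafe++;
	}
	return unsafe;
}

int main(void)
{
	printf("ARRAY_SIZE check: %u\n", count_unsafe_accepted(accept_array_size));
	printf("LAST_TYPE check:  %u\n", count_unsafe_accepted(accept_last_type));
	printf("non-zero size:    %u\n", count_unsafe_accepted(accept_nonzero_size));
	return 0;
}
```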