From patchwork Thu Jun 25 16:06:13 2015
X-Patchwork-Submitter: David Sterba
X-Patchwork-Id: 6676381
Date: Thu, 25 Jun 2015 18:06:13 +0200
From: David Sterba
To: Josef Bacik
Cc: dsterba@suse.cz, Robert Marklund, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH] check: check so offset is not bigger then the leaf
Message-ID: <20150625160613.GK726@twin.jikos.cz>
References: <1434585553-8697-1-git-send-email-robbelibobban@gmail.com> <20150618164443.GH6761@twin.jikos.cz> <5582FD06.2010004@fb.com>
In-Reply-To: <5582FD06.2010004@fb.com>

On Thu, Jun 18, 2015 at 10:16:54AM -0700, Josef Bacik wrote:
> On 06/18/2015 09:44 AM, David Sterba wrote:
> > On Thu, Jun 18, 2015 at 01:59:13AM +0200, Robert Marklund wrote:
> >> This could crash before because of dangerous dangling
> >> offset of pointer.
> >
> > That's right, this can happen. There are more btrfs_item_ptr that would
> > be good to validate that way, namely in the checker as it's most likely
> > to see corrupted data.
> >
>
> The check_block stuff should be doing this, if it isn't that's where we
> need to fix it. Thanks,

Something like that?

---
Compile-tested only.

--- a/ctree.c +++ b/ctree.c 
@@ -521,6 +521,19 @@ btrfs_check_leaf(struct btrfs_root *root, struct btrfs_disk_key *parent_key, goto fail; } } + + for (i = 0; i < nritems; i++) { + void *tmp; + + tmp = btrfs_item_ptr(buf, i, void); + if ((long)tmp >= BTRFS_LEAF_DATA_SIZE(root)) { + ret = BTRFS_TREE_BLOCK_INVALID_OFFSETS; + fprintf(stderr, "bad item pointer %lu\n", + (long)tmp); + goto fail; + } + } + return BTRFS_TREE_BLOCK_CLEAN; fail: if (btrfs_header_owner(buf) == BTRFS_EXTENT_TREE_OBJECTID) {
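Review bot: The new loop in btrfs_check_leaf() bounds only the start of each item: `(long)tmp >= BTRFS_LEAF_DATA_SIZE(root)` takes no account of the item's size, so an item whose start passes the test but whose data runs past the end of the leaf still falls through to BTRFS_TREE_BLOCK_CLEAN. Checking the end of the item against the limit (for example btrfs_item_offset_nr(buf, i) + btrfs_item_size_nr(buf, i)) would cover that case. The comparison is also only meaningful if btrfs_item_ptr() yields a value measured from the same base as BTRFS_LEAF_DATA_SIZE(root); comparing the raw item offset would make that explicit instead of casting a void * to long. In the fprintf, %lu is paired with a (long) argument; use %ld or cast to unsigned long. Given the "Compile-tested only" remark, a run against a leaf with a known bad item offset would be worth doing before this goes in.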