From patchwork Mon Apr 30 03:15:45 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Qu Wenruo X-Patchwork-Id: 10370717 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0473160383 for ; Mon, 30 Apr 2018 03:16:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EA90E289B2 for ; Mon, 30 Apr 2018 03:16:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DF296289B6; Mon, 30 Apr 2018 03:16:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 74A47289B2 for ; Mon, 30 Apr 2018 03:16:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751484AbeD3DQF (ORCPT ); Sun, 29 Apr 2018 23:16:05 -0400 Received: from victor.provo.novell.com ([137.65.250.26]:44941 "EHLO prv3-mh.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751334AbeD3DQD (ORCPT ); Sun, 29 Apr 2018 23:16:03 -0400 Received: from adam-pc.lan (prv-ext-foundry1int.gns.novell.com [137.65.251.240]) by prv3-mh.provo.novell.com with ESMTP (NOT encrypted); Sun, 29 Apr 2018 21:15:52 -0600 From: Qu Wenruo To: linux-btrfs@vger.kernel.org Subject: [PATCH 3/3] btrfs-progs: print-tree: Enhance btrfs_print_tree() check to avoid out-of-boundary memory access Date: Mon, 30 Apr 2018 11:15:45 +0800 Message-Id: <20180430031545.29891-3-wqu@suse.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180430031545.29891-1-wqu@suse.com> References: <20180430031545.29891-1-wqu@suse.com> Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP For btrfs_print_tree(), if nr_items is corrupted, it can easily go beyond extent buffer boundary. Add extra nr_item check, and only print as many valid slots as possible. Signed-off-by: Qu Wenruo --- print-tree.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/print-tree.c b/print-tree.c index 31a851ef4413..55db80bebb2a 100644 --- a/print-tree.c +++ b/print-tree.c @@ -1376,6 +1376,11 @@ void btrfs_print_tree(struct extent_buffer *eb, int follow) btrfs_print_leaf(eb); return; } + /* We are crossing eb boundary, this node must be corrupted */ + if (nr > BTRFS_NODEPTRS_PER_EXTENT_BUFFER(eb)) + warning( + "node nr_items corrupted, has %u limit %u, continue print anyway", + nr, BTRFS_NODEPTRS_PER_EXTENT_BUFFER(eb)); printf("node %llu level %d items %d free %u generation %llu owner ", (unsigned long long)eb->start, btrfs_header_level(eb), nr, @@ -1386,7 +1391,11 @@ void btrfs_print_tree(struct extent_buffer *eb, int follow) print_uuids(eb); fflush(stdout); for (i = 0; i < nr; i++) { - u64 blocknr = btrfs_node_blockptr(eb, i); + u64 blocknr; + + if (i > BTRFS_NODEPTRS_PER_EXTENT_BUFFER(eb)) + break; + blocknr = btrfs_node_blockptr(eb, i); btrfs_node_key(eb, &disk_key, i); btrfs_disk_key_to_cpu(&key, &disk_key); printf("\t");