Message ID | 20190902234619.5888-1-wqu@suse.com (mailing list archive) |
---|---|
State | New, archived |
Series | btrfs: tree-checker: Check item size before reading file extent type |

On Tue, Sep 03, 2019 at 07:46:19AM +0800, Qu Wenruo wrote:
> In check_extent_data_item(), we read file extent type without verifying
> if the item size is valid.
>
> Add such check to ensure the file extent type we read is correct.
>
> The check is not as accurate as we need to cover both inline and regular
> extents, so it only checks if the item size is larger or equal to inline
> header.
> So the existing size checks on inline/regular extents are still needed.
>
> Signed-off-by: Qu Wenruo <wqu@suse.com>

I lost track of this patch, now added to for-next. Thanks.

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index 15d1aa7cef1f..22e6474f9d4e 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -143,6 +143,17 @@ static int check_extent_data_item(struct extent_buffer *leaf, fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); + /* + * Make sure the item contains at least inline header, so the file + * extent type is not some garbage. + */ + if (item_size < BTRFS_FILE_EXTENT_INLINE_DATA_START) { + file_extent_err(leaf, slot, + "invalid item size, have %u expect [%lu, %u)", + item_size, BTRFS_FILE_EXTENT_INLINE_DATA_START, + SZ_4K); + return -EUCLEAN; + } if (btrfs_file_extent_type(leaf, fi) > BTRFS_FILE_EXTENT_TYPES) { file_extent_err(leaf, slot, "invalid type for file extent, have %u expect range [0, %u]",
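
Review bot: the error string in the new `item_size` check prints a range, `"invalid item size, have %u expect [%lu, %u)"` with `SZ_4K` as the upper bound, but the condition only tests `item_size < BTRFS_FILE_EXTENT_INLINE_DATA_START`, so the message advertises a limit this hunk never enforces and that is a fixed constant rather than anything taken from `leaf`. Either report only the minimum (for example "have %u expect >= ...") or add the matching upper-bound test so the log line describes what was actually checked. A second, smaller point on the same call: `%lu` is paired with `BTRFS_FILE_EXTENT_INLINE_DATA_START`; if that macro expands to an `offsetof()` expression its type is `size_t`, and `%zu` is the specifier that stays correct on 32-bit builds.
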
In check_extent_data_item(), we read file extent type without verifying
if the item size is valid.

Add such check to ensure the file extent type we read is correct.

The check is not as accurate as we need to cover both inline and regular
extents, so it only checks if the item size is larger or equal to inline
header.
So the existing size checks on inline/regular extents are still needed.

Signed-off-by: Qu Wenruo <wqu@suse.com>

---

fs/btrfs/tree-checker.c | 11 +++++++++++
1 file changed, 11 insertions(+)