Message ID | 20210628101637.349718-2-wqu@suse.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | btrfs: allow BTRFS_IOC_SNAP_DESTROY_V2 to remove ghost subvolume | expand |
On 28/6/21 6:16 pm, Qu Wenruo wrote: > Ioctl BTRFS_IOC_SNAP_DESTROY_V2 supports a flag to delete a subvolume > using root id directly. > > We check the target root id against BTRFS_FIRST_FREE_OBJECTID, but not > again BTRFS_LAST_FREE_OBJECTID. > > This means if user passes rootid like DATA_RELOC (-9) or TREE_RELOC > (-8), we can pass the check, then get caught by later dentry check and > got error number -ENOENT, other than -EINVAL. > > It's not a big deal as we have extra safe nets to prevent those > trees get removed, it's still better to do the extra check and return > proper -EINVAL error. > > Signed-off-by: Qu Wenruo <wqu@suse.com> Reviewed-by: Anand Jain <anand.jain@oracle.com> Thanks, -Anand > --- > fs/btrfs/ioctl.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c > index 0ba98e08a029..889e27c24e3a 100644 > --- a/fs/btrfs/ioctl.c > +++ b/fs/btrfs/ioctl.c > @@ -2932,7 +2932,8 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file, > if (err) > goto out; > } else { > - if (vol_args2->subvolid < BTRFS_FIRST_FREE_OBJECTID) { > + if (vol_args2->subvolid < BTRFS_FIRST_FREE_OBJECTID || > + vol_args2->subvolid > BTRFS_LAST_FREE_OBJECTID) { > err = -EINVAL; > goto out; > } >
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 0ba98e08a029..889e27c24e3a 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2932,7 +2932,8 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file, if (err) goto out; } else { - if (vol_args2->subvolid < BTRFS_FIRST_FREE_OBJECTID) { + if (vol_args2->subvolid < BTRFS_FIRST_FREE_OBJECTID || + vol_args2->subvolid > BTRFS_LAST_FREE_OBJECTID) { err = -EINVAL; goto out; }
Ioctl BTRFS_IOC_SNAP_DESTROY_V2 supports a flag to delete a subvolume using root id directly. We check the target root id against BTRFS_FIRST_FREE_OBJECTID, but not again BTRFS_LAST_FREE_OBJECTID. This means if user passes rootid like DATA_RELOC (-9) or TREE_RELOC (-8), we can pass the check, then get caught by later dentry check and got error number -ENOENT, other than -EINVAL. It's not a big deal as we have extra safe nets to prevent those trees get removed, it's still better to do the extra check and return proper -EINVAL error. Signed-off-by: Qu Wenruo <wqu@suse.com> --- fs/btrfs/ioctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)