| Message ID | 817cdc0c65b00491a78d7f47efddffa1f76ab087.1717544015.git.wqu@suse.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | btrfs-progs: small bug fixes | expand |
diff --git a/kernel-shared/print-tree.c b/kernel-shared/print-tree.c index 1b9386d87a0a..9a72ba39b426 100644 --- a/kernel-shared/print-tree.c +++ b/kernel-shared/print-tree.c @@ -78,6 +78,11 @@ static void print_dir_item(struct extent_buffer *eb, u32 size, printf("\n"); name_len = btrfs_dir_name_len(eb, di); data_len = btrfs_dir_data_len(eb, di); + if (data_len + name_len + cur > size) { + error("invalid length, cur=%u name_len=%u data_len=%u size=%u\n", + cur, name_len, data_len, size); + break; + } len = (name_len <= sizeof(namebuf))? name_len: sizeof(namebuf); printf("\t\ttransid %llu data_len %u name_len %u\n", btrfs_dir_transid(eb, di),
There is a bug report that with UBSAN enabled, fuzz/006 test case would crash. It turns out that the image bko-154021-invalid-drop-level.raw has invalid dir items, that the name/data len is beyond the item. And if we try to read beyond the eb boundary, UBSAN got triggered. Normally in kernel tree-checker would reject such metadata in the first place, but in btrfs-progs we can not go that strict or we can not do a lot of repair. So here just enhance print_dir_item() to do extra sanity checks for data/name len before reading the contents. Issue: #805 Signed-off-by: Qu Wenruo <wqu@suse.com> --- kernel-shared/print-tree.c | 5 +++++ 1 file changed, 5 insertions(+)