From 43d10880aa4ac713cf73dbac428be9671ef1bf9d Mon Sep 17 00:00:00 2001
From: David Sterba <dsterba@suse.com>
Date: Mon, 30 Nov 2015 17:27:06 +0100
Subject: [PATCH 1/2] btrfs: handle invalid num_stripes in sys_array
We can handle the special case of num_stripes == 0 directly inside
btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to
catch other unhandled cases where we fail to validate external data.
A crafted or corrupted image crashes at mount time:
BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0
BTRFS info (device loop0): disk space caching is enabled
BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()!
Kernel panic - not syncing: BUG!
CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25
Stack:
637af890 60062489 602aeb2e 604192ba
60387961 00000011 637af8a0 6038a835
637af9c0 6038776b 634ef32b 00000000
Call Trace:
[<6001c86d>] show_stack+0xfe/0x15b
[<6038a835>] dump_stack+0x2a/0x2c
[<6038776b>] panic+0x13e/0x2b3
[<6020f099>] btrfs_read_sys_array+0x25d/0x2ff
[<601cfbbe>] open_ctree+0x192d/0x27af
[<6019c2c1>] btrfs_mount+0x8f5/0xb9a
[<600bc9a7>] mount_fs+0x11/0xf3
[<600d5167>] vfs_kern_mount+0x75/0x11a
[<6019bcb0>] btrfs_mount+0x2e4/0xb9a
[<600bc9a7>] mount_fs+0x11/0xf3
[<600d5167>] vfs_kern_mount+0x75/0x11a
[<600d710b>] do_mount+0xa35/0xbc9
[<600d7557>] SyS_mount+0x95/0xc8
[<6001e884>] handle_syscall+0x6b/0x8e
Reported-by: Jiri Slaby <jslaby@suse.com>
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
CC: stable@vger.kernel.org # 3.19+
Signed-off-by: David Sterba <dsterba@suse.com>
---
fs/btrfs/volumes.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 6fc735869c18..b816b3a2e118 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -6399,6 +6399,14 @@ int btrfs_read_sys_array(struct btrfs_root *root)
goto out_short_read;
num_stripes = btrfs_chunk_num_stripes(sb, chunk);
+ if (!num_stripes) {
+ printk(KERN_ERR
+ "BTRFS: invalid number of stripes %u in sys_array at offset %u\n",
+ num_stripes, cur_offset);
+ ret = -EIO;
+ break;
+ }
+
len = btrfs_chunk_item_size(num_stripes);
if (cur_offset + len > array_size)
goto out_short_read;
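Review bot: The new check rejects only `num_stripes == 0`, so any nonzero on-disk count still reaches `btrfs_chunk_item_size()` unvalidated; that is safe here only because the following `cur_offset + len > array_size` test bounds the computed item length against the array, and the guard deserves a comment pinning that ordering so a later refactor does not move the size computation ahead of it, e.g. `/* num_stripes is untrusted on-disk data: zero would trip the BUG_ON in btrfs_chunk_item_size(), larger values are bounded by the array_size check below */`. The rejection is also logged with a bare `printk(KERN_ERR "BTRFS: ...")` while the mount messages quoted in the report carry the device (`BTRFS info (device loop0): ...`), so if this file has a device-tagged helper along the lines of `btrfs_err(root->fs_info, "invalid number of stripes %u in sys_array at offset %u", num_stripes, cur_offset);` the new message should use it so an operator can tell which image was refused. Since this is patch 1/2, I assume the chunk-tree reader that consumes the same on-disk field gets an equivalent zero check in the second patch; if it does not, the same crafted image would still hit the BUG_ON through that path. btrfs_read_sys_array begins and ends outside this hunk.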
--
2.5.0