Commit 85d07fbe authored by Daniel Xu's avatar Daniel Xu Committed by David Sterba
Browse files

btrfs: tree-checker: validate number of chunk stripes and parity 



If there's no parity and num_stripes < ncopies, a crafted image can
trigger a division by zero in calc_stripe_length().

The image was generated through fuzzing.

CC: stable@vger.kernel.org # 5.4+
Reviewed-by: default avatarQu Wenruo <wqu@suse.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209587


Signed-off-by: default avatarDaniel Xu <dxu@dxuuu.xyz>
Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
parent cad69d13

fs/btrfs/tree-checker.c

+18 −0
Original line number Diff line number Diff line
@@ -760,18 +760,36 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf, 
	u64 type;

	u64 features;

	bool mixed = false;

	int raid_index;

	int nparity;

	int ncopies;



	length = btrfs_chunk_length(leaf, chunk);

	stripe_len = btrfs_chunk_stripe_len(leaf, chunk);

	num_stripes = btrfs_chunk_num_stripes(leaf, chunk);

	sub_stripes = btrfs_chunk_sub_stripes(leaf, chunk);

	type = btrfs_chunk_type(leaf, chunk);

	raid_index = btrfs_bg_flags_to_raid_index(type);

	ncopies = btrfs_raid_array[raid_index].ncopies;

	nparity = btrfs_raid_array[raid_index].nparity;



	if (!num_stripes) {

		chunk_err(leaf, chunk, logical,

			  "invalid chunk num_stripes, have %u", num_stripes);

		return -EUCLEAN;

	}

	if (num_stripes < ncopies) {

		chunk_err(leaf, chunk, logical,

			  "invalid chunk num_stripes < ncopies, have %u < %d",

			  num_stripes, ncopies);

		return -EUCLEAN;

	}

	if (nparity && num_stripes == nparity) {

		chunk_err(leaf, chunk, logical,

			  "invalid chunk num_stripes == nparity, have %u == %d",

			  num_stripes, nparity);

		return -EUCLEAN;

	}

	if (!IS_ALIGNED(logical, fs_info->sectorsize)) {

		chunk_err(leaf, chunk, logical,

		"invalid chunk logical, have %llu should aligned to %u",

CRA Git | Maintained and supported by SUSTech CRA and CCSE