Commit f716abd5 authored by Liu Bo's avatar Liu Bo Committed by David Sterba
Browse files

Btrfs: fix out of bounds array access while reading extent buffer 



There is a corner case that slips through the checkers in functions
reading extent buffer, ie.

if (start < eb->len) and (start + len > eb->len),
then

a) map_private_extent_buffer() returns immediately because
it's thinking the range spans across two pages,

b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
and WARN_ON(start + len > eb->start + eb->len), both are OK in this
corner case, but it'd actually try to access the eb->pages out of
bounds because of (start + len > eb->len).

The case is found by switching extent inline ref type from shared data
ref to non-shared data ref, which is a kind of metadata corruption.

It'd use the wrong helper to access the eb,
eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
here is "struct btrfs_shared_data_ref".  And if the extent item
happens to be the first item in the eb, then offset/length will get
over eb->len which ends up an invalid memory access.

This is adding proper checks in order to avoid invalid memory access,
ie. 'general protection fault', before it's too late.

Reviewed-by: default avatarFilipe Manana <fdmanana@suse.com>
Signed-off-by: default avatarLiu Bo <bo.li.liu@oracle.com>
Signed-off-by: default avatarChris Mason <clm@fb.com>
Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
parent c59efa7e

fs/btrfs/extent_io.c

+12 −8
Original line number Diff line number Diff line
@@ -5404,8 +5404,12 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv, 
	size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);

	unsigned long i = (start_offset + start) >> PAGE_SHIFT;



	WARN_ON(start > eb->len);

	WARN_ON(start + len > eb->start + eb->len);

	if (start + len > eb->len) {

		WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",

		     eb->start, eb->len, start, len);

		memset(dst, 0, len);

		return;

	}



	offset = (start_offset + start) & (PAGE_SIZE - 1);
@@ -5478,6 +5482,12 @@ int map_private_extent_buffer(const struct extent_buffer *eb, 
	unsigned long end_i = (start_offset + start + min_len - 1) >>

		PAGE_SHIFT;



	if (start + min_len > eb->len) {

		WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",

		       eb->start, eb->len, start, min_len);

		return -EINVAL;

	}



	if (i != end_i)

		return 1;
@@ -5489,12 +5499,6 @@ int map_private_extent_buffer(const struct extent_buffer *eb, 
		*map_start = ((u64)i << PAGE_SHIFT) - start_offset;

	}



	if (start + min_len > eb->len) {

		WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",

		       eb->start, eb->len, start, min_len);

		return -EINVAL;

	}



	p = eb->pages[i];

	kaddr = page_address(p);

	*map = kaddr + offset;

CRA Git | Maintained and supported by SUSTech CRA and CCSE