| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jun 2019 19:51:49 +0800
From: Young Xiao <92siuyang@...il.com>
To: clm@...com, josef@...icpanda.com, dsterba@...e.com,
linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Young Xiao <92siuyang@...il.com>
Subject: [PATCH] btrfs: fix out of bounds array access while reading extent buffer
There is a corner case that slips through the checkers in functions
reading extent buffer, ie.
if (start < eb->len) and (start + len > eb->len), then:
the checkers in read_extent_buffer_to_user(), and memcmp_extent_buffer()
WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len),
both are OK in this corner case, but it'd actually try to access the eb->pages
out of bounds because of (start + len > eb->len).
This is adding proper checks in order to avoid invalid memory access,
ie. 'general protection fault', before it's too late.
See commit f716abd55d1e ("Btrfs: fix out of bounds array access while
reading extent buffer") for details.
Signed-off-by: Young Xiao <92siuyang@...il.com>
---
fs/btrfs/extent_io.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index db337e5..dcf3b2e 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -5476,8 +5476,12 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
int ret = 0;
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(dst, 0, len);
+ return;
+ }
offset = offset_in_page(start_offset + start);
@@ -5554,8 +5558,12 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
int ret = 0;
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(ptr, 0, len);
+ return;
+ }
offset = offset_in_page(start_offset + start);
--
2.7.4
Powered by blists - more mailing lists