[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0cc81bcf-b830-4ec3-8d5e-67afbc2e7c47@allelesecurity.com>
Date: Mon, 8 Sep 2025 09:49:02 -0300
From: Anderson Nascimento <anderson@...elesecurity.com>
To: clm@...com, josef@...icpanda.com, dsterba@...e.com,
linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] btrfs: Avoid potential out-of-bounds in btrfs_encode_fh()
Hello all,
The function btrfs_encode_fh() does not properly account for the three
cases it handles.
Before writing to the file handle (fh), the function only returns to the
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
However, when a parent exists and the root ID of the parent and the
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
(10 dwords, 40 bytes).
If *max_len is not large enough, this write goes out of bounds because
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
BTRFS_FID_SIZE_CONNECTABLE originally returned.
This results in an 8-byte out-of-bounds write at
fid->parent_root_objectid = parent_root_id.
A previous attempt to fix this issue was made but was lost.
https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
Although this issue does not seem to be easily triggerable, it is a
potential memory corruption bug that should be fixed. This patch
resolves the issue by ensuring the function returns the appropriate size
for all three cases and validates that *max_len is large enough before
writing any data.
Tested on v6.17-rc4.
Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
Signed-off-by: Anderson Nascimento <anderson@...elesecurity.com>
---
fs/btrfs/export.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
View attachment "btrfs_out_of_bounds_in_btrfs_encode_fh.patch" of type "text/x-patch" (1054 bytes)
Powered by blists - more mailing lists