Message-ID: <0cc81bcf-b830-4ec3-8d5e-67afbc2e7c47@allelesecurity.com>
Date: Mon, 8 Sep 2025 09:49:02 -0300
From: Anderson Nascimento <anderson@...elesecurity.com>
To: clm@...com, josef@...icpanda.com, dsterba@...e.com,
 linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] btrfs: Avoid potential out-of-bounds in btrfs_encode_fh()

Hello all,

The function btrfs_encode_fh() does not properly account for the three 
cases it handles.

Before writing to the file handle (fh), the function only returns to the 
user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or 
BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).

However, when a parent exists and the root ID of the parent and the 
inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT 
(10 dwords, 40 bytes).

If *max_len is not large enough, this write goes out of bounds because 
BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than 
BTRFS_FID_SIZE_CONNECTABLE originally returned.

This results in an 8-byte out-of-bounds write at 
fid->parent_root_objectid = parent_root_id.

A previous attempt to fix this issue was made but was lost.

https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/

Although this issue does not seem to be easily triggerable, it is a 
potential memory corruption bug that should be fixed. This patch 
resolves the issue by ensuring the function returns the appropriate size 
for all three cases and validates that *max_len is large enough before 
writing any data.

Tested on v6.17-rc4.

Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
Signed-off-by: Anderson Nascimento <anderson@...elesecurity.com>
---

fs/btrfs/export.c | 7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)

View attachment "btrfs_out_of_bounds_in_btrfs_encode_fh.patch" of type "text/x-patch" (1054 bytes)

Powered by blists - more mailing lists