• Su Yue's avatar
    btrfs: Check name_len with boundary in verify dir_item · e79a3327
    Su Yue authored
    Originally, verify_dir_item verifies name_len of dir_item with fixed
    values but not item boundary.
    If corrupted name_len was not bigger than the fixed value, for example
    255, the function will think the dir_item is fine. And then reading
    beyond boundary will cause crash.
    
    Example:
    	1. Corrupt one dir_item name_len to be 255.
            2. Run 'ls -lar /mnt/test/ > /dev/null'
    dmesg:
    [   48.451449] BTRFS info (device vdb1): disk space caching is enabled
    [   48.451453] BTRFS info (device vdb1): has skinny extents
    [   48.489420] general protection fault: 0000 [#1] SMP
    [   48.489571] Modules linked in: ext4 jbd2 mbcache btrfs xor raid6_pq
    [   48.489716] CPU: 1 PID: 2710 Comm: ls Not tainted 4.10.0-rc1 #5
    [   48.489853] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
    [   48.490008] task: ffff880035df1bc0 task.stack: ffffc90004800000
    [   48.490008] RIP: 0010:read_extent_buffer+0xd2/0x190 [btrfs]
    [   48.490008] RSP: 0018:ffffc90004803d98 EFLAGS: 00010202
    [   48.490008] RAX: 000000000000001b RBX: 000000000000001b RCX: 0000000000000000
    [   48.490008] RDX: ffff880079dbf36c RSI: 0005080000000000 RDI: ffff880079dbf368
    [   48.490008] RBP: ffffc90004803dc8 R08: ffff880078e8cc48 R09: ffff880000000000
    [   48.490008] R10: 0000160000000000 R11: 0000000000001000 R12: ffff880079dbf288
    [   48.490008] R13: ffff880078e8ca88 R14: 0000000000000003 R15: ffffc90004803e20
    [   48.490008] FS:  00007fef50c60800(0000) GS:ffff88007d400000(0000) knlGS:0000000000000000
    [   48.490008] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   48.490008] CR2: 000055f335ac2ff8 CR3: 000000007356d000 CR4: 00000000001406e0
    [   48.490008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [   48.490008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [   48.490008] Call Trace:
    [   48.490008]  btrfs_real_readdir+0x3b7/0x4a0 [btrfs]
    [   48.490008]  iterate_dir+0x181/0x1b0
    [   48.490008]  SyS_getdents+0xa7/0x150
    [   48.490008]  ? fillonedir+0x150/0x150
    [   48.490008]  entry_SYSCALL_64_fastpath+0x18/0xad
    [   48.490008] RIP: 0033:0x7fef5032546b
    [   48.490008] RSP: 002b:00007ffeafcdb830 EFLAGS: 00000206 ORIG_RAX: 000000000000004e
    [   48.490008] RAX: ffffffffffffffda RBX: 00007fef5061db38 RCX: 00007fef5032546b
    [   48.490008] RDX: 0000000000008000 RSI: 000055f335abaff0 RDI: 0000000000000003
    [   48.490008] RBP: 00007fef5061dae0 R08: 00007fef5061db48 R09: 0000000000000000
    [   48.490008] R10: 000055f335abafc0 R11: 0000000000000206 R12: 00007fef5061db38
    [   48.490008] R13: 0000000000008040 R14: 00007fef5061db38 R15: 000000000000270e
    [   48.490008] RIP: read_extent_buffer+0xd2/0x190 [btrfs] RSP: ffffc90004803d98
    [   48.499455] ---[ end trace 321920d8e8339505 ]---
    
    Fix it by adding a parameter @slot and check name_len with item boundary
    by calling btrfs_is_name_len_valid.
    Signed-off-by: default avatarSu Yue <suy.fnst@cn.fujitsu.com>
    rev
    Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
    e79a3327
dir-item.c 14.7 KB