• David Sterba's avatar
    btrfs: handle invalid num_stripes in sys_array · f5cdedd7
    David Sterba authored
    We can handle the special case of num_stripes == 0 directly inside
    btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to
    catch other unhandled cases where we fail to validate external data.
    
    A crafted or corrupted image crashes at mount time:
    
    BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0
    BTRFS info (device loop0): disk space caching is enabled
    BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()!
    Kernel panic - not syncing: BUG!
    CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25
    Stack:
     637af890 60062489 602aeb2e 604192ba
     60387961 00000011 637af8a0 6038a835
     637af9c0 6038776b 634ef32b 00000000
    Call Trace:
     [<6001c86d>] show_stack+0xfe/0x15b
     [<6038a835>] dump_stack+0x2a/0x2c
     [<6038776b>] panic+0x13e/0x2b3
     [<6020f099>] btrfs_read_sys_array+0x25d/0x2ff
     [<601cfbbe>] open_ctree+0x192d/0x27af
     [<6019c2c1>] btrfs_mount+0x8f5/0xb9a
     [<600bc9a7>] mount_fs+0x11/0xf3
     [<600d5167>] vfs_kern_mount+0x75/0x11a
     [<6019bcb0>] btrfs_mount+0x2e4/0xb9a
     [<600bc9a7>] mount_fs+0x11/0xf3
     [<600d5167>] vfs_kern_mount+0x75/0x11a
     [<600d710b>] do_mount+0xa35/0xbc9
     [<600d7557>] SyS_mount+0x95/0xc8
     [<6001e884>] handle_syscall+0x6b/0x8e
    Reported-by: default avatarJiri Slaby <jslaby@suse.com>
    Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
    CC: stable@vger.kernel.org	# 3.19+
    Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
    f5cdedd7
volumes.c 181 KB