Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

commit dd9ef135 upstream. Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.cz> Signed-off-by: Chris Mason <clm@fb.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
commit dd9ef135 upstream. Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.cz> Signed-off-by: Chris Mason <clm@fb.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
028a0a83 · Quentin Casasnovas · Luis Henriques · f8da4b44 · 028a0a83
Commit 028a0a83 authored Mar 03, 2015 by Quentin Casasnovas Committed by Luis Henriques Mar 18, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

fs/btrfs/tree-log.c fs/btrfs/tree-log.c +1 -1

No files found.
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1007,7 +1007,7 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
 		base = btrfs_item_ptr_offset(leaf, path->slots[0]);

 		while (cur_offset < item_size) {
-			extref = (struct btrfs_inode_extref *)base + cur_offset;
+			extref = (struct btrfs_inode_extref *)(base + cur_offset);

 			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);