Commit 028a0a83 authored by Quentin Casasnovas's avatar Quentin Casasnovas Committed by Luis Henriques

Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

commit dd9ef135 upstream.

Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.
Signed-off-by: default avatarQuentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: default avatarDavid Sterba <dsterba@suse.cz>
Signed-off-by: default avatarChris Mason <clm@fb.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent f8da4b44
...@@ -1007,7 +1007,7 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans, ...@@ -1007,7 +1007,7 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
base = btrfs_item_ptr_offset(leaf, path->slots[0]); base = btrfs_item_ptr_offset(leaf, path->slots[0]);
while (cur_offset < item_size) { while (cur_offset < item_size) {
extref = (struct btrfs_inode_extref *)base + cur_offset; extref = (struct btrfs_inode_extref *)(base + cur_offset);
victim_name_len = btrfs_inode_extref_name_len(leaf, extref); victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment