Commit e3540eab authored by David Sterba's avatar David Sterba Committed by Chris Mason

btrfs: add more checks to btrfs_read_sys_array

Verify that the sys_array has enough bytes to read the next item.
Signed-off-by: default avatarDavid Sterba <dsterba@suse.cz>
Signed-off-by: default avatarChris Mason <clm@fb.com>
parent 1ffb22cf
...@@ -6296,20 +6296,34 @@ int btrfs_read_sys_array(struct btrfs_root *root) ...@@ -6296,20 +6296,34 @@ int btrfs_read_sys_array(struct btrfs_root *root)
while (cur_offset < array_size) { while (cur_offset < array_size) {
disk_key = (struct btrfs_disk_key *)array_ptr; disk_key = (struct btrfs_disk_key *)array_ptr;
len = sizeof(*disk_key);
if (cur_offset + len > array_size)
goto out_short_read;
btrfs_disk_key_to_cpu(&key, disk_key); btrfs_disk_key_to_cpu(&key, disk_key);
len = sizeof(*disk_key);
array_ptr += len; array_ptr += len;
sb_array_offset += len; sb_array_offset += len;
cur_offset += len; cur_offset += len;
if (key.type == BTRFS_CHUNK_ITEM_KEY) { if (key.type == BTRFS_CHUNK_ITEM_KEY) {
chunk = (struct btrfs_chunk *)sb_array_offset; chunk = (struct btrfs_chunk *)sb_array_offset;
/*
* At least one btrfs_chunk with one stripe must be
* present, exact stripe count check comes afterwards
*/
len = btrfs_chunk_item_size(1);
if (cur_offset + len > array_size)
goto out_short_read;
num_stripes = btrfs_chunk_num_stripes(sb, chunk);
len = btrfs_chunk_item_size(num_stripes);
if (cur_offset + len > array_size)
goto out_short_read;
ret = read_one_chunk(root, &key, sb, chunk); ret = read_one_chunk(root, &key, sb, chunk);
if (ret) if (ret)
break; break;
num_stripes = btrfs_chunk_num_stripes(sb, chunk);
len = btrfs_chunk_item_size(num_stripes);
} else { } else {
ret = -EIO; ret = -EIO;
break; break;
...@@ -6320,6 +6334,12 @@ int btrfs_read_sys_array(struct btrfs_root *root) ...@@ -6320,6 +6334,12 @@ int btrfs_read_sys_array(struct btrfs_root *root)
} }
free_extent_buffer(sb); free_extent_buffer(sb);
return ret; return ret;
out_short_read:
printk(KERN_ERR "BTRFS: sys_array too short to read %u bytes at offset %u\n",
len, cur_offset);
free_extent_buffer(sb);
return -EIO;
} }
int btrfs_read_chunk_tree(struct btrfs_root *root) int btrfs_read_chunk_tree(struct btrfs_root *root)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment