Commit e64d0b15 authored by Quentin Casasnovas's avatar Quentin Casasnovas Committed by Kamal Mostafa

Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

commit dd9ef135 upstream.

Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.
Signed-off-by: default avatarQuentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: default avatarDavid Sterba <dsterba@suse.cz>
Signed-off-by: default avatarChris Mason <clm@fb.com>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent 774a162f
......@@ -991,7 +991,7 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
base = btrfs_item_ptr_offset(leaf, path->slots[0]);
while (cur_offset < item_size) {
extref = (struct btrfs_inode_extref *)base + cur_offset;
extref = (struct btrfs_inode_extref *)(base + cur_offset);
victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment