• Nikolay Borisov's avatar
    btrfs: Fix out of bounds access in btrfs_search_slot · 9ea2c7c9
    Nikolay Borisov authored
    When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then
    the level variable is going to be 7 (this is the max height of the
    tree). On the other hand btrfs_cow_block is always called with
    "level + 1" as an index into the nodes and slots arrays. This leads to
    an out of bounds access. Admittdely this will be benign since an OOB
    access of the nodes array will likely read the 0th element from the
    slots array, which in this case is going to be 0 (since we start CoW at
    the top of the tree). The OOB access into the slots array in turn will
    read the 0th and 1st values of the locks array, which would both be 0
    at the time. However, this benign behavior relies on the fact that the
    path being passed hasn't been initialised, if it has already been used to
    query a btree then it could potentially have populated the nodes/slots arrays.
    
    Fix it by explicitly checking if we are at level 7 (the maximum allowed
    index in nodes/slots arrays) and explicitly call the CoW routine with
    NULL for parent's node/slot.
    Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
    Fixes-coverity-id: 711515
    Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
    Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
    9ea2c7c9
ctree.c 153 KB