"btrfs send -p" fails if source and parent subvolumes are on different mountpoints (memory corruption) #96
Add additional bound checks to prevent memory corruption on incorrect usage of subvol_strip_mountpoint. Assert sane return value by properly comparing the mount point to the full_path before stripping it off.

Mitigates issue: "btrfs send -p" fails if source and parent subvolumes are on different mountpoints (memory corruption): kdave#96

Note that this does not properly fix this bug, but prevents a possible security issue by unexpected usage of "btrfs send -p".

Signed-off-by: Axel Burri <axel@tty0.ch>
Added pull request: #98

With the patch applied, the test above gives:

Still an error, but at least the memory corruption is gone.
Add additional bound checks to prevent memory corruption on incorrect usage of subvol_strip_mountpoint. Assert sane return value by properly comparing the mount point to the full_path before stripping it off.

Mitigates issue: "btrfs send -p" fails if source and parent subvolumes are on different mountpoints (memory corruption): #96

Note that this does not properly fix this bug, but prevents a possible security issue by unexpected usage of "btrfs send -p".

Issue: #96
Pull-request: #98
Signed-off-by: Axel Burri <axel@tty0.ch>
Signed-off-by: David Sterba <dsterba@suse.com>

Add testcase from issue, use reproducer from Axel Burri.

Issue: #96
Signed-off-by: David Sterba <dsterba@suse.com>
I've created a testcase from the instruction you provided. Closing, thanks.
… as candidates for best common parent

Dropped reading of subvolid and realpath by btrfs_subvolume_show(), we now always read /proc/self/mounts (and call readlink).

When picking the best common parent in get_best_parent(), we want to list as many snapshots as possible. For now, we list all from the mountpoint of snaproot ($sroot/<snapshot_dir>), due to a bug in btrfs-progs [1].

Also added code (commented out) to list snapshots from all known mountpoints.

[1] kdave/btrfs-progs#96
This workaround seems to have killed btrfs send for me completely.

I was able to reproduce this, and added pull request #138 which fixes this problem.
Allowed values for "incremental_resolve":

- "mountpoint" (default): Use parents in the filesystem tree below mount points of source `<volume-directory>/<snapshot-dir>` and target `<target-directory>`.
- "directory": Use parents strictly below source/target directories. Useful when restricting access, e.g. when using ssh_filter_btrbk.sh.
- "_all_accessible" (experimental): Use parents from all mount points.

Note that using "_all_accessible" causes btrfs-progs to fail:

- btrfs send -p: "ERROR: not on mount point: /path/to/mountpoint"
- btrfs receive: "ERROR: parent subvol is not reachable from inside the root subvol"

see also: kdave/btrfs-progs#96
If source and parent subvolumes are on different mountpoints,
btrfs send -p <parent> <source>
fails with memory corruption.

In cmds-send.c, it is wrongly assumed that source and parent share the same mountpoint [1], leading to subvol_strip_mountpoint() returning a char* pointer which can exceed the length of full_path (no bounds checking) [2].
[1] https://github.com/kdave/btrfs-progs/blob/v4.15/cmds-send.c#L657
[2] https://github.com/kdave/btrfs-progs/blob/v4.15/utils.c#L2490
Steps to reproduce:
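The bounds problem described in this issue, as an added C sketch: it is not btrfs-progs code and not the patch from pull request #98. The function names and sample paths are hypothetical; the checked variant shows one way to compare the mount point against full_path before stripping it.

```c
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: the strip offset is strlen(mnt), chosen without looking
 * at full_path. Returns 1 when that offset lies past the end of full_path.
 * Only lengths are compared, so no out-of-bounds pointer is ever formed. */
static int unchecked_offset_overruns(const char *mnt, const char *full_path)
{
	return strlen(mnt) > strlen(full_path);
}

/* Checked variant (hypothetical helper): return full_path relative to mnt,
 * or NULL when full_path is not at or below mnt. */
static const char *strip_mountpoint_checked(const char *mnt, const char *full_path)
{
	size_t len = strlen(mnt);

	if (len == 0)
		return full_path;
	while (len > 1 && mnt[len - 1] == '/')	/* "/mnt/a/" -> "/mnt/a" */
		len--;
	/* strncmp stops at full_path's NUL, so a short full_path is safe here */
	if (strncmp(mnt, full_path, len) != 0)
		return NULL;
	if (len == 1 && mnt[0] == '/')		/* mount point is the root */
		return full_path + 1;
	if (full_path[len] == '\0')		/* path is the mount point itself */
		return full_path + len;
	if (full_path[len] != '/')		/* "/mnt/a" must not match "/mnt/ab" */
		return NULL;
	return full_path + len + 1;
}

int main(void)
{
	/* Constructed sample paths: parent and source on different mount points */
	const char *parent_mnt = "/mnt/parent_mount";
	const char *source = "/mnt/b/s";
	const char *rel = strip_mountpoint_checked(parent_mnt, source);

	printf("unchecked offset overruns: %d\n",
	       unchecked_offset_overruns(parent_mnt, source));
	printf("checked result: %s\n", rel ? rel : "(not on mount point)");
	return 0;
}
```
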