Skip to content

Commit

Permalink
btrfs: tree-checker: check item_size for dev_item
Browse files Browse the repository at this point in the history 
commit ea1d1ca upstream.

Check item size before accessing the device item to avoid out of bound
access, similar to inode_item check.

Signed-off-by: Su Yue <l@damenly.su>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
@Damenly @gregkh
Damenly authored and gregkh committed Mar 2, 2022
1 parent 5c967dd commit 72a5b01
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions fs/btrfs/tree-checker.c
View file
Expand Up @@ -947,13 +947,21 @@ static int check_dev_item(struct extent_buffer *leaf,
struct btrfs_key *key, int slot)
{
struct btrfs_dev_item *ditem;
const u32 item_size = btrfs_item_size_nr(leaf, slot);

if (key->objectid != BTRFS_DEV_ITEMS_OBJECTID) {
dev_item_err(leaf, slot,
"invalid objectid: has=%llu expect=%llu",
key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
return -EUCLEAN;
}

if (unlikely(item_size != sizeof(*ditem))) {
dev_item_err(leaf, slot, "invalid item size: has %u expect %zu",
item_size, sizeof(*ditem));
return -EUCLEAN;
}

ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
if (btrfs_device_id(leaf, ditem) != key->offset) {
dev_item_err(leaf, slot,
Expand Down

0 comments on commit 72a5b01

Please sign in to comment.