Btrfs: Don't trust the superblock label and simply printk("%s") it

Message ID 1352121049-4140-1-git-send-email-sbehrens@giantdisaster.de (mailing list archive)
State New, archived

Commit Message

Stefan Behrens Nov. 5, 2012, 1:10 p.m. UTC
Someone who is root or capable(CAP_SYS_ADMIN) could corrupt the
superblock and make Btrfs printk("%s") crash while holding the
uuid_mutex since nobody forces a limit on the string. Since the
uuid_mutex is significant, the system would be unusable
afterwards.

Signed-off-by: Stefan Behrens <sbehrens@giantdisaster.de>
---
 fs/btrfs/volumes.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

David Sterba Nov. 5, 2012, 3:28 p.m. UTC | #1
On Mon, Nov 05, 2012 at 02:10:49PM +0100, Stefan Behrens wrote:
> --- a/fs/btrfs/volumes.c
> +++ b/fs/btrfs/volumes.c
> @@ -764,10 +764,13 @@ int btrfs_scan_one_device(const char *path, fmode_t flags, void *holder,
>  	devid = btrfs_stack_device_id(&disk_super->dev_item);
>  	transid = btrfs_super_generation(disk_super);
>  	total_devices = btrfs_super_num_devices(disk_super);
> -	if (disk_super->label[0])
> +	if (disk_super->label[0]) {
> +		if (disk_super->label[BTRFS_LABEL_SIZE - 1])
> +			disk_super->label[BTRFS_LABEL_SIZE - 1] = '\0';
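
Review bot: the added test on disk_super->label[BTRFS_LABEL_SIZE - 1] repairs an unterminated label without leaving any trace that the superblock carried one. The commit message treats that state as a corrupted superblock, so it is worth reporting: emit a warning naming the device path when the last byte is non-zero, or at minimum add a comment above the check saying the label comes from disk and is not trusted to be NUL-terminated. If no message is wanted, the inner if can be dropped and the byte assigned unconditionally, which reads more simply and has the same effect.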

The label set via 'btrfs fi label' will also set the last-1 byte to 0,
so this keeps it as expected, although it is silent.

thanks,
Reviewed-by: David Sterba <dsterba@suse.cz>

Patch

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index eeed97d..a429cc6 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -764,10 +764,13 @@  int btrfs_scan_one_device(const char *path, fmode_t flags, void *holder,
 	devid = btrfs_stack_device_id(&disk_super->dev_item);
 	transid = btrfs_super_generation(disk_super);
 	total_devices = btrfs_super_num_devices(disk_super);
-	if (disk_super->label[0])
+	if (disk_super->label[0]) {
+		if (disk_super->label[BTRFS_LABEL_SIZE - 1])
+			disk_super->label[BTRFS_LABEL_SIZE - 1] = '\0';
 		printk(KERN_INFO "device label %s ", disk_super->label);
-	else
+	} else {
 		printk(KERN_INFO "device fsid %pU ", disk_super->fsid);
+	}
 	printk(KERN_CONT "devid %llu transid %llu %s\n",
 	       (unsigned long long)devid, (unsigned long long)transid, path);
 	ret = device_list_add(path, disk_super, devid, fs_devices_ret);
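
Review bot: the printk(KERN_INFO "device label %s ", disk_super->label) line still copies up to BTRFS_LABEL_SIZE - 1 bytes of untrusted superblock content into the kernel log verbatim, so the length is bounded but the content is not. A label containing newlines or other control bytes can break up the message or imitate unrelated log lines. Consider replacing non-printable bytes before printing. The bound itself could also be expressed in the format string with a precision ("%.*s" with BTRFS_LABEL_SIZE - 1), which would limit the read without writing into the disk_super buffer just to log it.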