From patchwork Thu Apr 23 01:31:21 2015
X-Patchwork-Submitter: Qu Wenruo
X-Patchwork-Id: 6259431
From: Qu Wenruo
Subject: [PATCH] btrfs: Check superblock csum type to avoid 0 division or array overflow.
Date: Thu, 23 Apr 2015 09:31:21 +0800
Message-ID: <1429752681-566-1-git-send-email-quwenruo@cn.fujitsu.com>

Current btrfs only supports CRC32 checksum, and if csum_type is 1, we will get 0 csum size, causing a 0 division later that destroys the whole kernel.
Or if csum_type is larger than 1, we will get data from other random memory, causing more problems.

So check csum_type in btrfs_check_super_valid() to avoid such a hostile attack.

Reported-by: Lukas Lueg
Signed-off-by: Qu Wenruo
--- fs/btrfs/ctree.h | 1 + fs/btrfs/disk-io.c | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h index f9c89ca..d6f3aa0 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h @@ -173,6 +173,7 @@ struct btrfs_ordered_sum; /* csum types */ #define BTRFS_CSUM_TYPE_CRC32 0 +#define BTRFS_CSUM_LAST_TYPE 0 static int btrfs_csum_sizes[] = { 4, 0 }; diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 639f266..8687ab5 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c 
@@ -3885,6 +3885,13 @@ static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info, ret = -EINVAL; } + /* Also check csum type, to avoid 0 csum_size */ + if (btrfs_super_csum_type(sb) > BTRFS_CSUM_LAST_TYPE) { + printk(KERN_ERR "BTRFS: unsupported checksum type: %d\n", + btrfs_super_csum_type(sb)); + ret = -EINVAL; + } + if (memcmp(fs_info->fsid, sb->dev_item.fsid, BTRFS_UUID_SIZE) != 0) { printk(KERN_ERR "BTRFS: dev_item UUID does not match fsid: %pU != %pU\n", fs_info->fsid, sb->dev_item.fsid);
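
Review bot: In the fs/btrfs/ctree.h hunk, the new `#define BTRFS_CSUM_LAST_TYPE 0` is a hand-maintained bound sitting next to `btrfs_csum_sizes[] = { 4, 0 }`, so the limit and the table can drift apart when another checksum type is added. The table also keeps its second entry of 0, which is the value that produces the zero csum size described in the commit message. Consider deriving the limit from the table (for example with ARRAY_SIZE(btrfs_csum_sizes)) and dropping the placeholder entry if nothing needs it, or at least add a comment stating that BTRFS_CSUM_LAST_TYPE must be updated together with the array.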
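
Review bot: In the btrfs_check_super_valid() hunk of fs/btrfs/disk-io.c, the added `btrfs_super_csum_type(sb) > BTRFS_CSUM_LAST_TYPE` test only protects code that runs after this function, and the hunk does not show whether anything on the mount path uses the on-disk csum type to index btrfs_csum_sizes[] before it is called. Please confirm the ordering in the commit message, or bound the index at the point of the lookup so the protection does not depend on call order. Minor: the printk uses `%d` for a value that is only ever compared against an upper bound; if the accessor returns an unsigned type, `%u` would match it.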