From: David Sterba
To: linux-btrfs@vger.kernel.org
Cc: David Sterba
Subject: [PATCH] btrfs-progs: subvol sync: fix memory corruption, undersized array
Date: Thu, 17 Mar 2016 11:47:19 +0100
Message-Id: <1458211640-13106-1-git-send-email-dsterba@suse.com>

The subvol sync command crashed randomly at the end with

*** glibc detected *** btrfs: double free or corruption (out): 0x00000000006ab040 ***

This is caused by running out of the ids array in case there are more than 128 subvolumes. The array is increased in steps but does not account the size of the item, so there was room for 1024 / 8 = 128 subvolume ids.

Fixes: c9f885ec8963 ("btrfs-progs: subvol: let sync check only current deletions")
Signed-off-by: David Sterba

--- cmds-subvolume.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cmds-subvolume.c b/cmds-subvolume.c index 02e1dec18ed2..32caaa5db9ec 100644 --- a/cmds-subvolume.c +++ b/cmds-subvolume.c @@ -1204,7 +1204,8 @@ static int enumerate_dead_subvols(int fd, u64 **ids) u64 *newids; count += SUBVOL_ID_BATCH; - newids = (u64*)realloc(*ids, count); + newids = (u64*)realloc(*ids, + count * sizeof(u64)); if (!newids) return -ENOMEM; *ids = newids;
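
Review bot: In the new realloc call, `count * sizeof(u64)` hard-codes the element type; sizing by the pointed-to object, as in `realloc(*ids, count * sizeof(**ids))`, keeps the byte count tied to the array's declared type if that ever changes, and the `(u64*)` cast is not needed in C. The commit message shows the step constant was being treated as a byte count (1024 / 8 = 128), so a short comment at `count += SUBVOL_ID_BATCH;` or at the constant's definition saying that it counts ids, not bytes, would help keep the same mistake from coming back. On the `return -ENOMEM` path `*ids` still points at the old, valid buffer, which is the right way to use realloc, but it is worth confirming that the caller frees it when this function fails.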