Message ID | 20170405085915.21791-1-lufq.fnst@cn.fujitsu.com (mailing list archive)
---|---
State | New, archived
On Wed, Apr 05, 2017 at 04:59:14PM +0800, Lu Fengqi wrote: > Without validation of array_size, the dump-super may lead to a bad > memory access. > > Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com> > --- > cmds-inspect-dump-super.c | 15 +++++++++++---- > 1 file changed, 11 insertions(+), 4 deletions(-) > > diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c > index ee2c8e3a..48b5219c 100644 > --- a/cmds-inspect-dump-super.c > +++ b/cmds-inspect-dump-super.c > @@ -62,16 +62,23 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb) > struct btrfs_key key; > int item; > > - buf = malloc(sizeof(*buf) + sizeof(*sb)); > + buf = malloc(sizeof(*buf) + BTRFS_SUPER_INFO_SIZE); This seems to be unnecessary, the super block structure should contain entire sys_array. > if (!buf) { > error("not enough memory"); > - goto out; > + return; > } > - write_extent_buffer(buf, sb, 0, sizeof(*sb)); > + write_extent_buffer(buf, sb, 0, BTRFS_SUPER_INFO_SIZE); > array_size = btrfs_super_sys_array_size(sb); > > array_ptr = sb->sys_chunk_array; > sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array); > + > + if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) { > + error("sys_array_size %u shouldn't exceed %u bytes", > + array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE); > + goto out; > + } > + > cur_offset = 0; > item = 0; > > @@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb) > item++; > } > > - free(buf); > out: > + free(buf); > return; > > out_short_read: > -- > 2.12.1 > > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On 2017-04-19 23:41, David Sterba wrote: >> >> - buf = malloc(sizeof(*buf) + sizeof(*sb)); >> + buf = malloc(sizeof(*buf) + BTRFS_SUPER_INFO_SIZE); > This seems to be unnecessary, the super block structure should contain > entire sys_array. > Alright, I will remove it.
diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c index ee2c8e3a..48b5219c 100644 --- a/cmds-inspect-dump-super.c +++ b/cmds-inspect-dump-super.c @@ -62,16 +62,23 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb) struct btrfs_key key; int item; - buf = malloc(sizeof(*buf) + sizeof(*sb)); + buf = malloc(sizeof(*buf) + BTRFS_SUPER_INFO_SIZE); if (!buf) { error("not enough memory"); - goto out; + return; } - write_extent_buffer(buf, sb, 0, sizeof(*sb)); + write_extent_buffer(buf, sb, 0, BTRFS_SUPER_INFO_SIZE); array_size = btrfs_super_sys_array_size(sb); array_ptr = sb->sys_chunk_array; sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array); + + if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) { + error("sys_array_size %u shouldn't exceed %u bytes", + array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE); + goto out; + } + cur_offset = 0; item = 0; @@ -124,8 +131,8 @@ static void print_sys_chunk_array(struct btrfs_super_block *sb) item++; } - free(buf); out: + free(buf); return; out_short_read:
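Review bot: In the first hunk, the switch from sizeof(*sb) to BTRFS_SUPER_INFO_SIZE in `buf = malloc(sizeof(*buf) + BTRFS_SUPER_INFO_SIZE);` and in the matching `write_extent_buffer(buf, sb, 0, BTRFS_SUPER_INFO_SIZE);` is unrelated to the bad memory access named in the commit message: the array is a member of the struct (`array_ptr = sb->sys_chunk_array;` and `offsetof(struct btrfs_super_block, sys_chunk_array)`), so sizeof(*sb) already covers it. Suggest dropping those two lines so the patch is only the `array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE` check, which is placed correctly before cur_offset/item are set and before the loop walks the array, and whose `goto out` matches out: now freeing buf.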
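Review bot: In the second hunk, moving free(buf) under the out: label only covers exits that jump to out; the out_short_read: label in the trailing context is a separate exit, and from the visible lines it is not clear whether it falls through to out: or returns on its own. If it returns, the short-read error path still leaks buf and needs its own free(buf) or a jump to out:.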
Without validation of array_size, the dump-super may lead to a bad memory access.

Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
---
 cmds-inspect-dump-super.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
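Added illustration, not code from the patch or from btrfs-progs: a simplified walker over a constructed sys_chunk_array that enforces the bound the patch introduces and goes one step further by also checking that each key plus chunk item, including its stripe records, fits inside the claimed length. The struct, the size macros, the num_stripes offset and native byte order are assumptions standing in for the real on-disk layout.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the superblock's chunk array; sizes follow the btrfs
 * on-disk layout as an assumption, and fields are read in native byte order. */
#define SYS_ARRAY_CAP   2048u  /* plays the role of BTRFS_SYSTEM_CHUNK_ARRAY_SIZE */
#define KEY_SIZE        17u    /* objectid(8) + type(1) + offset(8) */
#define CHUNK_HDR       48u    /* fixed part of a chunk item */
#define STRIPE_SIZE     32u    /* one stripe record */
#define NUM_STRIPES_OFF 44u    /* offset of the u16 num_stripes inside the item */

struct sb_model {
    uint32_t sys_array_size;               /* untrusted, read from disk */
    uint8_t  sys_chunk_array[SYS_ARRAY_CAP];
};

/* Walk the array like dump-super does. Returns the item count, or -1 when the
 * length field or an item would lead past the end of the array. */
int walk_sys_array(const struct sb_model *sb)
{
    uint32_t size = sb->sys_array_size, off = 0;
    int items = 0;
    /* The bound the patch adds: the claimed size must fit the array. */
    if (size > SYS_ARRAY_CAP)
        return -1;
    while (off < size) {
        uint16_t n;
        /* Short read: not even a key plus a fixed chunk header left. */
        if (size - off < KEY_SIZE + CHUNK_HDR)
            return -1;
        off += KEY_SIZE;
        memcpy(&n, sb->sys_chunk_array + off + NUM_STRIPES_OFF, sizeof n);
        /* Stripe records must also fit in what remains of the array. */
        if (n == 0 || n > (size - off - CHUNK_HDR) / STRIPE_SIZE)
            return -1;
        off += CHUNK_HDR + n * STRIPE_SIZE;
        items++;
    }
    return items;
}

/* Build one constructed array holding a single chunk item with n stripes,
 * but advertise `claimed` as sys_array_size, then walk it. */
int walk_constructed(uint16_t n, uint32_t claimed)
{
    struct sb_model sb;
    memset(&sb, 0, sizeof sb);
    memcpy(sb.sys_chunk_array + KEY_SIZE + NUM_STRIPES_OFF, &n, sizeof n);
    sb.sys_array_size = claimed;
    return walk_sys_array(&sb);
}
```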