[v2,1/2] btrfs-progs: dump-super: check array_size in print_sys_chunk_array

Commit Message

Lu Fengqi April 20, 2017, 8:07 a.m. UTC

Without validation of array_size, the dump-super may lead to a bad
memory access.

Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
---
v2:
	Accept David's advice, no longer use BTRFS_SUPER_INFO_SIZE instead of sizeof(*sb).
---
 cmds-inspect-dump-super.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

Comments

David Sterba April 20, 2017, 11:52 a.m. UTC | #1

On Thu, Apr 20, 2017 at 04:07:56PM +0800, Lu Fengqi wrote:
> Without validation of array_size, the dump-super may lead to a bad
> memory access.
> 
> Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>

1-2 applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/cmds-inspect-dump-super.c b/cmds-inspect-dump-super.c
index ee2c8e3a..b65bd2d9 100644
--- a/cmds-inspect-dump-super.c
+++ b/cmds-inspect-dump-super.c
@@ -65,13 +65,20 @@  static void print_sys_chunk_array(struct btrfs_super_block *sb)
 	buf = malloc(sizeof(*buf) + sizeof(*sb));
 	if (!buf) {
 		error("not enough memory");
-		goto out;
+		return;
 	}
 	write_extent_buffer(buf, sb, 0, sizeof(*sb));
 	array_size = btrfs_super_sys_array_size(sb);
 
 	array_ptr = sb->sys_chunk_array;
 	sb_array_offset = offsetof(struct btrfs_super_block, sys_chunk_array);
+
+	if (array_size > BTRFS_SYSTEM_CHUNK_ARRAY_SIZE) {
+		error("sys_array_size %u shouldn't exceed %u bytes",
+				array_size, BTRFS_SYSTEM_CHUNK_ARRAY_SIZE);
+		goto out;
+	}
+
 	cur_offset = 0;
 	item = 0;
 
@@ -124,8 +131,8 @@  static void print_sys_chunk_array(struct btrfs_super_block *sb)
 		item++;
 	}
 
-	free(buf);
 out:
+	free(buf);
 	return;
 
 out_short_read: