From patchwork Tue Aug 22 07:37:16 2017
X-Patchwork-Submitter: Qu Wenruo
X-Patchwork-Id: 9914341
From: Qu Wenruo
To: linux-btrfs@vger.kernel.org
Cc: dsterba@suse.cz
Subject: [PATCH 2/3] btrfs: Check if item pointer overlap with item itself
Date: Tue, 22 Aug 2017 16:37:16 +0900
Message-Id: <20170822073717.13081-3-quwenruo.btrfs@gmx.com>
In-Reply-To: <20170822073717.13081-1-quwenruo.btrfs@gmx.com>
References: <20170822073717.13081-1-quwenruo.btrfs@gmx.com>

Function check_leaf() checks if any item pointer points outside of the leaf, but it doesn't check if the pointer overlaps with the item itself. Normally only the last item may be the victim, but adding such a check is never a bad idea anyway.

Signed-off-by: Qu Wenruo --- fs/btrfs/disk-io.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 919ddd4b774c..59ee7b959bf0 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -643,6 +643,13 @@ static noinline int check_leaf(struct btrfs_root *root, return -EIO; } + /* Also check if the item pointer overlaps with btrfs item. */ + if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > + btrfs_item_ptr_offset(leaf, slot)) { + CORRUPT("slot overlap with its data", leaf, root, slot); + return -EIO; + } + prev_key.objectid = key.objectid; prev_key.type = key.type; prev_key.offset = key.offset;
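
Review bot: The new condition in check_leaf() compares `btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item)` against `btrfs_item_ptr_offset(leaf, slot)` with `>`, so item data that begins exactly where the item header ends is accepted. That looks intended for a completely full leaf, but the one-line comment does not say so, and it does not say that both helpers are expected to return offsets on the same base; spelling out both would make the boundary case reviewable. The comment could also carry the commit message's point that normally only the last item can trip this check. The CORRUPT string reads "slot overlap with its data" while the comment says "overlaps"; "slot overlaps with its data" would be consistent, and if the macro permits it, reporting the two offsets being compared would make the error easier to act on.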