From patchwork Wed Aug 31 04:35:51 2011
X-Patchwork-Submitter: "jeff.liu"
X-Patchwork-Id: 1114962
Message-ID: <4E5DBA27.90002@oracle.com>
Date: Wed, 31 Aug 2011 12:35:51 +0800
From: Jeff Liu
Reply-To: jeff.liu@oracle.com
Organization: Oracle
To: linux-btrfs@vger.kernel.org
CC: chris.mason@oracle.com
Subject: [PATCH] Btrfs-progs: specify label length larger than 255 bytes cause mkfs.btrfs buffer overflow

Hello,

While going through mkfs.c, I noticed there is an issue with label length
checking: mkfs.btrfs will crash if the label length exceeds 255 bytes. It's
easy to trigger that, as below:

jeff@pibroch:~/opensource/btrfs-progs$ sudo ./mkfs.btrfs -L `perl -e 'print "A"x256'` /usr/src/linux-3.0/img0

WARNING! - Btrfs v0.19-35-g1b444cd IS EXPERIMENTAL
WARNING! - see http://btrfs.wiki.kernel.org before using

*** buffer overflow detected ***: ./mkfs.btrfs terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0xb7774df0]
/lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0xb7773cca]
/lib/i386-linux-gnu/libc.so.6(__strcpy_chk+0x3f)[0xb777305f]
./mkfs.btrfs[0x805acc4]
./mkfs.btrfs[0x805def6]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0xb76a5e37]
./mkfs.btrfs[0x8048ef1]
======= Memory map: ========
......

A tiny patch could fix it.

Signed-off-by: Jie Liu
---
mkfs.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/mkfs.c b/mkfs.c
index 2e99b95..1598aae 100644
--- a/mkfs.c
+++ b/mkfs.c
@@ -308,9 +308,9 @@ static char *parse_label(char *input) int i; int len = strlen(input); - if (len > BTRFS_LABEL_SIZE) { + if (len >= BTRFS_LABEL_SIZE) { fprintf(stderr, "Label %s is too long (max %d)\n", input, - BTRFS_LABEL_SIZE); + BTRFS_LABEL_SIZE - 1); exit(1); } for (i = 0; i < len; i++) {
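
Review bot: the new bound in parse_label(), "if (len >= BTRFS_LABEL_SIZE)", is only correct if the destination of the later copy is exactly BTRFS_LABEL_SIZE bytes including the terminating NUL, and neither the hunk nor the commit message says so. Please add a one-line comment above the check stating that a label may hold at most BTRFS_LABEL_SIZE - 1 characters plus the NUL, and say the same in the changelog so the off-by-one is explained rather than implied. The backtrace in the report shows the abort coming from __strcpy_chk, which is outside this hunk, so the fix relies on every path to that copy going through parse_label() first; consider bounding the copy itself by the destination size as a second line of defence. Minor: "int len = strlen(input);" narrows size_t to int; size_t (with a matching type for i) would avoid a signed comparison against the size constant.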