| From: Qu Wenruo <quwenruo.btrfs@gmx.com> |
| Date: Wed, 23 Aug 2017 16:57:57 +0900 |
| Subject: btrfs: Check if item pointer overlaps with the item itself |
| |
| commit 7f43d4affb2a254d421ab20b0cf65ac2569909fb upstream. |
| |
| Function check_leaf() checks if any item pointer points outside of the |
| leaf, but it doesn't check if the pointer overlaps with the item itself. |
| |
| Normally only the last item may be the victim, but adding such a check is |
| never a bad idea anyway. |
| |
| Signed-off-by: Qu Wenruo <quwenruo.btrfs@gmx.com> |
| Reviewed-by: Nikolay Borisov <nborisov@suse.com> |
| Reviewed-by: David Sterba <dsterba@suse.com> |
| Signed-off-by: David Sterba <dsterba@suse.com> |
| Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| fs/btrfs/disk-io.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| --- a/fs/btrfs/disk-io.c |
| +++ b/fs/btrfs/disk-io.c |
| @@ -606,6 +606,13 @@ static noinline int check_leaf(struct bt |
| return -EUCLEAN; |
| } |
| |
| + /* Also check if the item pointer overlaps with btrfs item. */ |
| + if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > |
| + btrfs_item_ptr_offset(leaf, slot)) { |
| + CORRUPT("slot overlap with its data", leaf, root, slot); |
| + return -EUCLEAN; |
| + } |
| + |
| prev_key.objectid = key.objectid; |
| prev_key.type = key.type; |
| prev_key.offset = key.offset; |
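
Review bot: In the added block in check_leaf(), the comment ("item pointer overlaps with btrfs item") and the CORRUPT() reason ("slot overlap with its data") describe the same condition in different terms, and neither says which region runs into which. Suggest wording both as the end of the slot's struct btrfs_item header, btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item), extending past the start of that slot's data, btrfs_item_ptr_offset(leaf, slot). It is also worth stating in the comment that the comparison is a strict `>`, so a header ending exactly where its data begins is accepted as valid. The CORRUPT() call passes only the reason string, leaf, root and slot, so the two offsets being compared are not part of the reason text; including them would make an -EUCLEAN from this path easier to triage.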