queue-3.16/btrfs-handle-invalid-num_stripes-in-sys_array.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: David Sterba <dsterba@suse.com>
 Date: Mon, 30 Nov 2015 17:27:06 +0100
 Subject: btrfs: handle invalid num_stripes in sys_array

 commit f5cdedd73fa71b74dcc42f2a11a5735d89ce7c4f upstream.

 We can handle the special case of num_stripes == 0 directly inside
 btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to
 catch other unhandled cases where we fail to validate external data.

 A crafted or corrupted image crashes at mount time:

 BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0
 BTRFS info (device loop0): disk space caching is enabled
 BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()!
 Kernel panic - not syncing: BUG!
 CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25
 Stack:
  637af890 60062489 602aeb2e 604192ba
  60387961 00000011 637af8a0 6038a835
  637af9c0 6038776b 634ef32b 00000000
 Call Trace:
  [<6001c86d>] show_stack+0xfe/0x15b
  [<6038a835>] dump_stack+0x2a/0x2c
  [<6038776b>] panic+0x13e/0x2b3
  [<6020f099>] btrfs_read_sys_array+0x25d/0x2ff
  [<601cfbbe>] open_ctree+0x192d/0x27af
  [<6019c2c1>] btrfs_mount+0x8f5/0xb9a
  [<600bc9a7>] mount_fs+0x11/0xf3
  [<600d5167>] vfs_kern_mount+0x75/0x11a
  [<6019bcb0>] btrfs_mount+0x2e4/0xb9a
  [<600bc9a7>] mount_fs+0x11/0xf3
  [<600d5167>] vfs_kern_mount+0x75/0x11a
  [<600d710b>] do_mount+0xa35/0xbc9
  [<600d7557>] SyS_mount+0x95/0xc8
  [<6001e884>] handle_syscall+0x6b/0x8e

 Reported-by: Jiri Slaby <jslaby@suse.com>
 Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
 Signed-off-by: David Sterba <dsterba@suse.com>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  fs/btrfs/volumes.c | 8 ++++++++
  1 file changed, 8 insertions(+)

 --- a/fs/btrfs/volumes.c
 +++ b/fs/btrfs/volumes.c
 @@ -6092,6 +6092,14 @@ int btrfs_read_sys_array(struct btrfs_ro
  				goto out_short_read;

  			num_stripes = btrfs_chunk_num_stripes(sb, chunk);
 +			if (!num_stripes) {
 +				printk(KERN_ERR
 +	    "BTRFS: invalid number of stripes %u in sys_array at offset %u\n",
 +					num_stripes, cur_offset);
 +				ret = -EIO;
 +				break;
 +			}
 +
  			len = btrfs_chunk_item_size(num_stripes);
  			if (cur_offset + len > array_size)
  				goto out_short_read;
	From: David Sterba <dsterba@suse.com>
	Date: Mon, 30 Nov 2015 17:27:06 +0100
	Subject: btrfs: handle invalid num_stripes in sys_array

	commit f5cdedd73fa71b74dcc42f2a11a5735d89ce7c4f upstream.

	We can handle the special case of num_stripes == 0 directly inside
	btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to
	catch other unhandled cases where we fail to validate external data.

	A crafted or corrupted image crashes at mount time:

	BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0
	BTRFS info (device loop0): disk space caching is enabled
	BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()!
	Kernel panic - not syncing: BUG!
	CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25
	Stack:
	637af890 60062489 602aeb2e 604192ba
	60387961 00000011 637af8a0 6038a835
	637af9c0 6038776b 634ef32b 00000000
	Call Trace:
	[<6001c86d>] show_stack+0xfe/0x15b
	[<6038a835>] dump_stack+0x2a/0x2c
	[<6038776b>] panic+0x13e/0x2b3
	[<6020f099>] btrfs_read_sys_array+0x25d/0x2ff
	[<601cfbbe>] open_ctree+0x192d/0x27af
	[<6019c2c1>] btrfs_mount+0x8f5/0xb9a
	[<600bc9a7>] mount_fs+0x11/0xf3
	[<600d5167>] vfs_kern_mount+0x75/0x11a
	[<6019bcb0>] btrfs_mount+0x2e4/0xb9a
	[<600bc9a7>] mount_fs+0x11/0xf3
	[<600d5167>] vfs_kern_mount+0x75/0x11a
	[<600d710b>] do_mount+0xa35/0xbc9
	[<600d7557>] SyS_mount+0x95/0xc8
	[<6001e884>] handle_syscall+0x6b/0x8e

	Reported-by: Jiri Slaby <jslaby@suse.com>
	Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
	Signed-off-by: David Sterba <dsterba@suse.com>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	fs/btrfs/volumes.c \| 8 ++++++++
	1 file changed, 8 insertions(+)

	--- a/fs/btrfs/volumes.c
	+++ b/fs/btrfs/volumes.c
	@@ -6092,6 +6092,14 @@ int btrfs_read_sys_array(struct btrfs_ro
	goto out_short_read;

	num_stripes = btrfs_chunk_num_stripes(sb, chunk);
	+ if (!num_stripes) {
	+ printk(KERN_ERR
	+ "BTRFS: invalid number of stripes %u in sys_array at offset %u\n",
	+ num_stripes, cur_offset);
	+ ret = -EIO;
	+ break;
	+ }
	+
	len = btrfs_chunk_item_size(num_stripes);
	if (cur_offset + len > array_size)
	goto out_short_read;