diff options
| author | David Sterba <dsterba@suse.cz> | 2014-10-31 12:18:08 -0400 |
|---|---|---|
| committer | Chris Mason <clm@fb.com> | 2015-02-02 22:20:39 -0500 |
| commit | 75d6ad382bb91f363452119d34238e156589ca2d (patch) | |
| tree | af278af23547c0d042af1da1fad1dd88292fdfc1 /fs | |
| parent | 9cc97d646216b6f2473fa4ab9f103514b86c6814 (diff) | |
btrfs: more superblock checks, lower bounds on devices and sectorsize/nodesize
I received a few crafted images from Jiri, all got through the recently
added superblock checks. The lower bounds checks for num_devices and
sector/node -sizes were missing and caused a crash during mount.
Tools for symbolic code execution were used to prepare the images
contents.
Reported-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/btrfs/disk-io.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 612d46eece62..11171362bd33 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c | |||
| @@ -3871,6 +3871,21 @@ static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info, | |||
| 3871 | printk(KERN_WARNING "BTRFS: log_root block unaligned: %llu\n", | 3871 | printk(KERN_WARNING "BTRFS: log_root block unaligned: %llu\n", |
| 3872 | btrfs_super_log_root(sb)); | 3872 | btrfs_super_log_root(sb)); |
| 3873 | 3873 | ||
| 3874 | /* | ||
| 3875 | * Check the lower bound, the alignment and other constraints are | ||
| 3876 | * checked later. | ||
| 3877 | */ | ||
| 3878 | if (btrfs_super_nodesize(sb) < 4096) { | ||
| 3879 | printk(KERN_ERR "BTRFS: nodesize too small: %u < 4096\n", | ||
| 3880 | btrfs_super_nodesize(sb)); | ||
| 3881 | ret = -EINVAL; | ||
| 3882 | } | ||
| 3883 | if (btrfs_super_sectorsize(sb) < 4096) { | ||
| 3884 | printk(KERN_ERR "BTRFS: sectorsize too small: %u < 4096\n", | ||
| 3885 | btrfs_super_sectorsize(sb)); | ||
| 3886 | ret = -EINVAL; | ||
| 3887 | } | ||
| 3888 | |||
| 3874 | if (memcmp(fs_info->fsid, sb->dev_item.fsid, BTRFS_UUID_SIZE) != 0) { | 3889 | if (memcmp(fs_info->fsid, sb->dev_item.fsid, BTRFS_UUID_SIZE) != 0) { |
| 3875 | printk(KERN_ERR "BTRFS: dev_item UUID does not match fsid: %pU != %pU\n", | 3890 | printk(KERN_ERR "BTRFS: dev_item UUID does not match fsid: %pU != %pU\n", |
| 3876 | fs_info->fsid, sb->dev_item.fsid); | 3891 | fs_info->fsid, sb->dev_item.fsid); |
| @@ -3884,6 +3899,10 @@ static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info, | |||
| 3884 | if (btrfs_super_num_devices(sb) > (1UL << 31)) | 3899 | if (btrfs_super_num_devices(sb) > (1UL << 31)) |
| 3885 | printk(KERN_WARNING "BTRFS: suspicious number of devices: %llu\n", | 3900 | printk(KERN_WARNING "BTRFS: suspicious number of devices: %llu\n", |
| 3886 | btrfs_super_num_devices(sb)); | 3901 | btrfs_super_num_devices(sb)); |
| 3902 | if (btrfs_super_num_devices(sb) == 0) { | ||
| 3903 | printk(KERN_ERR "BTRFS: number of devices is 0\n"); | ||
| 3904 | ret = -EINVAL; | ||
| 3905 | } | ||
| 3887 | 3906 | ||
| 3888 | if (btrfs_super_bytenr(sb) != BTRFS_SUPER_INFO_OFFSET) { | 3907 | if (btrfs_super_bytenr(sb) != BTRFS_SUPER_INFO_OFFSET) { |
| 3889 | printk(KERN_ERR "BTRFS: super offset mismatch %llu != %u\n", | 3908 | printk(KERN_ERR "BTRFS: super offset mismatch %llu != %u\n", |