diff options
| author | Quentin Casasnovas <quentin.casasnovas@oracle.com> | 2015-03-03 10:31:38 -0500 |
|---|---|---|
| committer | Chris Mason <clm@fb.com> | 2015-03-05 20:28:33 -0500 |
| commit | dd9ef135e3542ffc621c4eb7f0091870ec7a1504 (patch) | |
| tree | 0ea14d6f3c7d20e5faa3845f54e1ffc28bc7a9c4 /fs | |
| parent | 3a8b36f378060d20062a0918e99fae39ff077bf0 (diff) | |
Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
cc: stable@vger.kernel.org # v3.7+
Signed-off-by: Chris Mason <clm@fb.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/btrfs/tree-log.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index f96996a1b70c..9a1c1711f360 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c | |||
| @@ -1012,7 +1012,7 @@ again: | |||
| 1012 | base = btrfs_item_ptr_offset(leaf, path->slots[0]); | 1012 | base = btrfs_item_ptr_offset(leaf, path->slots[0]); |
| 1013 | 1013 | ||
| 1014 | while (cur_offset < item_size) { | 1014 | while (cur_offset < item_size) { |
| 1015 | extref = (struct btrfs_inode_extref *)base + cur_offset; | 1015 | extref = (struct btrfs_inode_extref *)(base + cur_offset); |
| 1016 | 1016 | ||
| 1017 | victim_name_len = btrfs_inode_extref_name_len(leaf, extref); | 1017 | victim_name_len = btrfs_inode_extref_name_len(leaf, extref); |
| 1018 | 1018 | ||