Re: [PATCH] btrfs-progs: Enhance read_tree_block to avoid memory corruption.


On Thu, May 14, 2015 at 11:06:24AM +0800, Qu Wenruo wrote:
> Add the following tree_block check to avoid memory corruption or hostile
> image:
> 1) Check level.
> Level >= BTRFS_MAX_LEVEL won't be read out.
> 
> 2) Nritems.
> For nritems == 0 or nr_items > max_nritems, the tree_block won't be read
> out.
> Max nritems is calculated in an easy method.
> For node, it's straightforward, just (nodesize - header size) /
> (btrfs_key_ptr)
> For leaf, (nodesize - header size) / (btrfs_item), assuming btrfs supports
> item size == 0;
> 
> This fixes 3 kernel bugs: BZ#97171, BZ#97191, BZ#97271.
> 
> Reported-by: Lukas Lueg <lukas.lueg@xxxxxxxxx>
> Signed-off-by: Qu Wenruo <quwenruo@xxxxxxxxxxxxxx>

The test 001-bad-file-extent-bytenr fails with this patch (and passes
otherwise). Can you please have a look?
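
The two header checks described in the quoted commit message, as an added example (not the patch's own code, which this message does not include). The function names and return codes are hypothetical; the sizes and offsets are those of the packed on-disk btrfs structures.

```c
#include <stdint.h>
#include <stdio.h>

#define BTRFS_MAX_LEVEL  8
#define HDR_SIZE         101  /* sizeof(struct btrfs_header), packed */
#define KEY_PTR_SIZE     33   /* sizeof(struct btrfs_key_ptr), packed */
#define ITEM_SIZE        25   /* sizeof(struct btrfs_item), packed */
#define HDR_NRITEMS_OFF  96   /* __le32 nritems */
#define HDR_LEVEL_OFF    100  /* u8 level */

enum { BLOCK_OK = 0, BAD_SIZE = -1, BAD_LEVEL = -2, BAD_NRITEMS = -3 };

/* Read a little-endian u32 independent of host byte order. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical name: reject a block before any item or key pointer is used. */
int check_tree_block(const uint8_t *buf, uint32_t nodesize)
{
    if (nodesize <= HDR_SIZE)
        return BAD_SIZE;
    uint32_t nritems = get_le32(buf + HDR_NRITEMS_OFF);
    uint8_t level = buf[HDR_LEVEL_OFF];
    if (level >= BTRFS_MAX_LEVEL)
        return BAD_LEVEL;
    /* level 0 is a leaf (btrfs_item array); above that, a node (key_ptr array) */
    uint32_t max = (nodesize - HDR_SIZE) / (level ? KEY_PTR_SIZE : ITEM_SIZE);
    if (nritems == 0 || nritems > max)
        return BAD_NRITEMS;
    return BLOCK_OK;
}

/* Constructed sample: a zeroed header with only nritems and level filled in. */
int check_sample(uint32_t nritems, uint8_t level, uint32_t nodesize)
{
    uint8_t hdr[HDR_SIZE] = {0};
    for (int i = 0; i < 4; i++)
        hdr[HDR_NRITEMS_OFF + i] = (uint8_t)(nritems >> (8 * i));
    hdr[HDR_LEVEL_OFF] = level;
    return check_tree_block(hdr, nodesize);
}

int main(void)
{
    printf("leaf, 651 items, 16K: %d\n", check_sample(651, 0, 16384));
    printf("leaf, 652 items, 16K: %d\n", check_sample(652, 0, 16384));
    printf("level 8:              %d\n", check_sample(1, 8, 16384));
    return 0;
}
```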