On Fri, May 22, 2015 at 09:01:23AM +0800, Qu Wenruo wrote:
> Add the following tree block check to avoid memory corruption on hostile
> image:
> 1) Check level.
> Level >= BTRFS_MAX_LEVEL won't be read out.
>
> 2) Nritems.
> For nr_items > max_nritems, the tree_block won't be read out.
> Max nritems is calculated in an easy method.
> For node, it's straightforward, just (nodesize - header size) /
> (btrfs_key_ptr)
> For leaf, (nodesize - header size) / (btrfs_item), as btrfs supports zero
> item size
>
> This fixes 3 kernel bugs: BZ#97171, BZ#97191, BZ#97271.
>
> Reported-by: Lukas Lueg <lukas.lueg@xxxxxxxxx>
> Signed-off-by: Qu Wenruo <quwenruo@xxxxxxxxxxxxxx>

Applied, thanks. I've added an image for the first bug, the other two do not
pass inside our testing setup (check/repair/check) and fail to start, but
the image restoration works at least. This would need some enhancements.
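
The two checks described in the quoted commit message, as an added example that is not the patch itself or code from this mail. The names `hdr_fields`, `max_nritems` and `check_tree_block` are hypothetical; the byte sizes are those of the packed on-disk btrfs structures, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BTRFS_MAX_LEVEL   8
#define HEADER_SIZE     101u  /* sizeof(struct btrfs_header), packed */
#define KEY_PTR_SIZE     33u  /* sizeof(struct btrfs_key_ptr), packed */
#define ITEM_SIZE        25u  /* sizeof(struct btrfs_item), packed */

/* Fields read from an untrusted tree block header (hypothetical struct). */
struct hdr_fields {
    uint8_t  level;
    uint32_t nritems;
};

/* Upper bound on nritems: level 0 is a leaf, any other level is a node. */
static uint32_t max_nritems(uint8_t level, uint32_t nodesize)
{
    if (nodesize <= HEADER_SIZE)
        return 0;
    uint32_t payload = nodesize - HEADER_SIZE;
    return payload / (level == 0 ? ITEM_SIZE : KEY_PTR_SIZE);
}

/* Returns 0 if the header is plausible, -1 if the block must not be used. */
static int check_tree_block(const struct hdr_fields *h, uint32_t nodesize)
{
    if (h->level >= BTRFS_MAX_LEVEL)
        return -1;                      /* check 1: level */
    if (h->nritems > max_nritems(h->level, nodesize))
        return -1;                      /* check 2: nritems */
    return 0;
}

int main(void)
{
    /* Constructed sample headers, checked against a 16 KiB nodesize. */
    struct hdr_fields samples[] = {
        { 0, 651 }, { 0, 652 }, { 1, 493 }, { 1, 494 }, { 8, 1 },
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("level=%u nritems=%u -> %s\n",
               (unsigned)samples[i].level, (unsigned)samples[i].nritems,
               check_tree_block(&samples[i], 16384) ? "reject" : "ok");
    return 0;
}
```

Because zero-size items are allowed, the leaf bound only proves the item array fits in the block; item offsets and sizes still need their own validation.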
