When reading out name from inode_ref, dir_item, it's possible that
corrupted name_len leads to read beyond boundary.
Since there are already patches for btrfs-progs, this patchset is
for btrfs.
Introduce 'btrfs_is_name_len_valid' to make check name_len with
item boundary.
If read name from dir_item, use 'verify_dir_item' to do more strict
check. Otherwise, use 'btrfs_is_name_len_valid'.
It's unnessary to do check before every read/memcmp_extent_buffer name.
Checking name_len when read name for the first time in the call graph is
enough.
Changlog:
v2:
1.Change 'btrfs_check_namelen' to 'btrfs_is_namelen_valid'.
2.Split patches according call graph.
v3:
1.Add cases about BTRFS_ROOT_REF_KEY and BTRFS_ROOT_BACKREF_KEY.
2.Add more comments about how/where extent_buffer is to be read
for the first time.
3.Change 'namelen' to 'name_len' in function and changelog.
Su Yue (9):
btrfs: Introduce btrfs_is_name_len_valid to avoid reading beyond
boundary
btrfs: Check name_len with boundary in verify dir_item
btrfs: Check name_len on add_inode_ref call path
btrfs: Verify dir_item in replay_xattr_deletes
btrfs: Check name_len in btrfs_check_ref_name_override
btrfs: Check name_len before read in iterate_dir_item
btrfs: Check name_len before read in btrfs_get_name
btrfs: Check name_len before in btrfs_del_root_ref
btrfs: Verify dir_item in iterate_object_props
fs/btrfs/ctree.h | 4 ++-
fs/btrfs/dir-item.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++--
fs/btrfs/export.c | 5 ++++
fs/btrfs/inode.c | 2 +-
fs/btrfs/props.c | 7 +++++
fs/btrfs/root-tree.c | 7 +++++
fs/btrfs/send.c | 6 ++++
fs/btrfs/tree-log.c | 44 ++++++++++++++++++++-------
fs/btrfs/xattr.c | 2 +-
9 files changed, 146 insertions(+), 16 deletions(-)
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
