btrfs: Check name_len with boundary in verify dir_item
Originally, verify_dir_item verifies name_len of dir_item with fixed
values but not item boundary.
If corrupted name_len was not bigger than the fixed value, for example
255, the function will think the dir_item is fine. And then reading
beyond boundary will cause crash.
Example:
1. Corrupt one dir_item name_len to be 255.
2. Run 'ls -lar /mnt/test/ > /dev/null'
dmesg:
[ 48.451449] BTRFS info (device vdb1): disk space caching is enabled
[ 48.451453] BTRFS info (device vdb1): has skinny extents
[ 48.489420] general protection fault: 0000 [#1] SMP
[ 48.489571] Modules linked in: ext4 jbd2 mbcache btrfs xor raid6_pq
[ 48.489716] CPU: 1 PID: 2710 Comm: ls Not tainted 4.10.0-rc1 #5
[ 48.489853] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
[ 48.490008] task:
ffff880035df1bc0 task.stack:
ffffc90004800000
[ 48.490008] RIP: 0010:read_extent_buffer+0xd2/0x190 [btrfs]
[ 48.490008] RSP: 0018:
ffffc90004803d98 EFLAGS:
00010202
[ 48.490008] RAX:
000000000000001b RBX:
000000000000001b RCX:
0000000000000000
[ 48.490008] RDX:
ffff880079dbf36c RSI:
0005080000000000 RDI:
ffff880079dbf368
[ 48.490008] RBP:
ffffc90004803dc8 R08:
ffff880078e8cc48 R09:
ffff880000000000
[ 48.490008] R10:
0000160000000000 R11:
0000000000001000 R12:
ffff880079dbf288
[ 48.490008] R13:
ffff880078e8ca88 R14:
0000000000000003 R15:
ffffc90004803e20
[ 48.490008] FS:
00007fef50c60800(0000) GS:
ffff88007d400000(0000) knlGS:
0000000000000000
[ 48.490008] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 48.490008] CR2:
000055f335ac2ff8 CR3:
000000007356d000 CR4:
00000000001406e0
[ 48.490008] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 48.490008] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 48.490008] Call Trace:
[ 48.490008] btrfs_real_readdir+0x3b7/0x4a0 [btrfs]
[ 48.490008] iterate_dir+0x181/0x1b0
[ 48.490008] SyS_getdents+0xa7/0x150
[ 48.490008] ? fillonedir+0x150/0x150
[ 48.490008] entry_SYSCALL_64_fastpath+0x18/0xad
[ 48.490008] RIP: 0033:0x7fef5032546b
[ 48.490008] RSP: 002b:
00007ffeafcdb830 EFLAGS:
00000206 ORIG_RAX:
000000000000004e
[ 48.490008] RAX:
ffffffffffffffda RBX:
00007fef5061db38 RCX:
00007fef5032546b
[ 48.490008] RDX:
0000000000008000 RSI:
000055f335abaff0 RDI:
0000000000000003
[ 48.490008] RBP:
00007fef5061dae0 R08:
00007fef5061db48 R09:
0000000000000000
[ 48.490008] R10:
000055f335abafc0 R11:
0000000000000206 R12:
00007fef5061db38
[ 48.490008] R13:
0000000000008040 R14:
00007fef5061db38 R15:
000000000000270e
[ 48.490008] RIP: read_extent_buffer+0xd2/0x190 [btrfs] RSP:
ffffc90004803d98
[ 48.499455] ---[ end trace
321920d8e8339505 ]---
Fix it by adding a parameter @slot and check name_len with item boundary
by calling btrfs_is_name_len_valid.
Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
rev
Signed-off-by: David Sterba <dsterba@suse.com>
projects / platform / kernel / linux-rpi.git / commit