btrfs-progs: fsck: Check drop level before walking through fs tree

Exposed by fuzzed image from Lukas, which contains invalid drop level
(16), causing segfault when accessing path->nodes[drop_level].

This patch will check drop level against fs tree level and
BTRFS_MAX_LEVEL to avoid such problem.

Reported-by: Lukas Lueg <lukas.lueg@gmail.com>
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/cmds-check.c b/cmds-check.c
index 1e1f7c9..2aa0a7b 100644 (file)
--- a/cmds-check.c
+++ b/cmds-check.c
@@ -3742,6 +3742,11 @@ static int check_fs_root(struct btrfs_root *root,
                btrfs_disk_key_to_cpu(&key, &root_item->drop_progress);
                level = root_item->drop_level;
                path.lowest_level = level;
+               if (level > btrfs_header_level(root->node) ||
+                   level >= BTRFS_MAX_LEVEL) {
+                       error("ignoring invalid drop level: %u", level);
+                       goto skip_walking;
+               }
                wret = btrfs_search_slot(NULL, root, &key, &path, 0, 0);
                if (wret < 0)
                        goto skip_walking;