From: Qu Wenruo Date: Tue, 30 Aug 2016 07:22:13 +0000 (+0800) Subject: btrfs-progs: fsck: Check drop level before walking through fs tree X-Git-Tag: upstream/4.16.1~1336 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0d2c2d480918eb2b939ebcc6057548d4d808d829;p=platform%2Fupstream%2Fbtrfs-progs.git btrfs-progs: fsck: Check drop level before walking through fs tree Exposed by fuzzed image from Lukas, which contains invalid drop level (16), causing segfault when accessing path->nodes[drop_level]. This patch will check drop level against fs tree level and BTRFS_MAX_LEVEL to avoid such problem. Reported-by: Lukas Lueg Signed-off-by: Qu Wenruo Signed-off-by: David Sterba --- diff --git a/cmds-check.c b/cmds-check.c index 1e1f7c9..2aa0a7b 100644 --- a/cmds-check.c +++ b/cmds-check.c @@ -3742,6 +3742,11 @@ static int check_fs_root(struct btrfs_root *root, btrfs_disk_key_to_cpu(&key, &root_item->drop_progress); level = root_item->drop_level; path.lowest_level = level; + if (level > btrfs_header_level(root->node) || + level >= BTRFS_MAX_LEVEL) { + error("ignoring invalid drop level: %u", level); + goto skip_walking; + } wret = btrfs_search_slot(NULL, root, &key, &path, 0, 0); if (wret < 0) goto skip_walking;
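Review bot: The new range check in check_fs_root() sits after `path.lowest_level = level;`, so the unvalidated drop level is already stored in the path before it is rejected; moving the check to directly after `level = root_item->drop_level;` would keep the bad value out of `path` when the code jumps to `skip_walking`. In the visible lines the new branch also jumps to `skip_walking` without setting `wret` or any other status, so please confirm that a root with a corrupt drop level is counted as a check failure and not only logged. The message "ignoring invalid drop level: %u" would be more useful if it also identified which root the value came from.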