From: Quentin Casasnovas
Date: Tue, 3 Mar 2015 15:31:38 +0000 (+0100)
Subject: Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
X-Git-Tag: v4.14-rc1~5744^2~11
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=dd9ef135e3542ffc621c4eb7f0091870ec7a1504;p=platform%2Fkernel%2Flinux-rpi.git

Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

Improper arithmetic when calculating the address of the extended ref could lead to an out of bounds memory read and kernel panic.

Signed-off-by: Quentin Casasnovas
Reviewed-by: David Sterba
cc: stable@vger.kernel.org # v3.7+
Signed-off-by: Chris Mason
---
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index f96996a1b70c..9a1c1711f360 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -1012,7 +1012,7 @@ again: base = btrfs_item_ptr_offset(leaf, path->slots[0]); while (cur_offset < item_size) { - extref = (struct btrfs_inode_extref *)base + cur_offset; + extref = (struct btrfs_inode_extref *)(base + cur_offset); victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
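Review bot: In the `while (cur_offset < item_size)` loop at the changed line, the new parenthesization is correct, but the loop guard only proves that the first byte of the extref lies inside the item, so the following `btrfs_inode_extref_name_len(leaf, extref)` can still read a header that straddles the end of a malformed item. The visible context shows no check that `cur_offset + sizeof(*extref)`, and later the header plus `victim_name_len`, stays within `item_size`; if none exists further down, adding one here would bound the walk against bad item contents and not only against the scaling bug. The removed expression cast first and added second, so `cur_offset` was multiplied by `sizeof(struct btrfs_inode_extref)`; a short comment noting that `base` is a byte offset into the leaf and that the addition must happen before the cast would help keep the mistake from being reintroduced. Given the stable v3.7+ tag, it is also worth checking other uses of `btrfs_item_ptr_offset()` results for the same cast-then-add pattern.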