[PATCH openEuler-22.03-LTS-SP2] btrfs: send: handle path ref underflow in header iterate_inode_ref()
From: David Sterba <dsterba@suse.com> mainline inclusion from mainline-v6.9-rc1 commit 3c6ee34c6f9cd12802326da26631232a61743501 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK CVE: CVE-2024-35935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses. Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com> --- fs/btrfs/send.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index b081b61e97c8..9f28d235f611 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -966,7 +966,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, ret = PTR_ERR(start); goto out; } - BUG_ON(start < p->buf); + if (unlikely(start < p->buf)) { + btrfs_err(root->fs_info, + "send: path ref buffer underflow for key (%llu %u %llu)", + found_key->objectid, + found_key->type, + found_key->offset); + ret = -EINVAL; + goto out; + } } p->start = start; } else { -- 2.34.3
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/7671 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/7671 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6...
participants (2)
-
patchwork bot -
Wang Zhaolong