[PATCH openEuler-22.03-LTS] btrfs: send: handle path ref underflow in header iterate_inode_ref()

21 May 2024

From: David Sterba dsterba@suse.com
mainline inclusion
from mainline-v6.9-rc1
commit 3c6ee34c6f9cd12802326da26631232a61743501
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK
CVE: CVE-2024-35935
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Change BUG_ON to proper error handling if building the path buffer
fails. The pointers are not printed so we don't accidentally leak kernel
addresses.
Signed-off-by: David Sterba dsterba@suse.com
Signed-off-by: Wang Zhaolong wangzhaolong1@huawei.com
---
 fs/btrfs/send.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 6b80dee17f49..23981c31c35f 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -966,7 +966,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path,
    				ret = PTR_ERR(start);
    				goto out;
    			}
-				BUG_ON(start < p->buf);
+				if (unlikely(start < p->buf)) {
+					btrfs_err(root->fs_info,
+			"send: path ref buffer underflow for key (%llu %u %llu)",
+						  found_key->objectid,
+						  found_key->type,
+						  found_key->offset);
+					ret = -EINVAL;
+					goto out;
+				}
    		}
    		p->start = start;
    	} else {
-- 
2.34.3


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-22.03-LTS] btrfs: send: handle path ref underflow in header iterate_inode_ref()