btrfs: tree-checker: validate number of chunk stripes and parity
If there's no parity and num_stripes < ncopies, a crafted image can trigger a division by zero in calc_stripe_length(). The image was generated through fuzzing. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo <wqu@suse.com> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209587 Signed-off-by: Daniel Xu <dxu@dxuuu.xyz> Signed-off-by: David Sterba <dsterba@suse.com>
This commit is contained in:
parent
cad69d1396
commit
85d07fbe09
@ -760,18 +760,36 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
|
||||
u64 type;
|
||||
u64 features;
|
||||
bool mixed = false;
|
||||
int raid_index;
|
||||
int nparity;
|
||||
int ncopies;
|
||||
|
||||
length = btrfs_chunk_length(leaf, chunk);
|
||||
stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
|
||||
num_stripes = btrfs_chunk_num_stripes(leaf, chunk);
|
||||
sub_stripes = btrfs_chunk_sub_stripes(leaf, chunk);
|
||||
type = btrfs_chunk_type(leaf, chunk);
|
||||
raid_index = btrfs_bg_flags_to_raid_index(type);
|
||||
ncopies = btrfs_raid_array[raid_index].ncopies;
|
||||
nparity = btrfs_raid_array[raid_index].nparity;
|
||||
|
||||
if (!num_stripes) {
|
||||
chunk_err(leaf, chunk, logical,
|
||||
"invalid chunk num_stripes, have %u", num_stripes);
|
||||
return -EUCLEAN;
|
||||
}
|
||||
if (num_stripes < ncopies) {
|
||||
chunk_err(leaf, chunk, logical,
|
||||
"invalid chunk num_stripes < ncopies, have %u < %d",
|
||||
num_stripes, ncopies);
|
||||
return -EUCLEAN;
|
||||
}
|
||||
if (nparity && num_stripes == nparity) {
|
||||
chunk_err(leaf, chunk, logical,
|
||||
"invalid chunk num_stripes == nparity, have %u == %d",
|
||||
num_stripes, nparity);
|
||||
return -EUCLEAN;
|
||||
}
|
||||
if (!IS_ALIGNED(logical, fs_info->sectorsize)) {
|
||||
chunk_err(leaf, chunk, logical,
|
||||
"invalid chunk logical, have %llu should aligned to %u",
|
||||
|
Loading…
x
Reference in New Issue
Block a user