From patchwork Tue Jun 18 21:41:38 2024
X-Patchwork-Submitter: Alex ThreeD
X-Patchwork-Id: 1949496
X-Patchwork-Delegate: trini@ti.com
From: Alex Shumsky
To: u-boot@lists.denx.de
Cc: Alex Shumsky, Dan Carpenter, Marek Behún, Qu Wenruo, Tom Rini, linux-btrfs@vger.kernel.org
Subject: [PATCH v2] fs: btrfs: fix out of bounds write
Date: Wed, 19 Jun 2024 00:41:38 +0300
Message-Id: <20240618214138.3212175-1-alexthreed@gmail.com>

Fix btrfs_read/read_and_truncate_page write out of bounds of destination
buffer. Old behavior breaks bootstd malloc'd buffers of exact file size.
Previously this OOB write has not been noticed because distroboot usually
reads files into huge static memory areas.

Signed-off-by: Alex Shumsky
Fixes: e342718 ("fs: btrfs: Implement btrfs_file_read()")
Reviewed-by: Qu Wenruo
---
Changes in v2:
- fix error path handling
- add Fixes tag
- use min3

 fs/btrfs/inode.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 4691612eda..3998ffc2c8 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c 
@@ -640,7 +640,11 @@ static int read_and_truncate_page(struct btrfs_path *path, extent_type = btrfs_file_extent_type(leaf, fi); if (extent_type == BTRFS_FILE_EXTENT_INLINE) { ret = btrfs_read_extent_inline(path, fi, buf); - memcpy(dest, buf + page_off, min(page_len, ret)); + if (ret < 0) { + free(buf); + return ret; + } + memcpy(dest, buf + page_off, min3(page_len, ret, len)); free(buf); return len; } @@ -652,7 +656,7 @@ static int read_and_truncate_page(struct btrfs_path *path, free(buf); return ret; } - memcpy(dest, buf + page_off, page_len); + memcpy(dest, buf + page_off, min(page_len, len)); free(buf); return len; }
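Review bot: in the inline-extent branch of the first hunk (@@ -640,7 +640,11 @@), the new length `min3(page_len, ret, len)` bounds the write into `dest`, but the read side still starts at `buf + page_off` while `ret` is used as a plain count. If `ret` is the number of bytes btrfs_read_extent_inline() placed at the start of `buf`, a non-zero `page_off` lets the copy take up to `page_off` bytes beyond that data. Consider limiting the length to `ret - page_off` as well (and copying nothing when `ret <= page_off`), alongside `page_len` and `len`.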
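Review bot: in the second hunk (@@ -652,7 +656,7 @@), `return len;` still follows `memcpy(dest, buf + page_off, min(page_len, len));`, so whenever `page_len < len` the caller is told that `len` bytes were filled although only `page_len` were written. Either return the number of bytes actually copied, or reject `len > page_len` before the copy so that the `min()` is not needed. The same applies to the `return len;` in the inline branch of the first hunk.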