diff options
author | Su Yue <l@damenly.su> | 2022-01-21 17:33:35 +0800 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2022-01-31 16:06:04 +0100 |
commit | ea1d1ca4025ac6c075709f549f9aa036b5b6597d (patch) | |
tree | 707813b8ac12b70259eb190128727e92ed8bbce7 /fs | |
parent | 0c982944af27d131d3b74242f3528169f66950ad (diff) | |
download | linux-ea1d1ca4025ac6c075709f549f9aa036b5b6597d.tar.bz2 |
btrfs: tree-checker: check item_size for dev_item
Check item size before accessing the device item to avoid out of bound
access, similar to inode_item check.
Signed-off-by: Su Yue <l@damenly.su>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/btrfs/tree-checker.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index a819eb5e264a..9fd145f1c4bc 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -965,6 +965,7 @@ static int check_dev_item(struct extent_buffer *leaf, struct btrfs_key *key, int slot) { struct btrfs_dev_item *ditem; + const u32 item_size = btrfs_item_size(leaf, slot); if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) { dev_item_err(leaf, slot, @@ -972,6 +973,13 @@ static int check_dev_item(struct extent_buffer *leaf, key->objectid, BTRFS_DEV_ITEMS_OBJECTID); return -EUCLEAN; } + + if (unlikely(item_size != sizeof(*ditem))) { + dev_item_err(leaf, slot, "invalid item size: has %u expect %zu", + item_size, sizeof(*ditem)); + return -EUCLEAN; + } + ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item); if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) { dev_item_err(leaf, slot, |