Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: N Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: N David Sterba <dsterba@suse.cz> cc: stable@vger.kernel.org # v3.7+ Signed-off-by: N Chris Mason <clm@fb.com>

Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: N Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: N David Sterba <dsterba@suse.cz> cc: stable@vger.kernel.org # v3.7+ Signed-off-by: N Chris Mason <clm@fb.com>
dd9ef135 · Quentin Casasnovas · Chris Mason · 3a8b36f3 · dd9ef135
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/btrfs/tree-log.c fs/btrfs/tree-log.c +1 -1

未找到文件。
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1012,7 +1012,7 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
 		base = btrfs_item_ptr_offset(leaf, path->slots[0]);

 		while (cur_offset < item_size) {
-			extref = (struct btrfs_inode_extref *)base + cur_offset;
+			extref = (struct btrfs_inode_extref *)(base + cur_offset);

 			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);