btrfs-progs: fsck: Check drop level before walking through fs tree

Exposed by fuzzed image from Lukas, which contains invalid drop level (16), causing segfault when accessing path->nodes[drop_level]. This patch will check drop level against fs tree level and BTRFS_MAX_LEVEL to avoid such problem. Reported-by: Lukas Lueg <lukas.lueg@gmail.com> Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com> Signed-off-by: David Sterba <dsterba@suse.com>
author: Qu Wenruo <quwenruo@cn.fujitsu.com> 2016-08-30 15:22:13 +0800
committer: David Sterba <dsterba@suse.com> 2016-09-05 10:04:32 +0200
commit: 0d2c2d480918eb2b939ebcc6057548d4d808d829 (patch)
tree: e455492dde51bcb7977780962f8b8e4873074089
parent: ba23b7679fb85e55cb28239e65a58a4f47e9f739 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/cmds-check.c b/cmds-check.c
index 1e1f7c9d..2aa0a7bf 100644
--- a/cmds-check.c
+++ b/cmds-check.c
@@ -3742,6 +3742,11 @@ static int check_fs_root(struct btrfs_root *root,
 		btrfs_disk_key_to_cpu(&key, &root_item->drop_progress);
 		level = root_item->drop_level;
 		path.lowest_level = level;
+		if (level > btrfs_header_level(root->node) ||
+		    level >= BTRFS_MAX_LEVEL) {
+			error("ignoring invalid drop level: %u", level);
+			goto skip_walking;
+		}
 		wret = btrfs_search_slot(NULL, root, &key, &path, 0, 0);
 		if (wret < 0)
 			goto skip_walking;
author	Qu Wenruo <quwenruo@cn.fujitsu.com>	2016-08-30 15:22:13 +0800
committer	David Sterba <dsterba@suse.com>	2016-09-05 10:04:32 +0200
commit	0d2c2d480918eb2b939ebcc6057548d4d808d829 (patch)
tree	e455492dde51bcb7977780962f8b8e4873074089
parent	ba23b7679fb85e55cb28239e65a58a4f47e9f739 (diff)