Commit 8a880bed authored May 21, 2024 by David Sterba Committed by Wang Zhaolong May 21, 2024

btrfs: send: handle path ref underflow in header iterate_inode_ref()

mainline inclusion
from mainline-v6.9-rc1
commit 3c6ee34c6f9cd12802326da26631232a61743501
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK
CVE: CVE-2024-35935

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c6ee34c6f9cd12802326da26631232a61743501



--------------------------------

Change BUG_ON to proper error handling if building the path buffer
fails. The pointers are not printed so we don't accidentally leak kernel
addresses.

Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>

parent 37e0a494

fs/btrfs/send.c

+9 −1

Original line number	Diff line number	Diff line
		@@ -956,7 +956,15 @@ static int iterate_inode_ref(struct btrfs_root root, struct btrfs_path path,
		ret = PTR_ERR(start);
		goto out;
		}
		BUG_ON(start < p->buf);
		if (unlikely(start < p->buf)) {
		btrfs_err(root->fs_info,
		"send: path ref buffer underflow for key (%llu %u %llu)",
		found_key->objectid,
		found_key->type,
		found_key->offset);
		ret = -EINVAL;
		goto out;
		}
		}
		p->start = start;
		} else {