Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.cz> cc: stable@vger.kernel.org # v3.7+ Signed-off-by: Chris Mason <clm@fb.com>

Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
Improper arithmetics when calculting the address of the extended ref could lead to an out of bounds memory read and kernel panic. Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.cz> cc: stable@vger.kernel.org # v3.7+ Signed-off-by: Chris Mason <clm@fb.com>
dd9ef135 · Quentin Casasnovas · Chris Mason · 3a8b36f3 · dd9ef135
Commit dd9ef135 authored Mar 03, 2015 by Quentin Casasnovas Committed by Chris Mason Mar 05, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

fs/btrfs/tree-log.c fs/btrfs/tree-log.c +1 -1

No files found.
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1012,7 +1012,7 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
 		base = btrfs_item_ptr_offset(leaf, path->slots[0]);

 		while (cur_offset < item_size) {
-			extref = (struct btrfs_inode_extref *)base + cur_offset;
+			extref = (struct btrfs_inode_extref *)(base + cur_offset);

 			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);