From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
For AG btree types, make sure that each record's length is not so huge
that integer wraparound would happen.
Found via xfs/358 fuzzing recs[1].blockcount = ones.
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
---
repair/scan.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/repair/scan.c b/repair/scan.c
index 5c8d8b23..1ddb5763 100644
--- a/repair/scan.c
+++ b/repair/scan.c
@@ -684,7 +684,8 @@ _("%s freespace btree block claimed (state %d), agno %d, bno %d, suspect %d\n"),
b, i, name, agno, bno);
continue;
}
- if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+ if (len == 0 || end <= b ||
+ !verify_agbno(mp, agno, end - 1)) {
do_warn(
_("invalid length %u in record %u of %s btree block %u/%u\n"),
len, i, name, agno, bno);
@@ -1066,7 +1067,8 @@ _("%s rmap btree block claimed (state %d), agno %d, bno %d, suspect %d\n"),
b, i, name, agno, bno);
continue;
}
- if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+ if (len == 0 || end <= b ||
+ !verify_agbno(mp, agno, end - 1)) {
do_warn(
_("invalid length %u in record %u of %s btree block %u/%u\n"),
len, i, name, agno, bno);
@@ -1353,7 +1355,8 @@ _("leftover CoW extent has invalid startblock in record %u of %s btree block %u/
b, i, name, agno, bno);
continue;
}
- if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+ if (len == 0 || end <= agb ||
+ !verify_agbno(mp, agno, end - 1)) {
do_warn(
_("invalid length %u in record %u of %s btree block %u/%u\n"),
len, i, name, agno, bno);
