From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
For AG btree types, make sure that each record's length is not so huge that integer wraparound would happen. Found via xfs/358 fuzzing recs[1].blockcount = ones.
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Reviewed-by: Christoph Hellwig <hch@xxxxxx>
---
 repair/scan.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/repair/scan.c b/repair/scan.c
index 5c8d8b23..1ddb5763 100644
--- a/repair/scan.c
+++ b/repair/scan.c
@@ -684,7 +684,8 @@ _("%s freespace btree block claimed (state %d), agno %d, bno %d, suspect %d\n"),
 b, i, name, agno, bno);
 continue;
 }
- if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+ if (len == 0 || end <= b ||
+ !verify_agbno(mp, agno, end - 1)) {
 do_warn(
 _("invalid length %u in record %u of %s btree block %u/%u\n"),
 len, i, name, agno, bno);
@@ -1066,7 +1067,8 @@ _("%s rmap btree block claimed (state %d), agno %d, bno %d, suspect %d\n"),
 b, i, name, agno, bno);
 continue;
 }
- if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+ if (len == 0 || end <= b ||
+ !verify_agbno(mp, agno, end - 1)) {
 do_warn(
 _("invalid length %u in record %u of %s btree block %u/%u\n"),
 len, i, name, agno, bno);
@@ -1353,7 +1355,8 @@ _("leftover CoW extent has invalid startblock in record %u of %s btree block %u/
 b, i, name, agno, bno);
 continue;
 }
- if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+ if (len == 0 || end <= agb ||
+ !verify_agbno(mp, agno, end - 1)) {
 do_warn(
 _("invalid length %u in record %u of %s btree block %u/%u\n"),
 len, i, name, agno, bno);
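Review bot: The added `end <= b` test in the freespace hunk is an overflow guard with no comment saying so, and the same holds for the identical test in the rmap hunk and the `end <= agb` variant in the refcount hunk. It only detects wraparound if `end` is computed as start plus `len` in the same unsigned width as the start block; the declarations and the assignment to `end` are outside all three hunks, so that is worth confirming. I would put a comment above each condition, for example `/* end <= start means start + len wrapped; reject before end - 1 is range-checked */`, since these fields come from on-disk records that may be corrupt or crafted and a wrapped `end - 1` could otherwise look like a valid block to `verify_agbno()`. In the refcount hunk the comparison uses `agb` while the warning in the preceding context prints `b`, so the comment there should name which start value `end` was derived from. The three copies of the condition could also share one small static helper so a later correction cannot miss a site.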