Fix incorrect address reference in btrfs

We encountered a weird random kernel initrd unpacking error on btrfs
and finally found it was caused by incorrect address reference in range
check for type GRUB_BTRFS_EXTENT_REGULAR and the entire result is
unpredictable.

This is a quick fix to make the address reference to the
grub_btrfs_extent_data structure correctly, not the pointer variable
to it.

Any suggestions to this patch is welcome.

diff --git a/ChangeLog b/ChangeLog
index 572ee50d178a109f5f8912c125a8de2590b6300f..0676065783dbe8d29463fd7f4816c1cc14043c5c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-09-08  Michael Chang  <mchang@suse.com>
+
+       * grub-core/fs/btrfs.c (grub_btrfs_extent_read): Fix extent size
+       check; comparing &data->extent against addresses in the region it
+       points to is unpredictable.
+
 2014-09-07  Colin Watson  <cjwatson@ubuntu.com>
 
        Support grub-emu on x32 (ILP32 but with x86-64 instruction set)

diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index f7b6c1520371cb16c22ff9aae60f462d26223758..95a8fa6b3979555333459753ff44cac9d4c61e20 100644 (file)
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -1051,7 +1051,7 @@ grub_btrfs_extent_read (struct grub_btrfs_data *data,
 
          data->extend = data->extstart + grub_le_to_cpu64 (data->extent->size);
          if (data->extent->type == GRUB_BTRFS_EXTENT_REGULAR
-             && (char *) &data->extent + elemsize
+             && (char *) data->extent + elemsize
              >= (char *) &data->extent->filled + sizeof (data->extent->filled))
            data->extend =
              data->extstart + grub_le_to_cpu64 (data->extent->filled);