xfs_repair: check for AG btree records that would wrap around

For AG btree types, make sure that each record's length is not so huge
that integer wraparound would happen.

Found via xfs/358 fuzzing recs[1].blockcount = ones.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>

diff --git a/repair/scan.c b/repair/scan.c
index 5c8d8b23bfb4d78d3811a3841b082f01afda1402..1ddb57635e11fe8044bfd324a24a385ceda16e15 100644 (file)
--- a/repair/scan.c
+++ b/repair/scan.c
@@ -684,7 +684,8 @@ _("%s freespace btree block claimed (state %d), agno %d, bno %d, suspect %d\n"),
                                        b, i, name, agno, bno);
                                continue;
                        }
-                       if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+                       if (len == 0 || end <= b ||
+                           !verify_agbno(mp, agno, end - 1)) {
                                do_warn(
        _("invalid length %u in record %u of %s btree block %u/%u\n"),
                                        len, i, name, agno, bno);
@@ -1066,7 +1067,8 @@ _("%s rmap btree block claimed (state %d), agno %d, bno %d, suspect %d\n"),
                                        b, i, name, agno, bno);
                                continue;
                        }
-                       if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+                       if (len == 0 || end <= b ||
+                           !verify_agbno(mp, agno, end - 1)) {
                                do_warn(
        _("invalid length %u in record %u of %s btree block %u/%u\n"),
                                        len, i, name, agno, bno);
@@ -1353,7 +1355,8 @@ _("leftover CoW extent has invalid startblock in record %u of %s btree block %u/
                                        b, i, name, agno, bno);
                                continue;
                        }
-                       if (len == 0 || !verify_agbno(mp, agno, end - 1)) {
+                       if (len == 0 || end <= agb ||
+                           !verify_agbno(mp, agno, end - 1)) {
                                do_warn(
        _("invalid length %u in record %u of %s btree block %u/%u\n"),
                                        len, i, name, agno, bno);