diff --git a/0015-btrfs-progs-convert-fix-the-filename-output-when-rol.patch b/0015-btrfs-progs-convert-fix-the-filename-output-when-rol.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d978d54fcde1329e31792de7be5f9ca7aa583005
--- /dev/null
+++ b/0015-btrfs-progs-convert-fix-the-filename-output-when-rol.patch
@@ -0,0 +1,76 @@
+From a927cb1b0acc814a3a6d383dc32b781ecc567c85 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Mon, 15 Jul 2024 13:56:14 +0930
+Subject: [PATCH] btrfs-progs: convert: fix the filename output when rolling
+ back
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[BUG]
+When rolling back a converted btrfs, the filename output is corrupted:
+
+ $ btrfs-convert -r ~/test.img
+ btrfs-convert from btrfs-progs v6.9.2
+
+ Open filesystem for rollback:
+ Label:
+ UUID: df54baf3-c91e-4956-96f9-99413a857576
+ Restoring from: ext2_saved0ƨy/image
+ ^^^ Corruption
+ Rollback succeeded
+
+[CAUSE]
+The error is in how we handle the filename. In btrfs all our strings
+are not '\0' terminated, but with explicit length.
+
+But in C, most strings are '\0' terminated, so after reading a filename
+from btrfs, we need to manually terminate the string.
+
+However the code adding the terminating '\0' looks like this:
+
+ /* Get the filename length. */
+ name_len = btrfs_root_ref_name_len(path.nodes[0], root_ref_item);
+
+ /*
+ * This should not happen, but as an extra handling for possible
+ * corrupted btrfs.
+ */
+ if (name_len > sizeof(dir_name))
+ name_len = sizeof(dir_name) - 1;
+ /* Got the real filename into our buffer. */
+ read_extent_buffer(path.nodes[0], dir_name, (unsigned long)(root_ref_item + 1), name_len);
+
+ /* Terminate the string. */
+ dir_name[sizeof(dir_name) - 1] = 0;
+
+The problem is, the final termination is totally wrong, it always make
+the last buffer char '\0', not using the @name_len we read before.
+
+[FIX]
+Use @name_len to terminate the string, as we have already updated it to
+handle buffer overflow, it can handle both the regular and corrupted
+case.
+ +Fixes: dc29a5c51d63 ("btrfs-progs: convert: update default output") +Signed-off-by: Qu Wenruo +--- + convert/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/convert/main.c b/convert/main.c +index c9e50c0..9e93414 100644 +--- a/convert/main.c ++++ b/convert/main.c +@@ -1719,7 +1719,7 @@ static int do_rollback(const char *devname) + if (name_len > sizeof(dir_name)) + name_len = sizeof(dir_name) - 1; + read_extent_buffer(path.nodes[0], dir_name, (unsigned long)(root_ref_item + 1), name_len); +- dir_name[sizeof(dir_name) - 1] = 0; ++ dir_name[name_len] = 0; + + printf(" Restoring from: %s/%s\n", dir_name, image_name); + +-- +2.43.0 + diff --git a/btrfs-progs.spec b/btrfs-progs.spec index cc58ed91164d97dd9806bcbbca7748a2674050c5..b704dc24307918142772bb0fab79e385685bf02d 100644 --- a/btrfs-progs.spec +++ b/btrfs-progs.spec @@ -1,6 +1,6 @@ Name: btrfs-progs Version: 6.6.3 -Release: 14 +Release: 15 Summary: btrfs userspace programs License: GPLv2 and GPL+ and LGPL-2.1+ and GPL-3.0+ and LGPL-2.1 and MIT URL: https://btrfs.wiki.kernel.org/index.php/Main_Page @@ -20,6 +20,7 @@ Patch0011: 0011-btrfs-progs-convert-for-ext2-fix-possible-tree-check.patch Patch0012: 0012-btrfs-progs-convert-insert-a-dummy-inode-item-before.patch Patch0013: 0013-btrfs-progs-corrupt-block-fix-memory-leak-in-debug_c.patch Patch0014: 0014-btrfs-progs-image-fix-the-bug-that-filename-sanitiza.patch +Patch0015: 0015-btrfs-progs-convert-fix-the-filename-output-when-rol.patch BuildRequires: python3-devel >= 3.4 BuildRequires: libacl-devel, e2fsprogs-devel, libblkid-devel, libuuid-devel, zlib-devel, libzstd-devel, lzo-devel, systemd-devel @@ -85,6 +86,9 @@ make mandir=%{_mandir} bindir=%{_sbindir} libdir=%{_libdir} incdir=%{_includedir %{_mandir}/man8/*.gz %changelog +* Mon Oct 28 2024 liuh - 6.6.3-15 +- btrfs-progs: convert: fix the filename output when rolling back + * Tue Sep 10 2024 liuh - 6.6.3-14 - btrfs-progs: image: fix the bug that filename sanitization not working
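Review bot: The clamp two lines above the changed line in the convert/main.c hunk still compares with `>`, so a root ref whose name_len equals sizeof(dir_name) exactly passes unclamped, read_extent_buffer() fills the whole buffer, and the new `dir_name[name_len] = 0;` writes the terminator one byte past the end of dir_name. The old line printed the wrong string but always wrote in bounds, so this is a regression for exactly the corrupted-filesystem case the commit message says the code is meant to survive, and name_len comes straight from the on-disk item. The guard should read `if (name_len >= sizeof(dir_name))`, keeping `name_len = sizeof(dir_name) - 1;` as the clamp. The declaration of dir_name and the rest of do_rollback() are outside the hunk, so the actual buffer size cannot be confirmed from here.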