On Wed, Feb 17, 2021 at 09:04:34AM +0300, Dan Carpenter wrote:
> The problem is we're copying "inherit" from user space but we don't
> necessarily know that we're copying enough data for a 64 byte
> struct. Then the next problem is that "inherit" has a variable size
> array at the end, and we have to verify that array is the size we
> expected.
>
> Fixes: 6f72c7e20dba: ("Btrfs: add qgroup inheritance")
> Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
> ---
> Presumably only root can create snapshots.

Well, no. After a first analysis there are some "interesting memory access
patterns" possible, with crafted data in the inherit member.

> Anyway, I have not tested
> this fix. I believe it is correct, of course. But perhaps it's best
> to check.

Yeah, I'll write a test also to see where exactly the issues are. Thanks
for the report/fix.