os/bluestore: fix out-of-bound access in bmap allocator.

author Igor Fedotov <ifedotov@suse.com>

Fri, 19 Apr 2019 12:43:07 +0000 (15:43 +0300)

committer Igor Fedotov <ifedotov@suse.com>

Wed, 24 Apr 2019 10:47:15 +0000 (13:47 +0300)
author Igor Fedotov <ifedotov@suse.com>
Fri, 19 Apr 2019 12:43:07 +0000 (15:43 +0300)
committer Igor Fedotov <ifedotov@suse.com>
Wed, 24 Apr 2019 10:47:15 +0000 (13:47 +0300)
diff --git a/src/os/bluestore/fastbmap_allocator_impl.cc b/src/os/bluestore/fastbmap_allocator_impl.cc

index f6369071baaa3b9faaba45fbd1b7f2649c5e4420..1dd491d11f927116637e1e624bf050b8f0148f04 100755 (executable)
--- a/src/os/bluestore/fastbmap_allocator_impl.cc
+++ b/src/os/bluestore/fastbmap_allocator_impl.cc
@@ -286,20 +286,22 @@ void AllocatorLevel01Loose::_mark_alloc_l0(int64_t l0_pos_start,
  
    int64_t pos = l0_pos_start;
    slot_t bits = (slot_t)1 << (l0_pos_start % d0);
-
-  while (pos < std::min(l0_pos_end, p2roundup<int64_t>(l0_pos_start, d0))) {
-    l0[pos / d0] &= ~bits;
+  slot_t* val_s = &l0[pos / d0];
+  int64_t pos_e = std::min(l0_pos_end, p2roundup<int64_t>(l0_pos_start + 1, d0));
+  while (pos < pos_e) {
+    (*val_s) &= ~bits;
      bits <<= 1;
      pos++;
    }
-
-  while (pos < std::min(l0_pos_end, p2align<int64_t>(l0_pos_end, d0))) {
-    l0[pos / d0] = all_slot_clear;
+  pos_e = std::min(l0_pos_end, p2align<int64_t>(l0_pos_end, d0));
+  while (pos < pos_e) {
+    *(++val_s) = all_slot_clear;
      pos += d0;
    }
    bits = 1;
+  ++val_s;
    while (pos < l0_pos_end) {
-    l0[pos / d0] &= ~bits;
+    (*val_s) &= ~bits;
      bits <<= 1;
      pos++;
    }
diff --git a/src/os/bluestore/fastbmap_allocator_impl.h b/src/os/bluestore/fastbmap_allocator_impl.h

index 98a78d4b0ca9c7bc984edd1d546778b4098fb885..4143f3d5d53f69fdd30f0a758631f1e73935a9bc 100755 (executable)
--- a/src/os/bluestore/fastbmap_allocator_impl.h
+++ b/src/os/bluestore/fastbmap_allocator_impl.h
@@ -337,24 +337,23 @@ protected:
  
      auto pos = l0_pos_start;
      slot_t bits = (slot_t)1 << (l0_pos_start % d0);
-    slot_t& val_s = l0[pos / d0];
+    slot_t* val_s = &l0[pos / d0];
      int64_t pos_e = std::min(l0_pos_end,
                               p2roundup<int64_t>(l0_pos_start + 1, d0));
      while (pos < pos_e) {
-      val_s |= bits;
+      *val_s |=  bits;
        bits <<= 1;
        pos++;
      }
      pos_e = std::min(l0_pos_end, p2align<int64_t>(l0_pos_end, d0));
-    auto idx = pos / d0;
      while (pos < pos_e) {
-      l0[idx++] = all_slot_set;
+      *(++val_s) = all_slot_set;
        pos += d0;
      }
      bits = 1;
-    uint64_t& val_e = l0[pos / d0];
+    ++val_s;
      while (pos < l0_pos_end) {
-      val_e |= bits;
+      *val_s |= bits;
        bits <<= 1;
        pos++;
      }
author	Igor Fedotov <ifedotov@suse.com>
	Fri, 19 Apr 2019 12:43:07 +0000 (15:43 +0300)
committer	Igor Fedotov <ifedotov@suse.com>
	Wed, 24 Apr 2019 10:47:15 +0000 (13:47 +0300)
src/os/bluestore/fastbmap_allocator_impl.cc		patch \| blob \| history
src/os/bluestore/fastbmap_allocator_impl.h		patch \| blob \| history