a2c6c59333
[BUG]
There is a bug report that image dump taken by "btrfs-image -s" doesn't really sanitize the filenames:

    # truncate -s 1G source.raw
    # mkfs.btrfs -f source.raw
    # mount source.raw $mnt
    # touch $mnt/top_secret_filename
    # touch $mnt/secret_filename
    # umount $mnt
    # btrfs-image -s source.raw dump.img
    # strings dump.img | grep filename
    top_secret_filename
    secret_filename
    top_secret_filename
    secret_filename
    top_secret_filename

[CAUSE]
Using above image to store the fs, and we got the following result in fs tree:

    item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
        generation 3 transid 7 size 68 nbytes 16384
        block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0
        sequence 2 flags 0x0(none)
    item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
        index 0 namelen 2 name: ..
    item 2 key (256 DIR_ITEM 439756795) itemoff 16062 itemsize 49
        location key (257 INODE_ITEM 0) type FILE
        transid 7 data_len 0 name_len 19
        name: top_secret_filename
    item 3 key (256 DIR_ITEM 693462946) itemoff 16017 itemsize 45
        location key (258 INODE_ITEM 0) type FILE
        transid 7 data_len 0 name_len 15
        name: secret_filename
    item 4 key (256 DIR_INDEX 2) itemoff 15968 itemsize 49
        location key (257 INODE_ITEM 0) type FILE
        transid 7 data_len 0 name_len 19
        name: top_secret_filename
    item 5 key (256 DIR_INDEX 3) itemoff 15923 itemsize 45
        location key (258 INODE_ITEM 0) type FILE
        transid 7 data_len 0 name_len 15
        name: secret_filename
    item 6 key (257 INODE_ITEM 0) itemoff 15763 itemsize 160
        generation 7 transid 7 size 0 nbytes 0
        block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
        sequence 1 flags 0x0(none)
    item 7 key (257 INODE_REF 256) itemoff 15734 itemsize 29
        index 2 namelen 19 name: top_secret_filename
    item 8 key (258 INODE_ITEM 0) itemoff 15574 itemsize 160
        generation 7 transid 7 size 0 nbytes 0
        block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
        sequence 1 flags 0x0(none)
    item 9 key (258 INODE_REF 256) itemoff 15549 itemsize 25
        index 3 namelen 15 name: 1���'�gc*&R

The result shows, only the last INODE_REF got sanitized, all the remaining are not touched at all.

This is caused by how we sanitize the filenames:

    copy_buffer()
    |- memcpy(dst, src->data, src->len);
    |  This means we copy the whole eb into our buffer already.
    |
    |- zero_items()
       |- sanitize_name()
          |- eb = alloc_dummy_eb();
          |- memcpy(eb->data, src->data, src->len);
          |  This means we generate a dummy eb with the same contents of
          |  the source eb.
          |
          |- sanitize_dir_item();
          |  We override the dir item of the given item (specified by the
          |  slot number) inside our dummy eb.
          |
          |- memcpy(dst, eb->data, eb->len);

The last one copies the dummy eb into our buffer, with only the slot corrupted.

But when the whole work flow hits the next slot, we only corrupt the next slot, but still copy the whole dummy eb back to buffer.

This means the previous slot would be overwritten by the old unsanitized data.

Resulting in only the last slot being corrupted.

[FIX]
Fix the bug by only copying back the corrupted item to the buffer. So that other slots won't be overwritten by unsanitized data.

Reported-by: Andrea Gelmini <andrea.gelmini@gmail.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
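A minimal model of the copy-back bug described in the commit message above, as an added example that is not btrfs-progs code. The flat buffer of fixed-size names, `SRC`, `sanitize()` and `leaked_slots()` are hypothetical stand-ins for the extent buffer and the helpers named in the message.

```c
#include <stdio.h>
#include <string.h>

#define NSLOTS  3
#define NAMELEN 8
#define EBLEN   (NSLOTS * NAMELEN)

/* Constructed stand-in for a leaf: NSLOTS fixed-size names, back to back. */
static const char SRC[EBLEN + 1] = "secret_0secret_1secret_2";

/*
 * Per-slot flow from the commit message (all names here are hypothetical).
 * copy_whole_eb=1: copy back the entire dummy eb (the bug);
 * copy_whole_eb=0: copy back only the scrubbed item (the fix).
 */
static void sanitize(char *dst, const char *src, int copy_whole_eb)
{
	char dummy[EBLEN];

	memcpy(dst, src, EBLEN);	/* copy_buffer(): whole eb copied */
	for (int slot = 0; slot < NSLOTS; slot++) {
		size_t off = (size_t)slot * NAMELEN;

		memcpy(dummy, src, EBLEN);	/* dummy eb = unsanitized source */
		memset(dummy + off, 'X', NAMELEN);	/* scrub this slot only */
		if (copy_whole_eb)
			memcpy(dst, dummy, EBLEN);	/* restores earlier names */
		else
			memcpy(dst + off, dummy + off, NAMELEN);
	}
}

/* Sanitize SRC and count the slots that still carry the original name. */
static int leaked_slots(int copy_whole_eb)
{
	char out[EBLEN];
	int n = 0;

	sanitize(out, SRC, copy_whole_eb);
	for (int slot = 0; slot < NSLOTS; slot++)
		n += !memcmp(out + slot * NAMELEN, SRC + slot * NAMELEN, NAMELEN);
	return n;
}

int main(void)
{
	printf("whole-eb copy-back leaks %d names\n", leaked_slots(1));
	printf("item-only copy-back leaks %d names\n", leaked_slots(0));
	return 0;
}
```

With the whole-buffer copy-back every slot except the last keeps its original name, which matches the dump in the commit message where only the final INODE_REF was scrubbed.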
Btrfs-progs
Userspace utilities to manage btrfs filesystems. License: GPLv2.
Btrfs is a copy on write (COW) filesystem for Linux aimed at implementing advanced features while focusing on fault tolerance, repair and easy administration.
This repository hosts the following utilities and documentation:
- btrfs — the main administration tool (manual page)
- mkfs.btrfs — utility to create the filesystem (manual page)
- all-in-one binary in the busybox style with mkfs.btrfs, btrfs-image and other tools built-in (standalone tools)
- libbtrfsutil (LGPL v2.1) — C and python 3 bindings, see libbtrfsutil/README.md for more
- manual pages and documentation source published at btrfs.readthedocs.io (RTD)
See INSTALL for build instructions, tests/README.md for testing information and ci/README.md for CI information.
Release cycle
The major version releases are time-based and follow the cycle of the linux kernel releases. The cycle usually takes 2 months. Minor version releases may happen in the meantime if there are bug fixes or minor useful improvements queued.
The release tags are signed with a GPG key ID F2B4 1200 C54E FB30 380C 1756 C565 D5F9 D76D 583B, release tarballs are hosted at kernel.org.
See file CHANGES or changelogs on RTD.
Releases with changelog are also published at Github release page.
Static binaries
For each release there are static binaries of btrfs and btrfs.box provided.
These can be used in rescue environments and are built for x86_64 architecture (with maximum backward compatibility), inside the Github Actions workflow.
The btrfs.box is an all-in-one tool in the busybox style, the functionality is determined by the binary names (either symlink, hardlink or a file copy).
Feature compatibility
The btrfs-progs of version X.Y declare support of kernel features of the same version. New progs on old kernel are expected to work, limited only by features provided by the kernel.
Build compatibility
Build is supported on the GNU C library as the primary target, and on the musl libc.
The supported compilers are gcc (minimal version 4.8) and clang (minimal version 3.4).
Build tests are done on several distributions, see Github actions workflow.
Reporting bugs
There are several ways, each has its own specifics and audience that can give feedback or work on a fix. The following list is sorted in the order of preference:
- Github issue tracker
- to the mailing list linux-btrfs@vger.kernel.org -- (not required to subscribe), beware that the mail might get overlooked in other traffic
- IRC (irc.libera.chat #btrfs) -- good for discussions eg. if a bug is already known, but reports could miss developers' attention
- please don't use https://bugzilla.kernel.org for btrfs-progs bugs
Development
The development takes place in the mailing list (linux-btrfs@vger.kernel.org) or at Github (issues, pull requests). Changes should be split to logical parts if possible, documentation may be included in the same patch as the code or separately.
The development model of btrfs-progs shares a lot with the kernel model. The
- one logical change per patch: e.g. not mixing bugfixes, cleanups, features etc., sometimes it's not clear and will be usually pointed out during reviews
- proper subject line: e.g. prefix with btrfs-progs: subpart, ... , descriptive yet not too long, see git log --oneline for some inspiration
- proper changelog: the changelogs are often missing or lacking explanation why the change was made, or how is something broken, what are user-visible effects of the bug or the fix, how does an improvement help or the intended usecase
- the Signed-off-by line is not mandatory for less significant changes (typos, documentation) but is desired as this documents who authored the change, you can read more about the Developer's Certificate of Origin (chapter 11)
- if you are not used to the signed-off style, your contributions won't be rejected just because it's missing, the Author: tag will be added as a substitute in order to allow contributions without much bothering with formalities
Pull requests
The pull requests on Github may be used for code or documentation contributions. There are basic build checks enabled in the Github actions CI for pull requests. The status can be checked at the workflow page.
- open a PR against branches devel or master
- push update to the same branch if you need to
- close the PR in case it's wrong, a mistake or needs rework
- if you're sure the changes don't need a CI build verification, please add [skip ci] to the changelog
Source code coding style and preferences follow the kernel coding style.
You can find the editor settings in .editorconfig and use the EditorConfig plugin to let your editor use that, or update your editor settings manually.
Testing
The documentation for writing and running tests can be found in tests/ and continuous integration/container images in ci/.
Development branches are tested by Github Action workflows.
Code coverage provided by codecov.io can be found here.
Documentation updates
Documentation fixes or updates do not need much explanation so sticking to the code rules in the previous section is not necessary. GitHub pull requests are OK, patches could be sent to me directly and are not required to also be on the mailing list. Pointing out typos via IRC also works, although they might get accidentally lost in the noise.
Documentation sources are written in RST and built by sphinx.
Third-party sources
Build dependencies are listed in INSTALL. Implementation of checksum/hash functions is provided by copies of the respective sources to avoid adding dependencies that would make deployments in rescue or limited environments harder. The implementations are portable and there are optimized versions for some architectures. Optionally it's possible to use libgcrypt, libsodium, libkcapi, Botan or OpenSSL implementations.
The builtin implementations use the following sources: CRC32C, XXHASH, SHA256, BLAKE2.
Some other code is borrowed from kernel, eg. the raid5 tables or data structure implementation (list, rb-tree).