From: syzbot <syzbot+9833a1d29d4a44361e2c@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] [PATCH] bcachefs: guard against invalid bits_per_field in bch2_bkey_format_invalid
Date: Wed, 08 May 2024 17:22:37 -0700
Message-ID: <0000000000008daaac0617fa6a18@google.com>
In-Reply-To: <0000000000006a59f00617ecd989@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] bcachefs: guard against invalid bits_per_field in bch2_bkey_format_invalid
Author: cam.alvarez.i@gmail.com
#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
A check for a valid value for bits_per_field is performed for each field before computing packed_max.
If bits_per_field is invalid for any field the whole format is deemed
invalid.
Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
---
fs/bcachefs/bcachefs_format.h | 8 ++++++++
fs/bcachefs/bkey.c | 17 +++++++++++++++--
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/fs/bcachefs/bcachefs_format.h b/fs/bcachefs/bcachefs_format.h
index d5b90439e581..23eb04148724 100644
--- a/fs/bcachefs/bcachefs_format.h
+++ b/fs/bcachefs/bcachefs_format.h
@@ -318,6 +318,14 @@ enum bch_bkey_fields {
#define bkey_format_field(name, field) \
[BKEY_FIELD_##name] = (sizeof(((struct bkey *) NULL)->field) * 8)
+#define BCH_BKEY_FIELDS() \
+ x(INODE, p.inode) \
+ x(OFFSET, p.offset) \
+ x(SNAPSHOT, p.snapshot) \
+ x(SIZE, size) \
+ x(VERSION_HI, version.hi) \
+ x(VERSION_LO, version.lo)
+
#define BKEY_FORMAT_CURRENT \
((struct bkey_format) { \
.key_u64s = BKEY_U64s, \
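Review bot: BCH_BKEY_FIELDS() is a second hand-maintained list of the key fields next to enum bch_bkey_fields (named in the hunk header), and nothing ties the two together. Because bkey_format_field() expands to a designated initializer, [BKEY_FIELD_##name] = ..., a field added to the enum but left out of this list would give the array built from it in bkey.c a missing or zero entry for that index. Consider generating the enum from this x-macro as well, or adding a compile-time size check where the array is defined, and add a one-line comment saying what the list is for.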
diff --git a/fs/bcachefs/bkey.c b/fs/bcachefs/bkey.c
index 76e79a15ba08..b6004b5f77e0 100644
--- a/fs/bcachefs/bkey.c
+++ b/fs/bcachefs/bkey.c
@@ -638,6 +638,13 @@ struct bkey_format bch2_bkey_format_done(struct bkey_format_state *s)
return ret;
}
+static unsigned bch2_max_bits_per_field[] = {
+#define x(name, field) \
+ bkey_format_field(name, field),
+ BCH_BKEY_FIELDS()
+#undef x
+};
+
int bch2_bkey_format_invalid(struct bch_fs *c,
struct bkey_format *f,
enum bkey_invalid_flags flags,
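Review bot: bch2_max_bits_per_field[] is only initialized here and is only read in the check added in the next hunk, so it should be declared static const unsigned rather than static unsigned; as posted, a table that a validation check depends on is writable. Its length is set by the highest designated index that BCH_BKEY_FIELDS() produces, so a static assertion that the length matches the number of fields iterated in bch2_bkey_format_invalid() would keep the index i used in the next hunk provably in range.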
@@ -659,8 +666,14 @@ int bch2_bkey_format_invalid(struct bch_fs *c,
if (!c || c->sb.version_min >= bcachefs_metadata_version_snapshot) {
unsigned unpacked_bits = bch2_bkey_format_current.bits_per_field[i];
u64 unpacked_max = ~((~0ULL << 1) << (unpacked_bits - 1));
- u64 packed_max = f->bits_per_field[i]
- ? ~((~0ULL << 1) << (f->bits_per_field[i] - 1))
+ unsigned bits_per_field = f->bits_per_field[i];
+ if (bits_per_field > bch2_max_bits_per_field[i]) {
+ prt_printf(err, "field %u uses more bits than allowed: %u > %u",
+ i, bits_per_field, bch2_max_bits_per_field[i]);
+ return -BCH_ERR_invalid;
+ }
+ u64 packed_max = bits_per_field
+ ? ~((~0ULL << 1) << (bits_per_field - 1))
: 0;
u64 field_offset = le64_to_cpu(f->field_offset[i]);
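Review bot: the bound in the new test, if (bits_per_field > bch2_max_bits_per_field[i]), duplicates a value that is already in scope: unpacked_bits, read from bch2_bkey_format_current.bits_per_field[i] two lines earlier, looks like the same per-field width. If it is, comparing against unpacked_bits would make the new table and the BCH_BKEY_FIELDS() macro unnecessary. Separately, the check sits inside the if (!c || c->sb.version_min >= bcachefs_metadata_version_snapshot) block, so a format on a filesystem that fails that condition is not rejected here; if an oversized bits_per_field is invalid regardless of version, move the test above that condition. The ternary that follows still covers bits_per_field == 0.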
--
2.34.1
Thread overview: 2+ messages
2024-05-08 8:11 [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in bch2_bkey_format_invalid syzbot
2024-05-09 0:22 ` syzbot [this message]