* [PATCH] fix : slab-out-of-bounds Read in bch2_sb_members_v2_to_text
@ 2025-06-09 7:56 Abhinav Ananthu
2025-06-09 13:37 ` Kent Overstreet
From: Abhinav Ananthu @ 2025-06-09 7:56 UTC
To: kent.overstreet
Cc: linux-bcachefs, linux-kernel, Abhinav Ananthu, syzbot+5138f00559ffb3cb3610
BUG: KASAN: slab-out-of-bounds in members_v2_get fs/bcachefs/sb-members.c:68 [inline]
BUG: KASAN: slab-out-of-bounds in bch2_sb_members_v2_to_text+0x1ae/0x310 fs/bcachefs/sb-members.c:347
bcachefs: fix slab-out-of-bounds read in bch2_sb_members_v2_to_text
syzbot reported a slab-out-of-bounds read in bch2_sb_members_v2_to_text().
This function parses superblock member entries from a serialized array,
but did not properly validate the bounds of each entry before accessing it.
When the function iterated over v->entries[], it assumed each
bch_sb_field_members_v2_entry was fully contained within the buffer.
However, if the structure was truncated or malformed, this could lead to
reads beyond the end of the allocated slab, triggering memory safety bugs
under KASAN and potentially leading to undefined behavior.
This patch adds a bounds check to ensure the offset does not exceed the
total size of the entries buffer before accessing each entry. This
prevents out-of-bounds access and resolves the bug.
Reported-by: syzbot+5138f00559ffb3cb3610@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=<5138f00559ffb3cb3610>
Fixes: 1c8dfd7ba50dbbb72113caf4fa7868512cdad2f4("KASAN: slab-out-of-bounds Read in bch2_sb_members_v2_to_text")
Signed-off-by: Abhinav Ananthu <abhinav.ogl@gmail.com>
---
fs/bcachefs/sb-members.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/bcachefs/sb-members.c b/fs/bcachefs/sb-members.c
index 77809ee23c45..9f137cf7d33e 100644
--- a/fs/bcachefs/sb-members.c
+++ b/fs/bcachefs/sb-members.c
@@ -64,6 +64,12 @@ struct bch_member *bch2_members_v2_get_mut(struct bch_sb *sb, int i)
static struct bch_member members_v2_get(struct bch_sb_field_members_v2 *mi, int i)
{
struct bch_member ret, *p = __bch2_members_v2_get_mut(mi, i);
+ size_t array_size = le32_to_cpu(mi->field.u64s)*8-16;
+ size_t member_bytes = le16_to_cpu(mi->member_bytes);
+ if (i < 0 || (member_bytes && i >= array_size / member_bytes)) {
+ memset(&ret, 0, sizeof(ret));
+ return ret;
+ }
memset(&ret, 0, sizeof(ret));
memcpy(&ret, p, min_t(size_t, le16_to_cpu(mi->member_bytes), sizeof(ret)));
return ret;
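Review bot: the new guard runs after `p` has already been computed by `__bch2_members_v2_get_mut(mi, i)`, and `array_size = le32_to_cpu(mi->field.u64s)*8-16` underflows when the field is smaller than its 16-byte header (`size_t` is unsigned), so a truncated field produces a huge bound and the check passes. Move the check ahead of the pointer computation and take the array end from the field itself rather than by subtracting a magic 16 (the reply in this thread uses `vstruct_end(&mi->field)` for that), and reject `member_bytes == 0` explicitly: as written, `(member_bytes && ...)` leaves the index unchecked whenever `member_bytes` is zero. The early-return path also duplicates the `memset(&ret, 0, sizeof(ret))` that follows it; hoist one copy above the `if`. More fundamentally, returning a zeroed member silently hides the corruption: `bch2_sb_members_v2_to_text()` still loops over `sb->nr_devices` and prints blank entries with no diagnostic, so the caller that trusts the unvalidated count stays unfixed. Style: kernel style wants spaces around `*` and `-` in the `array_size` expression.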
--
2.34.1
* Re: [PATCH] fix : slab-out-of-bounds Read in bch2_sb_members_v2_to_text
2025-06-09 7:56 [PATCH] fix : slab-out-of-bounds Read in bch2_sb_members_v2_to_text Abhinav Ananthu
@ 2025-06-09 13:37 ` Kent Overstreet
From: Kent Overstreet @ 2025-06-09 13:37 UTC
To: Abhinav Ananthu; +Cc: linux-bcachefs, linux-kernel, syzbot+5138f00559ffb3cb3610
On Mon, Jun 09, 2025 at 01:26:14PM +0530, Abhinav Ananthu wrote:
> BUG: KASAN: slab-out-of-bounds in members_v2_get fs/bcachefs/sb-members.c:68 [inline]
> BUG: KASAN: slab-out-of-bounds in bch2_sb_members_v2_to_text+0x1ae/0x310 fs/bcachefs/sb-members.c:347
>
> bcachefs: fix slab-out-of-bounds read in bch2_sb_members_v2_to_text
>
> syzbot reported a slab-out-of-bounds read in bch2_sb_members_v2_to_text().
> This function parses superblock member entries from a serialized array,
> but did not properly validate the bounds of each entry before accessing it.
>
> When the function iterated over v->entries[], it assumed each
> bch_sb_field_members_v2_entry was fully contained within the buffer.
> However, if the structure was truncated or malformed, this could lead to
> reads beyond the end of the allocated slab, triggering memory safety bugs
> under KASAN and potentially leading to undefined behavior.
>
> This patch adds a bounds check to ensure the offset does not exceed the
> total size of the entries buffer before accessing each entry. This
> prevents out-of-bounds access and resolves the bug.
>
> Reported-by: syzbot+5138f00559ffb3cb3610@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=<5138f00559ffb3cb3610>
> Fixes: 1c8dfd7ba50dbbb72113caf4fa7868512cdad2f4("KASAN: slab-out-of-bounds Read in bch2_sb_members_v2_to_text")
> Signed-off-by: Abhinav Ananthu <abhinav.ogl@gmail.com>
I already have a better fix:
commit 3811a2d49e0d27cb120a617d461b171a268fb029
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Sun Jun 8 11:31:23 2025 -0400
bcachefs: Don't trust sb->nr_devices in members_to_text()
We have to be able to print superblock sections even if they fail to
validate (for debugging), so we have to calculate the number of entries
from the field size.
Reported-by: syzbot+5138f00559ffb3cb3610@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
diff --git a/fs/bcachefs/sb-members.c b/fs/bcachefs/sb-members.c
index 363eb0c6eb7c..c673e76ca27f 100644
--- a/fs/bcachefs/sb-members.c
+++ b/fs/bcachefs/sb-members.c
@@ -325,9 +325,12 @@ static void bch2_sb_members_v1_to_text(struct printbuf *out, struct bch_sb *sb,
{
struct bch_sb_field_members_v1 *mi = field_to_type(f, members_v1);
struct bch_sb_field_disk_groups *gi = bch2_sb_field_get(sb, disk_groups);
- unsigned i;
+ int nr = (vstruct_end(&mi->field) - (void *) &gi->entries[0]) / sizeof(gi->entries[0]);
+
+ if (nr != sb->nr_devices)
+ prt_printf(out, "nr_devices mismatch: have %i entries, should be %u", nr, sb->nr_devices);
- for (i = 0; i < sb->nr_devices; i++)
+ for (int i = 0; i < nr; i++)
member_to_text(out, members_v1_get(mi, i), gi, sb, i);
}
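Review bot: `nr` is computed from `&gi->entries[0]`, the disk_groups section, rather than from the members array in `mi` whose end `vstruct_end(&mi->field)` supplies; `gi` comes from `bch2_sb_field_get(sb, disk_groups)` and may be NULL when that section is absent, so the subtraction is between unrelated objects and can give a nonsense or negative count. Use the start of `mi`'s member array (the one `members_v1_get()` indexes) as the base. Two smaller points: the `prt_printf` mismatch message has no trailing newline, so the first `member_to_text()` output is appended to the same line, and this hunk lacks the comment the v2 hunk carries explaining why `sb->nr_devices` cannot be trusted here.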
@@ -341,9 +344,17 @@ static void bch2_sb_members_v2_to_text(struct printbuf *out, struct bch_sb *sb,
{
struct bch_sb_field_members_v2 *mi = field_to_type(f, members_v2);
struct bch_sb_field_disk_groups *gi = bch2_sb_field_get(sb, disk_groups);
- unsigned i;
+ int nr = (vstruct_end(&mi->field) - (void *) &gi->entries[0]) / le16_to_cpu(mi->member_bytes);
+
+ if (nr != sb->nr_devices)
+ prt_printf(out, "nr_devices mismatch: have %i entries, should be %u", nr, sb->nr_devices);
+
+ /*
+ * We call to_text() on superblock sections that haven't passed
+ * validate, so we can't trust sb->nr_devices.
+ */
- for (i = 0; i < sb->nr_devices; i++)
+ for (int i = 0; i < nr; i++)
member_to_text(out, members_v2_get(mi, i), gi, sb, i);
}
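Review bot: same base-pointer problem as the v1 hunk: `nr` subtracts `&gi->entries[0]` (disk_groups, possibly NULL) instead of the first member in `mi`. In addition, the divisor `le16_to_cpu(mi->member_bytes)` comes from an image that, as the new comment states, has not passed validate, so a zero `member_bytes` divides by zero in this printing path; check for zero before dividing and print a diagnostic instead. Consider moving the comment block above the `nr` computation it explains, and adding a newline to the mismatch message so the first member's line does not run on from it.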
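The approach both messages describe, as an added stand-alone example that is not code from either patch or from the bcachefs tree: the 16-byte field header (`struct field_hdr`, a made-up layout standing in for a size-in-u64s header plus a per-entry size), the decoded entry (`struct member`) and the function names `count_entries()`, `get_member()` and `build_image()` are all assumptions, and host byte order is used where the kernel uses le32_to_cpu()/le16_to_cpu(). It derives the entry count from the field size as Kent's hunk does, reports a mismatch against the untrusted device count instead of looping over it, and handles the malformed inputs the first patch's arithmetic or an unchecked divisor would mishandle: a field shorter than its own header, a field claiming more bytes than the buffer holds, and `member_bytes == 0`.

```c
/* Added example, not bcachefs code: a toy "members" section parser that
 * trusts only the field size, never a header-supplied device count. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 16-byte on-disk field header (assumed layout). */
struct field_hdr {
	uint32_t u64s;         /* whole field, header included, in 8-byte units */
	uint32_t type;
	uint16_t member_bytes; /* size of one serialized entry, untrusted */
	uint8_t  pad[6];
};

/* Hypothetical decoded entry; on-disk entries may be shorter or longer. */
struct member {
	uint64_t uuid_lo;
	uint64_t nbuckets;
};

struct field_info {
	int nr;       /* entries implied by the field size; -1 if malformed */
	int mismatch; /* 1 if the header's device count disagrees with nr */
};

/* Count entries from the field size alone, rejecting every shape that
 * would make the later pointer arithmetic or division unsafe. */
struct field_info count_entries(const uint8_t *buf, size_t buf_len, unsigned nr_devices)
{
	struct field_info info = { -1, 0 };
	struct field_hdr hdr;

	if (buf_len < sizeof(hdr))
		return info;
	memcpy(&hdr, buf, sizeof(hdr));

	size_t field_bytes = (size_t) hdr.u64s * 8;
	/* Both tests are needed: the field must fit in the buffer and must
	 * hold at least its header, or "u64s*8 - 16" would wrap around. */
	if (field_bytes > buf_len || field_bytes < sizeof(hdr))
		return info;
	/* A zero entry size is a corrupt image, not a divisor. */
	if (hdr.member_bytes == 0)
		return info;

	info.nr = (int) ((field_bytes - sizeof(hdr)) / hdr.member_bytes);
	info.mismatch = (unsigned) info.nr != nr_devices;
	return info;
}

/* Bounded read of entry i: returns 1 on success, 0 (and a zeroed struct)
 * when i is outside the entries the field actually contains. */
int get_member(const uint8_t *buf, size_t buf_len, int i, struct member *out)
{
	struct field_info info = count_entries(buf, buf_len, 0);
	struct field_hdr hdr;

	memset(out, 0, sizeof(*out));
	if (info.nr < 0 || i < 0 || i >= info.nr)
		return 0;
	memcpy(&hdr, buf, sizeof(hdr));
	const uint8_t *p = buf + sizeof(hdr) + (size_t) i * hdr.member_bytes;
	/* Copy what is on disk, capped at the in-memory struct size. */
	size_t n = (size_t) hdr.member_bytes < sizeof(*out) ? hdr.member_bytes : sizeof(*out);
	memcpy(out, p, n);
	return 1;
}

/* Build a constructed image with nr entries of member_bytes each;
 * returns the image length, or 0 if it does not fit or is unaligned. */
size_t build_image(uint8_t *buf, size_t cap, int nr, uint16_t member_bytes)
{
	size_t total = sizeof(struct field_hdr) + (size_t) nr * member_bytes;
	if (total > cap || total % 8)
		return 0;
	struct field_hdr hdr = { .u64s = (uint32_t) (total / 8), .type = 1,
				 .member_bytes = member_bytes };
	memset(buf, 0, total);
	memcpy(buf, &hdr, sizeof(hdr));
	for (int i = 0; i < nr; i++) {
		struct member m = { .uuid_lo = 0x1000 + i, .nbuckets = 100 * (i + 1) };
		size_t n = member_bytes < sizeof(m) ? member_bytes : sizeof(m);
		memcpy(buf + sizeof(hdr) + (size_t) i * member_bytes, &m, n);
	}
	return total;
}

int main(void)
{
	uint8_t buf[64];
	size_t n = build_image(buf, sizeof buf, 3, 16);
	/* The header's device count "5" is a lie; the field holds 3 entries. */
	struct field_info fi = count_entries(buf, n, 5);
	printf("entries from field size: %d, nr_devices mismatch: %d\n", fi.nr, fi.mismatch);
	for (int i = 0; i < fi.nr; i++) { /* loop over the derived count */
		struct member m;
		get_member(buf, n, i, &m);
		printf("member %d: nbuckets=%llu\n", i, (unsigned long long) m.nbuckets);
	}
	return 0;
}
```

The printing loop runs to the derived `nr`, so a header claiming more devices than the field contains produces a mismatch line rather than reads past the end, which is the change Kent's hunk makes; the first patch's check, by contrast, sits inside the per-entry getter and leaves the caller's loop bound unchanged.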