From: Gianfranco Trad <gianf.trad@gmail.com>
To: syzbot <syzbot+089fad5a3a5e77825426@syzkaller.appspotmail.com>,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in validate_sb_layout
Date: Wed, 23 Oct 2024 23:08:30 +0200 [thread overview]
Message-ID: <f605e8cd-2229-45d0-88c7-3dcae7eaa9e1@gmail.com> (raw)
In-Reply-To: <671955c2.050a0220.1e4b4d.0095.GAE@google.com>
[-- Attachment #1: Type: text/plain, Size: 9 bytes --]
#syz test
[-- Attachment #2: 0001-bcachefs-Fix-invalid-shift-in-validate_sb_layout.patch --]
[-- Type: text/x-patch, Size: 1632 bytes --]
From c6d6215d66e9bd3d10a11a8b940246fda0494f30 Mon Sep 17 00:00:00 2001
From: Gianfranco Trad <gianf.trad@gmail.com>
Date: Wed, 23 Oct 2024 23:01:11 +0200
Subject: [PATCH] bcachefs: Fix invalid shift in validate_sb_layout()
Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
---
fs/bcachefs/errcode.h | 1 +
fs/bcachefs/super-io.c | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/fs/bcachefs/errcode.h b/fs/bcachefs/errcode.h
index 649263516ab1..b6cbd716000b 100644
--- a/fs/bcachefs/errcode.h
+++ b/fs/bcachefs/errcode.h
@@ -222,6 +222,7 @@
x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_type) \
x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_nr_superblocks) \
x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_superblocks_overlap) \
+ x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_sb_max_size_bits) \
x(BCH_ERR_invalid_sb, invalid_sb_members_missing) \
x(BCH_ERR_invalid_sb, invalid_sb_members) \
x(BCH_ERR_invalid_sb, invalid_sb_disk_groups) \
diff --git a/fs/bcachefs/super-io.c b/fs/bcachefs/super-io.c
index ce7410d72089..44d0ac9b00dd 100644
--- a/fs/bcachefs/super-io.c
+++ b/fs/bcachefs/super-io.c
@@ -287,6 +287,11 @@ static int validate_sb_layout(struct bch_sb_layout *layout, struct printbuf *out
return -BCH_ERR_invalid_sb_layout_nr_superblocks;
}
+ if (layout->sb_max_size_bits > BCH_SB_LAYOUT_SIZE_BITS_MAX) {
+ prt_printf(out, "Invalid superblock layout: max_size_bits too high");
+ return -BCH_ERR_invalid_sb_layout_sb_max_size_bits;
+ }
+
max_sectors = 1 << layout->sb_max_size_bits;
prev_offset = le64_to_cpu(layout->sb_offset[0]);
--
2.43.0
next prev parent reply other threads:[~2024-10-23 21:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <32ac6a1f-4427-4ffc-8b18-d4942be5b751@gmail.com>
2024-10-23 20:00 ` [syzbot] [bcachefs?] UBSAN: shift-out-of-bounds in validate_sb_layout syzbot
2024-10-23 20:47 ` Gianfranco Trad
2024-10-23 21:13 ` syzbot
2024-10-23 21:08 ` Gianfranco Trad [this message]
2024-10-23 21:31 ` syzbot
2024-10-23 14:27 syzbot
2024-10-23 21:16 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f605e8cd-2229-45d0-88c7-3dcae7eaa9e1@gmail.com \
--to=gianf.trad@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+089fad5a3a5e77825426@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox