MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-22 23:13:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

bcachefs: Don't trust sb->nr_devices in members_to_text()

Browse Source 
We have to be able to print superblock sections even if they fail to
validate (for debugging), so we have to calculate the number of entries
from the field size.

Reported-by: syzbot+5138f00559ffb3cb3610@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
This commit is contained in:
Kent Overstreet 2025-06-08 11:31:23 -04:00
parent 625c494db9
commit 205da7c026
1 changed files with 30 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
fs/bcachefs/sb-members.c
View File

@ -325,9 +325,17 @@ static void bch2_sb_members_v1_to_text(struct printbuf *out, struct bch_sb *sb,
{
struct bch_sb_field_members_v1 *mi = field_to_type(f, members_v1);
struct bch_sb_field_disk_groups *gi = bch2_sb_field_get(sb, disk_groups);
unsigned i;
for (i = 0; i < sb->nr_devices; i++)
if (vstruct_end(&mi->field) <= (void *) &mi->_members[0]) {
prt_printf(out, "field ends before start of entries");
return;
}
unsigned nr = (vstruct_end(&mi->field) - (void *) &mi->_members[0]) / sizeof(mi->_members[0]);
if (nr != sb->nr_devices)
prt_printf(out, "nr_devices mismatch: have %i entries, should be %u", nr, sb->nr_devices);
for (unsigned i = 0; i < min(sb->nr_devices, nr); i++)
member_to_text(out, members_v1_get(mi, i), gi, sb, i);
}
@ -341,9 +349,27 @@ static void bch2_sb_members_v2_to_text(struct printbuf *out, struct bch_sb *sb,
{
struct bch_sb_field_members_v2 *mi = field_to_type(f, members_v2);
struct bch_sb_field_disk_groups *gi = bch2_sb_field_get(sb, disk_groups);
unsigned i;
for (i = 0; i < sb->nr_devices; i++)
if (vstruct_end(&mi->field) <= (void *) &mi->_members[0]) {
prt_printf(out, "field ends before start of entries");
return;
}
if (!le16_to_cpu(mi->member_bytes)) {
prt_printf(out, "member_bytes 0");
return;
}
unsigned nr = (vstruct_end(&mi->field) - (void *) &mi->_members[0]) / le16_to_cpu(mi->member_bytes);
if (nr != sb->nr_devices)
prt_printf(out, "nr_devices mismatch: have %i entries, should be %u", nr, sb->nr_devices);
/*
* We call to_text() on superblock sections that haven't passed
* validate, so we can't trust sb->nr_devices.
*/
for (unsigned i = 0; i < min(sb->nr_devices, nr); i++)
member_to_text(out, members_v2_get(mi, i), gi, sb, i);
}