Commit 2045fc42 authored Oct 23, 2024 by Gianfranco Trad Committed by Kent Overstreet Oct 24, 2024

bcachefs: Fix invalid shift in validate_sb_layout()

Add check on layout->sb_max_size_bits against BCH_SB_LAYOUT_SIZE_BITS_MAX
to prevent UBSAN shift-out-of-bounds in validate_sb_layout().

Reported-by: <syzbot+089fad5a3a5e77825426@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=089fad5a3a5e77825426

Fixes: 03ef80b4 ("bcachefs: Ignore unknown mount options")
Tested-by: <syzbot+089fad5a3a5e77825426@syzkaller.appspotmail.com>
Signed-off-by: Gianfranco Trad <gianf.trad@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

parent a069f014

fs/bcachefs/errcode.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -222,6 +222,7 @@
		x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_type) \
		x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_nr_superblocks) \
		x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_superblocks_overlap) \
		x(BCH_ERR_invalid_sb_layout, invalid_sb_layout_sb_max_size_bits) \
		x(BCH_ERR_invalid_sb, invalid_sb_members_missing) \
		x(BCH_ERR_invalid_sb, invalid_sb_members) \
		x(BCH_ERR_invalid_sb, invalid_sb_disk_groups) \

fs/bcachefs/super-io.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -287,6 +287,11 @@ static int validate_sb_layout(struct bch_sb_layout layout, struct printbuf out
		return -BCH_ERR_invalid_sb_layout_nr_superblocks;
		}

		if (layout->sb_max_size_bits > BCH_SB_LAYOUT_SIZE_BITS_MAX) {
		prt_printf(out, "Invalid superblock layout: max_size_bits too high");
		return -BCH_ERR_invalid_sb_layout_sb_max_size_bits;
		}

		max_sectors = 1 << layout->sb_max_size_bits;

		prev_offset = le64_to_cpu(layout->sb_offset[0]);