| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_816D842DE96C309554E8E2ED9ACC6078120A@qq.com>
Date: Tue, 7 May 2024 17:19:29 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+c48865e11e7e893ec4ab@...kaller.appspotmail.com
Cc: bfoster@...hat.com,
kent.overstreet@...ux.dev,
linux-bcachefs@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: [PATCH] bcachefs: fix oob in bch2_sb_clean_to_text
When got too small clean field, entry will never equal vstruct_end(&clean->field),
the dead loop resulted in out of bounds access.
Fixes: 12bf93a429c9 ("bcachefs: Add .to_text() methods for all superblock sections")
Fixes: a37ad1a3aba9 ("bcachefs: sb-clean.c")
Reported-and-tested-by: syzbot+c48865e11e7e893ec4ab@...kaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
fs/bcachefs/sb-clean.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/bcachefs/sb-clean.c b/fs/bcachefs/sb-clean.c
index 5980ba2563fe..02101687853e 100644
--- a/fs/bcachefs/sb-clean.c
+++ b/fs/bcachefs/sb-clean.c
@@ -285,7 +285,7 @@ static void bch2_sb_clean_to_text(struct printbuf *out, struct bch_sb *sb,
prt_newline(out);
for (entry = clean->start;
- entry != vstruct_end(&clean->field);
+ entry < vstruct_end(&clean->field);
entry = vstruct_next(entry)) {
if (entry->type == BCH_JSET_ENTRY_btree_keys &&
!entry->u64s)
--
2.43.0
Powered by blists - more mailing lists