Message-ID: <0000000000008daaac0617fa6a18@google.com>
Date: Wed, 08 May 2024 17:22:37 -0700
From: syzbot <syzbot+9833a1d29d4a44361e2c@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org
Subject: Re: [syzbot] [PATCH] bcachefs: guard against invalid bits_per_field
in bch2_bkey_format_invalid
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org.
***
Subject: [PATCH] bcachefs: guard against invalid bits_per_field in bch2_bkey_format_invalid
Author: cam.alvarez.i@...il.com
#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
A check for a valid value for bits_per_field is performed for each field before computing packed_max.
If bits_per_field is invalid for any field the whole format is deemed
invalid.
Signed-off-by: Camila Alvarez <cam.alvarez.i@...il.com>
---
fs/bcachefs/bcachefs_format.h | 8 ++++++++
fs/bcachefs/bkey.c | 17 +++++++++++++++--
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/fs/bcachefs/bcachefs_format.h b/fs/bcachefs/bcachefs_format.h
index d5b90439e581..23eb04148724 100644
--- a/fs/bcachefs/bcachefs_format.h
+++ b/fs/bcachefs/bcachefs_format.h
@@ -318,6 +318,14 @@ enum bch_bkey_fields {
#define bkey_format_field(name, field) \
[BKEY_FIELD_##name] = (sizeof(((struct bkey *) NULL)->field) * 8)
+#define BCH_BKEY_FIELDS() \
+ x(INODE, p.inode) \
+ x(OFFSET, p.offset) \
+ x(SNAPSHOT, p.snapshot) \
+ x(SIZE, size) \
+ x(VERSION_HI, version.hi) \
+ x(VERSION_LO, version.lo)
+
#define BKEY_FORMAT_CURRENT \
((struct bkey_format) { \
.key_u64s = BKEY_U64s, \
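Review bot: `BCH_BKEY_FIELDS()` adds a second hand-maintained list of key fields with no comment saying what it must stay in sync with. It is later used to build the per-field bit limits, so a field added to `enum bch_bkey_fields` but not to this list would presumably get a zero-initialised limit in the derived table and be rejected for any non-zero width. I would add a comment above the macro such as `/* One x() entry per BKEY_FIELD_* in enum bch_bkey_fields; the per-field bit limits are generated from this list. */`. If `BKEY_FORMAT_CURRENT`, whose initializer continues past this hunk, lists the same fields, generating it from this macro would remove the duplication.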
diff --git a/fs/bcachefs/bkey.c b/fs/bcachefs/bkey.c
index 76e79a15ba08..b6004b5f77e0 100644
--- a/fs/bcachefs/bkey.c
+++ b/fs/bcachefs/bkey.c
@@ -638,6 +638,13 @@ struct bkey_format bch2_bkey_format_done(struct bkey_format_state *s)
return ret;
}
+static unsigned bch2_max_bits_per_field[] = {
+#define x(name, field) \
+ bkey_format_field(name, field),
+ BCH_BKEY_FIELDS()
+#undef x
+};
+
int bch2_bkey_format_invalid(struct bch_fs *c,
struct bkey_format *f,
enum bkey_invalid_flags flags,
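Review bot: `bch2_max_bits_per_field` is declared `static unsigned ...[]` without `const`, although it is a fixed validation bound that nothing in this patch writes to. Declaring it as `static const unsigned bch2_max_bits_per_field[] = {` would place it in read-only data. Its length is implied only by the designated initializers, while the next hunk indexes it with the loop counter `i`. An explicit size such as `[BKEY_NR_FIELDS]` would make that bound visible at the declaration, assuming that is the count the loop runs to.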
@@ -659,8 +666,14 @@ int bch2_bkey_format_invalid(struct bch_fs *c,
if (!c || c->sb.version_min >= bcachefs_metadata_version_snapshot) {
unsigned unpacked_bits = bch2_bkey_format_current.bits_per_field[i];
u64 unpacked_max = ~((~0ULL << 1) << (unpacked_bits - 1));
- u64 packed_max = f->bits_per_field[i]
- ? ~((~0ULL << 1) << (f->bits_per_field[i] - 1))
+ unsigned bits_per_field = f->bits_per_field[i];
+ if (bits_per_field > bch2_max_bits_per_field[i]) {
+ prt_printf(err, "field %u uses more bits than allowed: %u > %u",
+ i, bits_per_field, bch2_max_bits_per_field[i]);
+ return -BCH_ERR_invalid;
+ }
+ u64 packed_max = bits_per_field
+ ? ~((~0ULL << 1) << (bits_per_field - 1))
: 0;
u64 field_offset = le64_to_cpu(f->field_offset[i]);
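Review bot: The new bound on `bits_per_field` sits inside the `if (!c || c->sb.version_min >= bcachefs_metadata_version_snapshot)` branch, so a format read from a filesystem with an older `version_min` is accepted without it. The out-of-range shift that computes `packed_max` is in the same branch and is covered, but this hunk does not show whether other code that trusts `f->bits_per_field[i]` is reached for those filesystems. Doing the comparison before the version test would validate every on-disk format. The limit could also come from `unpacked_bits`, already computed two lines earlier, as `if (bits_per_field > unpacked_bits) {`, assuming `bch2_bkey_format_current` holds the same per-field widths as the new table. The enclosing loop and function body start and end outside the hunk.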
--
2.34.1