lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241031231823.688918-2-pZ010001011111@proton.me>
Date: Thu, 31 Oct 2024 23:22:17 +0000
From: Piotr Zalewski <pZ010001011111@...ton.me>
To: kent.overstreet@...ux.dev, linux-bcachefs@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: skhan@...uxfoundation.org, Piotr Zalewski <pZ010001011111@...ton.me>, syzbot+bee87a0c3291c06aa8c6@...kaller.appspotmail.com
Subject: [PATCH] Fix wrong max check in bch2_opt_validate

Use opt->max-1 in bch2_opt_validate when option type is BCH_OPT_STR. When
option type is BCH_OPT_STR, real option's max is one less than the max
value stored in option structure.

Reported-by: syzbot+bee87a0c3291c06aa8c6@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bee87a0c3291c06aa8c6
Fixes: 63c4b2545382 ("bcachefs: Better superblock opt validation")
Signed-off-by: Piotr Zalewski <pZ010001011111@...ton.me>
---
 fs/bcachefs/opts.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/bcachefs/opts.c b/fs/bcachefs/opts.c
index 83f55cf99d46..bffcbe6a6fd0 100644
--- a/fs/bcachefs/opts.c
+++ b/fs/bcachefs/opts.c
@@ -290,6 +290,8 @@ static int bch2_mount_opt_lookup(const char *name)
 
 int bch2_opt_validate(const struct bch_option *opt, u64 v, struct printbuf *err)
 {
+	const u64 opt_max = opt->type == BCH_OPT_STR ? opt->max - 1 : opt->max;
+
 	if (v < opt->min) {
 		if (err)
 			prt_printf(err, "%s: too small (min %llu)",
@@ -297,10 +299,10 @@ int bch2_opt_validate(const struct bch_option *opt, u64 v, struct printbuf *err)
 		return -BCH_ERR_ERANGE_option_too_small;
 	}
 
-	if (opt->max && v >= opt->max) {
+	if (opt->max && v >= opt_max) {
 		if (err)
 			prt_printf(err, "%s: too big (max %llu)",
-			       opt->attr.name, opt->max);
+			       opt->attr.name, opt_max);
 		return -BCH_ERR_ERANGE_option_too_big;
 	}
 
-- 
2.47.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ