lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <epfc24ypenk5tnps6o53sjchdgup7ix4hg5aosege6orodavab@4diqwzz6v7wm>
Date: Thu, 4 Dec 2025 14:03:18 -0500
From: Kent Overstreet <kent.overstreet@...ux.dev>
To: Mikhail Dmitrichenko <mdmitrichenko@...ralinux.ru>
Cc: linux-bcachefs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	lvc-project@...uxtesting.org
Subject: Re: [PATCH] bcachefs: fix potential NULL deref in
 bch2_sb_members_v2_init

On Tue, Dec 02, 2025 at 08:20:46PM +0300, Mikhail Dmitrichenko wrote:
> bch2_sb_members_v2_init calls bch2_sb_field_resize to allocate the
> members_v2 superblock field, but does not check the returned pointer
> before dereferencing it. bch2_sb_field_resize may return NULL if
> superblock reallocation fails. In this case dereferencing mi2=NULL
> will cause crash during superblock upgrade from members_v1 to members_v2.
> 
> Add check for bch2_sb_field_resize call result for NULL.
> sb_members_v2_resize_entries function already has such check and returns
> error in this case. Make bch2_sb_members_v2_init() consistent and return
> the same error.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 3f7b9713dae0 ("bcachefs: New superblock section members_v2")
> Signed-off-by: Mikhail Dmitrichenko <mdmitrichenko@...ralinux.ru>

Thanks! Applied.

> ---
>  fs/bcachefs/sb/members.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/bcachefs/sb/members.c b/fs/bcachefs/sb/members.c
> index 8bf8f5ca3470..a610426b6013 100644
> --- a/fs/bcachefs/sb/members.c
> +++ b/fs/bcachefs/sb/members.c
> @@ -116,6 +116,9 @@ int bch2_sb_members_v2_init(struct bch_fs *c)
>  				DIV_ROUND_UP(sizeof(*mi2) +
>  					     sizeof(struct bch_member) * c->sb.nr_devices,
>  					     sizeof(u64)));
> +		if (!mi2)
> +			return bch_err_throw(c, ENOSPC_sb_members_v2);
> +
>  		mi1 = bch2_sb_field_get(c->disk_sb.sb, members_v1);
>  		memcpy(&mi2->_members[0], &mi1->_members[0],
>  		       BCH_MEMBER_V1_BYTES * c->sb.nr_devices);
> -- 
> 2.39.2
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ