lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <696095ab.050a0220.1c677c.03b4.GAE@google.com>
Date: Thu, 08 Jan 2026 21:44:11 -0800
From: syzbot <syzbot+b4a2af3000eaa84d95d5@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] btrfs: validate block device block size before
 reading superblock

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] btrfs: validate block device block size before reading superblock
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When mounting a block device with a block size larger than PAGE_SIZE,
the buffer head allocation in folio_alloc_buffers() returns NULL because
the allocation loop never executes when blocksize > folio_size. This
leads to a NULL pointer dereference in create_empty_buffers() when
accessing bh->b_state.

The crash was triggered by syzbot mounting a null_blk device as btrfs,
where the block device had a block size exceeding PAGE_SIZE.

Add validation in btrfs_read_disk_super() to reject block devices with
block sizes larger than PAGE_SIZE before attempting to read the
superblock.

Reported-by: syzbot+b4a2af3000eaa84d95d5@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b4a2af3000eaa84d95d5
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/btrfs/volumes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 13c514684cfb..d79e2a19c046 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1341,6 +1341,9 @@ struct btrfs_super_block *btrfs_read_disk_super(struct block_device *bdev,
 	struct address_space *mapping = bdev->bd_mapping;
 	int ret;
 
+	if (!mapping->host ||
+	    (1 << mapping->host->i_blkbits) > PAGE_SIZE)
+		return ERR_PTR(-EINVAL);
 	bytenr_orig = btrfs_sb_offset(copy_num);
 	ret = btrfs_sb_log_location_bdev(bdev, copy_num, READ, &bytenr);
 	if (ret < 0) {
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ