Check that bits_per_field holds a valid value for each field before
computing packed_max.
If bits_per_field is invalid for any field, the whole format is deemed
invalid.

Reported-by: [email protected]
Signed-off-by: Camila Alvarez <[email protected]>
---
 fs/bcachefs/bcachefs_format.h |  8 ++++++++
 fs/bcachefs/bkey.c            | 18 ++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/fs/bcachefs/bcachefs_format.h b/fs/bcachefs/bcachefs_format.h
index d5b90439e581..9e688a8d780f 100644
--- a/fs/bcachefs/bcachefs_format.h
+++ b/fs/bcachefs/bcachefs_format.h
@@ -318,6 +318,14 @@ enum bch_bkey_fields {
 #define bkey_format_field(name, field)                                 \
        [BKEY_FIELD_##name] = (sizeof(((struct bkey *) NULL)->field) * 8)
 
+#define BCH_BKEY_FIELDS()                                              \
+       x(INODE,        p.inode)                                        \
+       x(OFFSET,       p.offset)                                       \
+       x(SNAPSHOT,     p.snapshot)                                     \
+       x(SIZE,         size)                                           \
+       x(VERSION_HI,   version.hi)                                     \
+       x(VERSION_LO,   version.lo)     
+
 #define BKEY_FORMAT_CURRENT                                            \
 ((struct bkey_format) {                                                        
\
        .key_u64s       = BKEY_U64s,                                    \
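Review bot: BCH_BKEY_FIELDS() is added without a comment saying what the list must stay in sync with. Each `x(name, field)` is meant to expand through `bkey_format_field` into `[BKEY_FIELD_##name] = ...`, so a field later added to `enum bch_bkey_fields` but not to this list would leave a zero or missing limit in any table built from it. I would add `/* One x() per enum bch_bkey_fields entry; 'field' is the struct bkey member whose size bounds it. */` above the macro. The last entry, `x(VERSION_LO, version.lo)`, also carries trailing whitespace.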
diff --git a/fs/bcachefs/bkey.c b/fs/bcachefs/bkey.c
index 76e79a15ba08..f7847c96a105 100644
--- a/fs/bcachefs/bkey.c
+++ b/fs/bcachefs/bkey.c
@@ -638,6 +638,13 @@ struct bkey_format bch2_bkey_format_done(struct 
bkey_format_state *s)
        return ret;
 }
 
+static unsigned bch2_max_bits_per_field[] = {
+#define x(name, field) \
+       bkey_format_field(name, field),
+       BCH_BKEY_FIELDS()
+#undef x
+};
+
 int bch2_bkey_format_invalid(struct bch_fs *c,
                             struct bkey_format *f,
                             enum bkey_invalid_flags flags,
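Review bot: `bch2_max_bits_per_field` is a limit table used to validate on-disk data, yet it is declared as a mutable, unsized array. Nothing in the visible lines writes to it, so `static const unsigned bch2_max_bits_per_field[] = {` would keep the limits in read-only data. Its length comes from the highest designator in BCH_BKEY_FIELDS(), while the loop that indexes it with `i` is bounded outside this hunk. A `BUILD_BUG_ON(ARRAY_SIZE(bch2_max_bits_per_field) != BKEY_NR_FIELDS);` in the validator would make the in-bounds assumption explicit, assuming BKEY_NR_FIELDS is the count of `enum bch_bkey_fields`.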
@@ -659,8 +666,15 @@ int bch2_bkey_format_invalid(struct bch_fs *c,
                if (!c || c->sb.version_min >= 
bcachefs_metadata_version_snapshot) {
                        unsigned unpacked_bits = 
bch2_bkey_format_current.bits_per_field[i];
                        u64 unpacked_max = ~((~0ULL << 1) << (unpacked_bits - 
1));
-                       u64 packed_max = f->bits_per_field[i]
-                               ? ~((~0ULL << 1) << (f->bits_per_field[i] - 1))
+                       unsigned bits_per_field = f->bits_per_field[i];
+
+                       if (bits_per_field > bch2_max_bits_per_field[i]) {
+                               prt_printf(err, "field %u uses more bits than 
allowed: %u > %u",
+                                               i, bits_per_field, 
bch2_max_bits_per_field[i]);
+                               return -BCH_ERR_invalid;
+                       }
+                       u64 packed_max = bits_per_field
+                               ? ~((~0ULL << 1) << (bits_per_field - 1))
                                : 0;
                        u64 field_offset = le64_to_cpu(f->field_offset[i]);
 
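Review bot: The new `bits_per_field > bch2_max_bits_per_field[i]` check sits inside the `if (!c || c->sb.version_min >= bcachefs_metadata_version_snapshot)` block, so a format with a non-NULL `c` and an older version_min is not bounded by it. The code after that block is outside the hunk, so I cannot tell whether `f->bits_per_field[i]` is used there. A width read from disk should still be range-checked unconditionally, and moving the check above the `if` does that. The limit also looks identical to `bch2_bkey_format_current.bits_per_field[i]`, already read into `unpacked_bits` just above, so `if (f->bits_per_field[i] > bch2_bkey_format_current.bits_per_field[i])` may make the extra table unnecessary. That is worth confirming against BKEY_FORMAT_CURRENT, whose body is not fully visible here.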
-- 
2.34.1

