On Wed, Oct 09, 2024 at 10:07:55PM GMT, Zhao Mengmeng wrote:
> From: Zhao Mengmeng <[email protected]>
> 
> syzbot reports a shift-out-of-bounds issue:
> ------------[ cut here ]------------
> UBSAN: shift-out-of-bounds in fs/bcachefs/ec.c:147:2
> shift exponent 108 is too large for 32-bit type 'unsigned int'
> ----
> Here s.csum_granularity_bits = 108, so the shift is impossible for an
> unsigned int. To fix, add a check in bch2_stripe_validate() to bail out;
> it has the same checking logic as ec_stripe_key_init().
> 
> Reported-by: [email protected]
> Tested-by: [email protected]
> Closes: https://syzkaller.appspot.com/bug?extid=f8c98a50c323635be65d
> Suggested-by: Hongbo Li <[email protected]>
> Signed-off-by: Zhao Mengmeng <[email protected]>
> ---
>  fs/bcachefs/ec.c      | 6 ++++++
>  fs/bcachefs/errcode.h | 4 +++-
>  2 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/bcachefs/ec.c b/fs/bcachefs/ec.c
> index 564841e5a24b..f6a02123144d 100644
> --- a/fs/bcachefs/ec.c
> +++ b/fs/bcachefs/ec.c
> @@ -114,6 +114,12 @@ int bch2_stripe_validate(struct bch_fs *c, struct 
> bkey_s_c k,
>       const struct bch_stripe *s = bkey_s_c_to_stripe(k).v;
>       int ret = 0;
>  
> +     if (s->csum_granularity_bits >= ilog2(le16_to_cpu(s->sectors))) {
> +             bch_err_ratelimited(c, "stripe csum gran bits %u too big",
> +                                 s->csum_granularity_bits);
> +             return -BCH_ERR_stripe_csum_granularity_bits_too_big;
> +     }
> +

that should be a bkey_fsck_err_on(), and you'll add to the enum in
sb-errors_format.h

>       bkey_fsck_err_on(bkey_eq(k.k->p, POS_MIN) ||
>                        bpos_gt(k.k->p, POS(0, U32_MAX)),
>                        c, stripe_pos_bad,
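Review bot: the new check at the top of bch2_stripe_validate() leaves the sectors == 0 case to whatever ilog2(le16_to_cpu(s->sectors)) happens to return for 0 instead of testing it, so a zero-sector stripe is either accepted or rejected by accident of that return value; reject `le16_to_cpu(s->sectors) == 0` explicitly before the ilog2 comparison, and include the sector count in the message (e.g. `"stripe csum gran bits %u too big for %u sectors"`) so the rejected combination is diagnosable. On style, the other checks in this function (see the `bkey_fsck_err_on(bkey_eq(k.k->p, POS_MIN) ...` immediately below) go through bkey_fsck_err_on() with a named error, whereas the new one uses bch_err_ratelimited() plus a bare return; as the reply above asks, make it a bkey_fsck_err_on() with an entry in sb-errors_format.h so it is reported and handled like the rest of the function.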
> diff --git a/fs/bcachefs/errcode.h b/fs/bcachefs/errcode.h
> index 26990ad584d5..83659cdb93c8 100644
> --- a/fs/bcachefs/errcode.h
> +++ b/fs/bcachefs/errcode.h
> @@ -270,7 +270,9 @@
>       x(BCH_ERR_nopromote,            nopromote_enomem)                       
> \
>       x(0,                            invalid_snapshot_node)                  
> \
>       x(0,                            option_needs_open_fs)                   
> \
> -     x(0,                            remove_disk_accounting_entry)
> +     x(0,                            remove_disk_accounting_entry)           
> \
> +     x(EINVAL,                       stripe_csum_granularity_bits_too_big)
> +
>  
>  enum bch_errcode {
>       BCH_ERR_START           = 2048,
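Review bot: drop the stray `+` blank line added after the new `x(EINVAL, stripe_csum_granularity_bits_too_big)` entry; it leaves two blank lines before `enum bch_errcode` where the file had one, and the entry itself already terminates the list without a trailing backslash. Separately, if the ec.c check becomes a bkey_fsck_err_on() as requested above, the error is named in sb-errors_format.h instead and this errcode.h addition is no longer needed, so this hunk can go together with that change.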
> -- 
> 2.43.0
> 
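As an added illustration of the bound the patch enforces (this is stand-alone example code written for this page, not bcachefs code and not the patch), the block below carries the two fields the check reads in a stand-in struct, replaces the kernel ilog2 macro with a local one, and rejects sectors == 0 explicitly before the ilog2 comparison. The field widths (an 8-bit csum_granularity_bits, a 16-bit sectors) and every identifier prefixed example_ are assumptions made for the example; struct bch_stripe itself is not modelled.

```c
/*
 * Added example, not bcachefs code: validate an on-disk shift exponent
 * before it is used as one. The shape of the check follows the patch
 * (bits must be strictly less than ilog2(sectors)); the struct, the
 * field widths and all example_* names are assumptions for this example.
 */
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two on-disk fields the patch's check reads. */
struct example_stripe {
	uint16_t sectors;               /* stripe size in sectors (assumed 16-bit) */
	uint8_t  csum_granularity_bits; /* checksum granularity as a shift exponent (assumed 8-bit) */
};

/* Floor of log2(n) for n > 0. Returns -1 for n == 0; callers must not rely on that. */
static int example_ilog2(uint32_t n)
{
	int r = -1;

	while (n) {
		n >>= 1;
		r++;
	}
	return r;
}

/*
 * Return 0 if csum_granularity_bits is usable as a shift exponent for
 * this stripe, -1 otherwise. sectors == 0 is rejected on its own so the
 * result never depends on what the log2 helper returns for 0.
 */
static int example_stripe_validate(const struct example_stripe *s)
{
	if (s->sectors == 0)
		return -1;
	if (s->csum_granularity_bits >= example_ilog2(s->sectors))
		return -1;
	return 0;
}

/* Convenience wrapper so individual (sectors, bits) pairs can be checked directly. */
static int example_validate_fields(uint16_t sectors, uint8_t bits)
{
	struct example_stripe s = { .sectors = sectors, .csum_granularity_bits = bits };

	return example_stripe_validate(&s);
}

/*
 * Checksum granularity in sectors. Only called after validation, so the
 * exponent is below ilog2(sectors) <= 15 and the 32-bit shift is defined;
 * with an unvalidated value such as 108 this shift is the UBSAN report.
 */
static uint32_t example_csum_granularity_sectors(const struct example_stripe *s)
{
	return 1u << s->csum_granularity_bits;
}

int main(void)
{
	/* Constructed inputs: the exponent from the syzbot report, a sane value, and a zero-sector stripe. */
	struct example_stripe fuzzed = { .sectors = 256, .csum_granularity_bits = 108 };
	struct example_stripe ok     = { .sectors = 256, .csum_granularity_bits = 3 };
	struct example_stripe zero   = { .sectors = 0,   .csum_granularity_bits = 0 };

	printf("bits=108 sectors=256: %s\n", example_stripe_validate(&fuzzed) ? "rejected" : "accepted");
	printf("bits=0   sectors=0:   %s\n", example_stripe_validate(&zero) ? "rejected" : "accepted");
	if (example_stripe_validate(&ok) == 0)
		printf("bits=3   sectors=256: accepted, granularity %u sectors\n",
		       example_csum_granularity_sectors(&ok));
	return 0;
}
```

The strict `>=` mirrors the patch, so for a 256-sector stripe exponents 0 through 7 pass and 8 and above are rejected; the shift is only reachable once validation has bounded the exponent, which is the ordering the UBSAN report shows was missing.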
