[PATCH] bcachefs: Fix journal_entry_dev_usage_to_text() overrun

Kent Overstreet Mon, 11 Nov 2024 13:30:38 -0800

If the jset_entry_dev_usage is malformed, and too small, our nr_entries
calculation will be incorrect - just bail out.


Reported-by: syzbot+05d7520be047c9be8...@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstr...@linux.dev>
---
 fs/bcachefs/journal_io.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/bcachefs/journal_io.c b/fs/bcachefs/journal_io.c
index 667a2bb9e20b..768a3b950997 100644
--- a/fs/bcachefs/journal_io.c
+++ b/fs/bcachefs/journal_io.c
@@ -711,6 +711,9 @@ static void journal_entry_dev_usage_to_text(struct printbuf 
*out, struct bch_fs
                container_of(entry, struct jset_entry_dev_usage, entry);
        unsigned i, nr_types = jset_entry_dev_usage_nr_types(u);
 
+       if (vstruct_bytes(entry) < sizeof(*u))
+               return;
+
        prt_printf(out, "dev=%u", le32_to_cpu(u->dev));
 
        printbuf_indent_add(out, 2);
-- 
2.45.2

[PATCH] bcachefs: Fix journal_entry_dev_usage_to_text() overrun

Reply via email to