[PATCH V2] bcachefs: Add checks for entry's _data bytes

Edward Adam Davis Tue, 30 Jul 2024 18:36:10 -0700

syzbot report slab-out-of-bounds in journal_entry_dev_usage_to_text,
it because vstruct_bytes(entry) smaller than sizeof(struct
jset_entry_dev_usage), overflow occurs when calculating the difference in
jset_entry_dev_usage_nr_types(u).


Reported-by: syzbot+05d7520be047c9be8...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eada...@qq.com>
---
 fs/bcachefs/bcachefs_format.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/bcachefs/bcachefs_format.h b/fs/bcachefs/bcachefs_format.h
index e3b1bde489c3..d536da101e89 100644
--- a/fs/bcachefs/bcachefs_format.h
+++ b/fs/bcachefs/bcachefs_format.h
@@ -1252,6 +1252,11 @@ struct jset_entry_dev_usage {
 
 static inline unsigned jset_entry_dev_usage_nr_types(struct 
jset_entry_dev_usage *u)
 {
+       if (vstruct_bytes(&u->entry) < sizeof(struct jset_entry_dev_usage)) {
+               pr_info("entry data bytes %u is too small", 
vstruct_bytes(&u->entry));
+               return 0;
+       }
+
        return (vstruct_bytes(&u->entry) - sizeof(struct jset_entry_dev_usage)) 
/
                sizeof(struct jset_entry_dev_usage_type);
 }
-- 
2.43.0

[PATCH V2] bcachefs: Add checks for entry's _data bytes

Reply via email to