iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bcachefs: Fix an out of bounds read

Browse Source 
bch2_varint_decode() can read up to 7 bytes past the end of the buffer,
which means we need to allocate slightly larger key cache buffers.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
This commit is contained in:
Kent Overstreet 2021-04-24 00:42:02 -04:00 committed by Kent Overstreet
parent 65c0601a32
commit bc2e5d5c66
2 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
fs/bcachefs/btree_key_cache.c
View File

@ -219,8 +219,14 @@ static int btree_key_cache_fill(struct btree_trans *trans,
goto err;
}
if (k.k->u64s > ck->u64s) {
new_u64s = roundup_pow_of_two(k.k->u64s);
/*
* bch2_varint_decode can read past the end of the buffer by at
* most 7 bytes (it won't be used):
*/
new_u64s = k.k->u64s + 1;
if (new_u64s > ck->u64s) {
new_u64s = roundup_pow_of_two(new_u64s);
new_k = kmalloc(new_u64s * sizeof(u64), GFP_NOFS);
if (!new_k) {
ret = -ENOMEM;

6
fs/bcachefs/btree_update_leaf.c
View File

@ -293,6 +293,12 @@ btree_key_can_insert_cached(struct btree_trans *trans,
!(trans->flags & BTREE_INSERT_JOURNAL_RECLAIM))
return BTREE_INSERT_NEED_JOURNAL_RECLAIM;
/*
* bch2_varint_decode can read past the end of the buffer by at most 7
* bytes (it won't be used):
*/
u64s += 1;
if (u64s <= ck->u64s)
return BTREE_INSERT_OK;