bcachefs: Check for journal entries overruning end of sb clean section

Fix a missing bounds check in superblock validation.

Note that we don't yet have repair code for this case - repair code for
individual items is generally low priority, since the whole superblock
is checksummed, validated prior to write, and we have backups.

Reported-by: lei lu <llfamsec@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
This commit is contained in:
Kent Overstreet 2024-04-17 15:19:50 -04:00
parent 0389c09b2f
commit fcdbc1d7a4
2 changed files with 10 additions and 1 deletions

View File

@ -29,6 +29,14 @@ int bch2_sb_clean_validate_late(struct bch_fs *c, struct bch_sb_field_clean *cle
for (entry = clean->start; for (entry = clean->start;
entry < (struct jset_entry *) vstruct_end(&clean->field); entry < (struct jset_entry *) vstruct_end(&clean->field);
entry = vstruct_next(entry)) { entry = vstruct_next(entry)) {
if (vstruct_end(entry) > vstruct_end(&clean->field)) {
bch_err(c, "journal entry (u64s %u) overran end of superblock clean section (u64s %u) by %zu",
le16_to_cpu(entry->u64s), le32_to_cpu(clean->field.u64s),
(u64 *) vstruct_end(entry) - (u64 *) vstruct_end(&clean->field));
bch2_sb_error_count(c, BCH_FSCK_ERR_sb_clean_entry_overrun);
return -BCH_ERR_fsck_repair_unimplemented;
}
ret = bch2_journal_entry_validate(c, NULL, entry, ret = bch2_journal_entry_validate(c, NULL, entry,
le16_to_cpu(c->disk_sb.sb->version), le16_to_cpu(c->disk_sb.sb->version),
BCH_SB_BIG_ENDIAN(c->disk_sb.sb), BCH_SB_BIG_ENDIAN(c->disk_sb.sb),

View File

@ -271,7 +271,8 @@
x(btree_root_unreadable_and_scan_found_nothing, 263) \ x(btree_root_unreadable_and_scan_found_nothing, 263) \
x(snapshot_node_missing, 264) \ x(snapshot_node_missing, 264) \
x(dup_backpointer_to_bad_csum_extent, 265) \ x(dup_backpointer_to_bad_csum_extent, 265) \
x(btree_bitmap_not_marked, 266) x(btree_bitmap_not_marked, 266) \
x(sb_clean_entry_overrun, 267)
enum bch_sb_error_id { enum bch_sb_error_id {
#define x(t, n) BCH_FSCK_ERR_##t = n, #define x(t, n) BCH_FSCK_ERR_##t = n,