summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDiogo Jahchan Koike <djahchankoike@gmail.com>2024-09-24 00:22:14 +0200
committerKent Overstreet <kent.overstreet@linux.dev>2024-09-28 03:46:34 +0200
commit40d40c6bea19ff1e40fb3d33b35b354a5b35025f (patch)
tree050d4f42f67bbf5b50c3f6ea952113419958ff8b
parentbcachefs: Fix srcu warning in check_topology (diff)
downloadlinux-40d40c6bea19ff1e40fb3d33b35b354a5b35025f.tar.xz
linux-40d40c6bea19ff1e40fb3d33b35b354a5b35025f.zip
bcachefs: assign return error when iterating through layout
syzbot reported a null ptr deref in __copy_user [0] In __bch2_read_super, when a corrupt backup superblock matches the default opts offset, no error is assigned to ret and the freed superblock gets through, possibly being assigned as the best sb in bch2_fs_open and being later dereferenced, causing a fault. Assign EINVALID to ret when iterating through layout. [0]: https://syzkaller.appspot.com/bug?extid=18a5c5e8a9c856944876 Reported-by: syzbot+18a5c5e8a9c856944876@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=18a5c5e8a9c856944876 Signed-off-by: Diogo Jahchan Koike <djahchankoike@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
-rw-r--r--fs/bcachefs/super-io.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/bcachefs/super-io.c b/fs/bcachefs/super-io.c
index d86d5dae54c9..b2e914841b5f 100644
--- a/fs/bcachefs/super-io.c
+++ b/fs/bcachefs/super-io.c
@@ -799,8 +799,10 @@ retry:
i < layout.sb_offset + layout.nr_superblocks; i++) {
offset = le64_to_cpu(*i);
- if (offset == opt_get(*opts, sb))
+ if (offset == opt_get(*opts, sb)) {
+ ret = -BCH_ERR_invalid;
continue;
+ }
ret = read_one_super(sb, offset, &err);
if (!ret)