bcachefs: Fix an out of bounds read

bch2_varint_decode() can read up to 7 bytes past the end of the buffer, which means we need to allocate slightly larger key cache buffers. Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

bcachefs: Fix an out of bounds read
bch2_varint_decode() can read up to 7 bytes past the end of the buffer, which means we need to allocate slightly larger key cache buffers. Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bc2e5d5c · Kent Overstreet · Kent Overstreet · 65c0601a · bc2e5d5c · bc2e5d5c
Commit bc2e5d5c authored Apr 24, 2021 by Kent Overstreet Committed by Kent Overstreet Oct 22, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 2 deletions

fs/bcachefs/btree_key_cache.c fs/bcachefs/btree_key_cache.c +8 -2

fs/bcachefs/btree_update_leaf.c fs/bcachefs/btree_update_leaf.c +6 -0

No files found.
--- a/fs/bcachefs/btree_key_cache.c
+++ b/fs/bcachefs/btree_key_cache.c
@@ -219,8 +219,14 @@ static int btree_key_cache_fill(struct btree_trans *trans,
 		goto err;
 	}
-	if (k.k->u64s > ck->u64s) {
+	/*
-		new_u64s = roundup_pow_of_two(k.k->u64s);
+	 * bch2_varint_decode can read past the end of the buffer by at
+	 * most 7 bytes (it won't be used):
+	 */
+	new_u64s = k.k->u64s + 1;
+	if (new_u64s > ck->u64s) {
+		new_u64s = roundup_pow_of_two(new_u64s);
 		new_k = kmalloc(new_u64s * sizeof(u64), GFP_NOFS);
 		if (!new_k) {
 			ret = -ENOMEM;

--- a/fs/bcachefs/btree_update_leaf.c
+++ b/fs/bcachefs/btree_update_leaf.c
@@ -293,6 +293,12 @@ btree_key_can_insert_cached(struct btree_trans *trans,
 	    !(trans->flags & BTREE_INSERT_JOURNAL_RECLAIM))
 		return BTREE_INSERT_NEED_JOURNAL_RECLAIM;
+	/*
+	 * bch2_varint_decode can read past the end of the buffer by at most 7
+	 * bytes (it won't be used):
+	 */
+	u64s += 1;
 	if (u64s <= ck->u64s)
 		return BTREE_INSERT_OK;