Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp59754lqo;
        Thu, 9 May 2024 12:32:38 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVZkdi/++05HzO9RN0wPuMblmMB/vcsepL4FaNeMn0XUTxqAwCTPCAlo/F9/qX8VldCtjWos1KUiimf8oKyRguQ7K4qQ7+ZSMCtCX+lIw==
X-Google-Smtp-Source: AGHT+IFSHDnU0U3gjsWOatUKqVlkndN+x2xYiuhEpf2rNQ2Nhpy7wMvk+leJiAifAl4K7gOeTDoF
X-Received: by 2002:a17:906:f592:b0:a5a:1562:518d with SMTP id a640c23a62f3a-a5a2d53b998mr47477266b.14.1715283157765;
        Thu, 09 May 2024 12:32:37 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715283157; cv=pass;
        d=google.com; s=arc-20160816;
        b=vm9vLq3N4EItiLKsTw3/dIuvdt4gd+T0HSveZQ9KJjYtWj35ex2HqcnQY0T5bLC+sZ
         8tpnAIe+n9xt+MEAajoajkhUgAnDJES/aniNWvnOd3G2IbdPCus3IlptAK7ifoqdci6n
         DejQau00JQRiZpHHFBFtpgWdvJ+1up8E9CNCuyN7cnQjcfc6VCfytaiIiwqy7JiN5Bsq
         +6rAR3dh3qrPVcmlnFTVKum8UPE7rAgPL7wp4U8M1elAaQWROdeftqrYJQYtCSsKh5O0
         w9q/D9N7EULlWuP1rtxmupL2FT7TxNK/+kSNKsRAE7zkTW/KM8zceTgseUXiCpp9NS/9
         BNSQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:dkim-signature:date;
        bh=BxtZvAQIwy3tRjZg+7GyLrseN3zxMNyVyd3LKLpf4iQ=;
        fh=2DgPezPx8TTjfcIaOzxQP8pPe6ghUU0zoPweBbuRrOM=;
        b=UPfUQtMjmohUs3s0VTt8SvGW4Ch/x74CUmW5FghMly7JpxmDW/A5WnVRCVK0SGyOAb
         KbqIodMjXKtXhVgGMEDywFAP2ur5HgO7de+kRRRF39hkgHikda0AWMyqap+kp3FRmzWd
         KDFgMCahJjLrWYInT7tVMMgwfU4bXRmu2KbKOyM4uMNV/to6ebe4NV1MFLS9XI7GDNa6
         H7JQ8dD2kHDKGnSqPrv6T59gOinbt1Rka89vyz2lusAP/+Kh5KH4MpVftZAkosh6Tgm2
         rznxlOR/F6JfnjV6BMkSn6EtRUFOq7y6zAVzEIFeuy8YVxDQl5LzwNav1WKsWSf3s0s8
         XGRQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b="XploBwL/";
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-174825-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-174825-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Return-Path: <linux-kernel+bounces-174825-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id a640c23a62f3a-a5a1794691esi111803966b.57.2024.05.09.12.32.37
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 May 2024 12:32:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-174825-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b="XploBwL/";
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-174825-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-174825-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 56C911F23117
	for <linux.lists.archive@gmail.com>; Thu,  9 May 2024 19:32:37 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 64B8C7FBAA;
	Thu,  9 May 2024 19:32:30 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="XploBwL/"
Received: from out-183.mta0.migadu.com (out-183.mta0.migadu.com [91.218.175.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D0BCD7F7CC
	for <linux-kernel@vger.kernel.org>; Thu,  9 May 2024 19:32:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.183
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715283149; cv=none; b=GFBNU1J279aweCo9VTKZrgae4GAubbwcZQWCs1Y1Veseh032Nw1W9q0uZmilAbSOLq0zRd1hEm3T/lMJfQCaK05YrHf/TJOBbdoVcgTpyIE4W6X0oEHuNZoE+7dqcqqpHL2Qpa1ihqmw5zxofqVsWJ7OXQ7hlWkKFaEsk72e39E=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715283149; c=relaxed/simple;
	bh=s2TYtBfBeijGY2qR+HyjFf/zHVL+F9y8E+zetnHVtQw=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=o4ZnW2ki8YqH7Y5ca6Wl6Flpxo6WtCbYAYzwTJMrdKp8F+cE/y3mLTqXaLofcKdLlmeb4mDn08CcepJ01fRvCpCQdjqoA7zpmqZbU0/B/sz5KnSjU2I88qqh/KI7TZqo+oIBREkxQFobTbEy6Ec7pus7z2F6QTw343J1ojj0ORk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=XploBwL/; arc=none smtp.client-ip=91.218.175.183
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev
Date: Thu, 9 May 2024 15:32:18 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1715283143;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=BxtZvAQIwy3tRjZg+7GyLrseN3zxMNyVyd3LKLpf4iQ=;
	b=XploBwL/Z32I6PjY7cwf0f3uPtf1hHELji6r0Lspy1VodilW7lH4NV3TbUff0Cc34+mCaz
	+ZCQmJ71QmJyetKU5wlzMDFlPFYvheKqXK8dtDvUfI7rIPpL5OEN7OYlg/CLhDVNE1uOhz
	e1UdCI6XQby6uNk65uPM97TIC13EXmo=
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: Kent Overstreet <kent.overstreet@linux.dev>
To: Camila Alvarez <cam.alvarez.i@gmail.com>
Cc: Brian Foster <bfoster@redhat.com>, linux-bcachefs@vger.kernel.org, 
	linux-kernel@vger.kernel.org, syzbot+9833a1d29d4a44361e2c@syzkaller.appspotmail.com
Subject: Re: [PATCH] bcachefs: guard against invalid bits_per_field in
 bch2_bkey_format_invalid
Message-ID: <ygq5bsdf4suuqp3sfa4lj5ko6afk3kbhtyuo6e6fe6eiwr2uv5@u3igdwmfaful>
References: <20240509014030.671222-1-cam.alvarez.i@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20240509014030.671222-1-cam.alvarez.i@gmail.com>
X-Migadu-Flow: FLOW_OUT

On Wed, May 08, 2024 at 09:40:32PM -0400, Camila Alvarez wrote:
> A check for a valid value for bits_per_field is performed for each field before computing packed_max.
> If bits_per_field is invalid for any field the whole format is deemed
> invalid.
> 
> Reported-by: syzbot+9833a1d29d4a44361e2c@syzkaller.appspotmail.com
> Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
> ---
>  fs/bcachefs/bcachefs_format.h |  8 ++++++++
>  fs/bcachefs/bkey.c            | 18 ++++++++++++++++--
>  2 files changed, 24 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/bcachefs/bcachefs_format.h b/fs/bcachefs/bcachefs_format.h
> index d5b90439e581..9e688a8d780f 100644
> --- a/fs/bcachefs/bcachefs_format.h
> +++ b/fs/bcachefs/bcachefs_format.h
> @@ -318,6 +318,14 @@ enum bch_bkey_fields {
>  #define bkey_format_field(name, field)					\
>  	[BKEY_FIELD_##name] = (sizeof(((struct bkey *) NULL)->field) * 8)
>  
> +#define BCH_BKEY_FIELDS()						\
> +	x(INODE,        p.inode)					\
> +	x(OFFSET,       p.offset)					\
> +	x(SNAPSHOT,     p.snapshot)					\
> +	x(SIZE,         size)						\
> +	x(VERSION_HI,   version.hi)					\
> +	x(VERSION_LO,   version.lo)	
> +
>  #define BKEY_FORMAT_CURRENT						\
>  ((struct bkey_format) {							\
>  	.key_u64s	= BKEY_U64s,					\
> diff --git a/fs/bcachefs/bkey.c b/fs/bcachefs/bkey.c
> index 76e79a15ba08..f7847c96a105 100644
> --- a/fs/bcachefs/bkey.c
> +++ b/fs/bcachefs/bkey.c
> @@ -638,6 +638,13 @@ struct bkey_format bch2_bkey_format_done(struct bkey_format_state *s)
>  	return ret;
>  }
>  
> +static unsigned bch2_max_bits_per_field[] = {
> +#define x(name, field) \
> +	bkey_format_field(name, field),
> +	BCH_BKEY_FIELDS()
> +#undef x
> +};
> +
>  int bch2_bkey_format_invalid(struct bch_fs *c,
>  			     struct bkey_format *f,
>  			     enum bkey_invalid_flags flags,
> @@ -659,8 +666,15 @@ int bch2_bkey_format_invalid(struct bch_fs *c,
>  		if (!c || c->sb.version_min >= bcachefs_metadata_version_snapshot) {
>  			unsigned unpacked_bits = bch2_bkey_format_current.bits_per_field[i];
>  			u64 unpacked_max = ~((~0ULL << 1) << (unpacked_bits - 1));
> -			u64 packed_max = f->bits_per_field[i]
> -				? ~((~0ULL << 1) << (f->bits_per_field[i] - 1))
> +			unsigned bits_per_field = f->bits_per_field[i];
> +
> +			if (bits_per_field > bch2_max_bits_per_field[i]) {
> +				prt_printf(err, "field %u uses more bits than allowed: %u > %u",
> +						i, bits_per_field, bch2_max_bits_per_field[i]);
> +				return -BCH_ERR_invalid;
> +			}
> +			u64 packed_max = bits_per_field
> +				? ~((~0ULL << 1) << (bits_per_field - 1))
>  				: 0;
>  			u64 field_offset = le64_to_cpu(f->field_offset[i]);
>  
> -- 
> 2.34.1
> 

Already applied this patch:

commit 61692c7812ab2aca17a3751f6e7798acbdae4b6b
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date:   Wed May 8 10:58:26 2024 -0400

    bcachefs: bch2_bkey_format_field_overflows()
    
    Fix another shift-by-64 by factoring out a common helper for
    bch2_bkey_format_invalid() and bformat_needs_redo() (where it was
    already fixed).
    
    Reported-by: syzbot+9833a1d29d4a44361e2c@syzkaller.appspotmail.com
    Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/bkey.c b/fs/bcachefs/bkey.c
index 76e79a15ba08..952299a2e416 100644
--- a/fs/bcachefs/bkey.c
+++ b/fs/bcachefs/bkey.c
@@ -656,20 +656,17 @@ int bch2_bkey_format_invalid(struct bch_fs *c,
 	 * unpacked format:
 	 */
 	for (i = 0; i < f->nr_fields; i++) {
-		if (!c || c->sb.version_min >= bcachefs_metadata_version_snapshot) {
+		if ((!c || c->sb.version_min >= bcachefs_metadata_version_snapshot) &&
+		    bch2_bkey_format_field_overflows(f, i)) {
 			unsigned unpacked_bits = bch2_bkey_format_current.bits_per_field[i];
 			u64 unpacked_max = ~((~0ULL << 1) << (unpacked_bits - 1));
 			u64 packed_max = f->bits_per_field[i]
 				? ~((~0ULL << 1) << (f->bits_per_field[i] - 1))
 				: 0;
-			u64 field_offset = le64_to_cpu(f->field_offset[i]);
 
-			if (packed_max + field_offset < packed_max ||
-			    packed_max + field_offset > unpacked_max) {
-				prt_printf(err, "field %u too large: %llu + %llu > %llu",
-					   i, packed_max, field_offset, unpacked_max);
-				return -BCH_ERR_invalid;
-			}
+			prt_printf(err, "field %u too large: %llu + %llu > %llu",
+				   i, packed_max, le64_to_cpu(f->field_offset[i]), unpacked_max);
+			return -BCH_ERR_invalid;
 		}
 
 		bits += f->bits_per_field[i];
diff --git a/fs/bcachefs/bkey.h b/fs/bcachefs/bkey.h
index 3a45d128f608..1bb0bd4371b0 100644
--- a/fs/bcachefs/bkey.h
+++ b/fs/bcachefs/bkey.h
@@ -574,6 +574,29 @@ static inline void bch2_bkey_format_add_key(struct bkey_format_state *s, const s
 
 void bch2_bkey_format_add_pos(struct bkey_format_state *, struct bpos);
 struct bkey_format bch2_bkey_format_done(struct bkey_format_state *);
+
+static inline bool bch2_bkey_format_field_overflows(struct bkey_format *f, unsigned i)
+{
+	unsigned f_bits = f->bits_per_field[i];
+	unsigned unpacked_bits = bch2_bkey_format_current.bits_per_field[i];
+	u64 unpacked_mask = ~((~0ULL << 1) << (unpacked_bits - 1));
+	u64 field_offset = le64_to_cpu(f->field_offset[i]);
+
+	if (f_bits > unpacked_bits)
+		return true;
+
+	if ((f_bits == unpacked_bits) && field_offset)
+		return true;
+
+	u64 f_mask = f_bits
+		? ~((~0ULL << (f_bits - 1)) << 1)
+		: 0;
+
+	if (((field_offset + f_mask) & unpacked_mask) < field_offset)
+		return true;
+	return false;
+}
+
 int bch2_bkey_format_invalid(struct bch_fs *, struct bkey_format *,
 			     enum bkey_invalid_flags, struct printbuf *);
 void bch2_bkey_format_to_text(struct printbuf *, const struct bkey_format *);
diff --git a/fs/bcachefs/move.c b/fs/bcachefs/move.c
index 4d94b7742dbb..45984a688e5b 100644
--- a/fs/bcachefs/move.c
+++ b/fs/bcachefs/move.c
@@ -975,26 +975,10 @@ static bool migrate_btree_pred(struct bch_fs *c, void *arg,
  */
 static bool bformat_needs_redo(struct bkey_format *f)
 {
-	for (unsigned i = 0; i < f->nr_fields; i++) {
-		unsigned f_bits = f->bits_per_field[i];
-		unsigned unpacked_bits = bch2_bkey_format_current.bits_per_field[i];
-		u64 unpacked_mask = ~((~0ULL << 1) << (unpacked_bits - 1));
-		u64 field_offset = le64_to_cpu(f->field_offset[i]);
-
-		if (f_bits > unpacked_bits)
-			return true;
-
-		if ((f_bits == unpacked_bits) && field_offset)
+	for (unsigned i = 0; i < f->nr_fields; i++)
+		if (bch2_bkey_format_field_overflows(f, i))
 			return true;
 
-		u64 f_mask = f_bits
-			? ~((~0ULL << (f_bits - 1)) << 1)
-			: 0;
-
-		if (((field_offset + f_mask) & unpacked_mask) < field_offset)
-			return true;
-	}
-
 	return false;
 }