bcachefs: Fix an out of bounds read

bch2_varint_decode() can read up to 7 bytes past the end of the buffer,
which means we need to allocate slightly larger key cache buffers.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/btree_key_cache.c b/fs/bcachefs/btree_key_cache.c
index 0716c3314a36a32bcf80cf388c4935d2967aad10..019d4d164553b6d99a2a111dad56bf6595d54e1c 100644 (file)
--- a/fs/bcachefs/btree_key_cache.c
+++ b/fs/bcachefs/btree_key_cache.c
@@ -219,8 +219,14 @@ static int btree_key_cache_fill(struct btree_trans *trans,
                goto err;
        }
 
-       if (k.k->u64s > ck->u64s) {
-               new_u64s = roundup_pow_of_two(k.k->u64s);
+       /*
+        * bch2_varint_decode can read past the end of the buffer by at
+        * most 7 bytes (it won't be used):
+        */
+       new_u64s = k.k->u64s + 1;
+
+       if (new_u64s > ck->u64s) {
+               new_u64s = roundup_pow_of_two(new_u64s);
                new_k = kmalloc(new_u64s * sizeof(u64), GFP_NOFS);
                if (!new_k) {
                        ret = -ENOMEM;

diff --git a/fs/bcachefs/btree_update_leaf.c b/fs/bcachefs/btree_update_leaf.c
index 96b53effded7b521b946731e247e00599924fbc4..e537bd64e1fbbe5c5d399e882cc3ae7c07468b7f 100644 (file)
--- a/fs/bcachefs/btree_update_leaf.c
+++ b/fs/bcachefs/btree_update_leaf.c
@@ -293,6 +293,12 @@ btree_key_can_insert_cached(struct btree_trans *trans,
            !(trans->flags & BTREE_INSERT_JOURNAL_RECLAIM))
                return BTREE_INSERT_NEED_JOURNAL_RECLAIM;
 
+       /*
+        * bch2_varint_decode can read past the end of the buffer by at most 7
+        * bytes (it won't be used):
+        */
+       u64s += 1;
+
        if (u64s <= ck->u64s)
                return BTREE_INSERT_OK;