From: Kent Overstreet <kent.overstreet@gmail.com>
Date: Sun, 25 Oct 2020 00:56:47 +0000 (-0400)
Subject: bcachefs: Fix rare use after free in read path
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=13dcd4abcd8d4e177f4f75ea3f5c8838a8a8c3c3;p=linux.git

bcachefs: Fix rare use after free in read path

If the bkey_on_stack_reassemble() call in __bch2_read_indirect_extent()
reallocates the buffer, k in bch2_read - which we pointed at the
bkey_on_stack buffer - will now point to a stale buffer. Whoops.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
---

diff --git a/fs/bcachefs/fs-io.c b/fs/bcachefs/fs-io.c
index 0290f7410a5cb..edc3d73d26ba9 100644
--- a/fs/bcachefs/fs-io.c
+++ b/fs/bcachefs/fs-io.c
@@ -782,18 +782,19 @@ retry:
 		if (ret)
 			break;
 
-		bkey_on_stack_reassemble(&sk, c, k);
-		k = bkey_i_to_s_c(sk.k);
-
 		offset_into_extent = iter->pos.offset -
 			bkey_start_offset(k.k);
 		sectors = k.k->size - offset_into_extent;
 
+		bkey_on_stack_reassemble(&sk, c, k);
+
 		ret = bch2_read_indirect_extent(trans,
 					&offset_into_extent, &sk);
 		if (ret)
 			break;
 
+		k = bkey_i_to_s_c(sk.k);
+
 		sectors = min(sectors, k.k->size - offset_into_extent);
 
 		bch2_trans_unlock(trans);
diff --git a/fs/bcachefs/fs.c b/fs/bcachefs/fs.c
index b214d58e94e9d..a61d5f8aecd6e 100644
--- a/fs/bcachefs/fs.c
+++ b/fs/bcachefs/fs.c
@@ -911,20 +911,21 @@ retry:
 			continue;
 		}
 
-		bkey_on_stack_realloc(&cur, c, k.k->u64s);
-		bkey_on_stack_realloc(&prev, c, k.k->u64s);
-		bkey_reassemble(cur.k, k);
-		k = bkey_i_to_s_c(cur.k);
-
 		offset_into_extent	= iter->pos.offset -
 			bkey_start_offset(k.k);
 		sectors			= k.k->size - offset_into_extent;
 
+		bkey_on_stack_realloc(&cur, c, k.k->u64s);
+		bkey_on_stack_realloc(&prev, c, k.k->u64s);
+		bkey_reassemble(cur.k, k);
+
 		ret = bch2_read_indirect_extent(&trans,
 					&offset_into_extent, &cur);
 		if (ret)
 			break;
 
+		k = bkey_i_to_s_c(cur.k);
+
 		sectors = min(sectors, k.k->size - offset_into_extent);
 
 		if (offset_into_extent)
diff --git a/fs/bcachefs/io.c b/fs/bcachefs/io.c
index 5c12bfed3a7b4..03f5b9034aa70 100644
--- a/fs/bcachefs/io.c
+++ b/fs/bcachefs/io.c
@@ -1667,7 +1667,6 @@ retry:
 		unsigned bytes, sectors, offset_into_extent;
 
 		bkey_on_stack_reassemble(&sk, c, k);
-		k = bkey_i_to_s_c(sk.k);
 
 		offset_into_extent = iter->pos.offset -
 			bkey_start_offset(k.k);
@@ -1678,6 +1677,8 @@ retry:
 		if (ret)
 			break;
 
+		k = bkey_i_to_s_c(sk.k);
+
 		sectors = min(sectors, k.k->size - offset_into_extent);
 
 		bch2_trans_unlock(&trans);
@@ -2311,13 +2312,14 @@ retry:
 		sectors = k.k->size - offset_into_extent;
 
 		bkey_on_stack_reassemble(&sk, c, k);
-		k = bkey_i_to_s_c(sk.k);
 
 		ret = bch2_read_indirect_extent(&trans,
 					&offset_into_extent, &sk);
 		if (ret)
 			goto err;
 
+		k = bkey_i_to_s_c(sk.k);
+
 		/*
 		 * With indirect extents, the amount of data to read is the min
 		 * of the original extent and the indirect extent: