From: Thomas Weißschuh
Date: Wed, 23 Aug 2023 09:58:33 +0000 (+0200)
Subject: libblkid: (bcachefs) fix size validation
X-Git-Tag: v2.40-rc1~265
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=befe455f59de8c7bc66b85ed52aae8cbc95325fa;p=thirdparty%2Futil-linux.git
libblkid: (bcachefs) fix size validation
Avoid signed shift out-of-bounds. Also mark the constants explitly as unsigned instead of casting.
Signed-off-by: Thomas Weißschuh
---
diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
index b15134616d..0f7ddd220d 100644
--- a/libblkid/src/superblocks/bcache.c
+++ b/libblkid/src/superblocks/bcache.c
@@ -143,17 +143,19 @@ struct bcachefs_super_block {
 /* magic string len */
 #define BCACHE_SB_MAGIC_LEN (sizeof(BCACHE_SB_MAGIC) - 1)
 /* super block offset */
-#define BCACHE_SB_OFF 0x1000
+#define BCACHE_SB_OFF 0x1000U
 /* supper block offset in kB */
 #define BCACHE_SB_KBOFF (BCACHE_SB_OFF >> 10)
 /* magic string offset within super block */
 #define BCACHE_SB_MAGIC_OFF offsetof(struct bcache_super_block, magic)
 /* start of checksummed data within superblock */
-#define BCACHE_SB_CSUMMED_START 8
+#define BCACHE_SB_CSUMMED_START 8U
 /* granularity of offset and length fields within superblock */
-#define BCACHEFS_SECTOR_SIZE 512
+#define BCACHEFS_SECTOR_SIZE 512U
+/* maximum superblock size shift */
+#define BCACHEFS_SB_MAX_SIZE_SHIFT 0x10U
 /* maximum superblock size */
-#define BCACHEFS_SB_MAX_SIZE 0x100000
+#define BCACHEFS_SB_MAX_SIZE (1U << BCACHEFS_SB_MAX_SIZE_SHIFT)
 /* fields offset within super block */
 #define BCACHEFS_SB_FIELDS_OFF offsetof(struct bcachefs_super_block, _start)
 /* tag value for members field */
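Review bot: `BCACHEFS_SB_MAX_SIZE` changes value here, not only signedness: the old definition was `0x100000` (1 MiB), while `(1U << BCACHEFS_SB_MAX_SIZE_SHIFT)` with a shift of `0x10U` evaluates to 0x10000 (64 KiB). The commit message mentions only the shift fix and the unsigned marking, so the 16-fold lower cap looks unintended. A superblock whose size lies between the two values would now fail the `sb_size > BCACHEFS_SB_MAX_SIZE` check in probe_bcachefs and go undetected. If the 1 MiB cap is still wanted, keep it independent of the shift bound, `#define BCACHEFS_SB_MAX_SIZE 0x100000U`; if the lower cap is intended, say so in the comment above the macro.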
@@ -325,12 +327,16 @@ static int probe_bcachefs(blkid_probe pr, const struct blkid_idmag *mag)
 return BLKID_PROBE_NONE;
 sb_size = BCACHEFS_SB_FIELDS_OFF + BYTES(bcs);
- if (sb_size > ((uint64_t) BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits))
- return BLKID_PROBE_NONE;
 if (sb_size > BCACHEFS_SB_MAX_SIZE)
 return BLKID_PROBE_NONE;
+ if (bcs->layout.sb_max_size_bits > BCACHEFS_SB_MAX_SIZE_SHIFT)
+ return BLKID_PROBE_NONE;
+
+ if (sb_size > (BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits))
+ return BLKID_PROBE_NONE;
+
 sb = blkid_probe_get_sb_buffer(pr, mag, sb_size);
 if (!sb)
 return BLKID_PROBE_NONE;
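Review bot: The new guard on `bcs->layout.sb_max_size_bits` carries no comment explaining that it must run before the shift, and it reuses a constant defined as a byte-size shift for a field that is applied to `BCACHEFS_SECTOR_SIZE`. The field is read from the probed device, so the ordering is what keeps the shift defined; I would add `/* sb_max_size_bits comes from disk: bound it before shifting so the shift stays within unsigned int */` above the check so a later reorder does not reintroduce the out-of-bounds shift. With the limit at 16 the shifted value can reach 512U << 16 (32 MiB), far above `BCACHEFS_SB_MAX_SIZE`, so the two limits are not in the same unit and a separately named bound for the bits field would read more clearly. The body of probe_bcachefs starts and ends outside this hunk, so the type of `sb_size` is not visible here.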