From 6eb7c99b2932a6058a033d0a805e5883d0bb1e9f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
Date: Sat, 21 Jan 2023 05:01:55 +0000
Subject: [PATCH] libblkid: bcachefs: fix endless loop

When a field has size 0 it will loop forever.

See #2031
---
 libblkid/src/superblocks/bcache.c              |  11 ++++++++++-
 .../test_blkid_fuzz_files/oss-fuzz-55291       | Bin 0 -> 131305 bytes
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291

diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
index 64ece86471..4848534e60 100644
--- a/libblkid/src/superblocks/bcache.c
+++ b/libblkid/src/superblocks/bcache.c
@@ -183,10 +183,19 @@ static void probe_bcachefs_sb_fields(blkid_probe pr, const struct bcachefs_super
 
 	while (1) {
 		struct bcachefs_sb_field *field = (struct bcachefs_sb_field *) field_addr;
+		uint64_t field_size;
 		int32_t type;
 
 		if ((unsigned char *) field + sizeof(*field) > sb_end)
-			return;
+			break;
+
+		field_size = BYTES(field);
+
+		if (field_size < sizeof(*field))
+			break;
+
+		if ((unsigned char *) field + field_size > sb_end)
+			break;
 
 		type = le32_to_cpu(field->type);
 		if (!type)
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291
new file mode 100644
index 0000000000000000000000000000000000000000..79e2fd0fb505d8471138e45a03376fdff1f4bfbd
GIT binary patch
literal 131305
zc-rmTe@K*f9KiAK^LTov=4DYK{o}K8YYVl~{utCiE04jVw!B1;<O~`yj54J)&~$@f
z8~qWDz(4m#2DOHRg+x)SKej<320_J+jMdQwLKe$r$obj#xqI$B&%2U~%;o!K_k5o3
z_xbw$_5ARO=Q*VS00000bHQ(iTc2)OT66WQT_c?zp5ODO$~PnV9%sA9!yLWIO8zeG
zNK6;#pH#=i_ghz9H+y`&=Z>9h+PUc1dEdp=d%J$ze7$$;qC*{r|M_ln)6QMZ&uJ%i
z7-dhSjbC(JI{(+DCD+=P*m;KjxD8L2TCl({FE21M8Bf=@?n&wS9Pdav4($VL|4HxQ
z=Dv+>r}tfZzb9{GxN71EiY&MNxjzt1d#x1J%*%CF-gV*%C%)svw`1p*6PG)2nG@e~
zqJ8vb*&johcE8T(PfkKZE+-oLC)+6>O`Gv^DR%B8rH!PtnUu~-Oq))-UCvpTWf+t4
z<K>+EqJ(oMQRxfjKQ?YpVKg30x<14Q?8u7k730+$5BB)n&&f}2Hb1f_bTk%D`5j3i
zex1Fz@~6<x-vrY2!`K&T$;j6&XHx&XSpPb1|F!RG?eA&Z`8w8)E2DP&_j}HsT=iLB
z+WPAam15ce00000000000002+#^4RSxs5kYIo{`zmwn@uH%)odG}-HX)08(%0RX_O
zpl=7(>CX=-H*P;YC9CP<kFs2O$u|mVtDjuM!@+{U<XW=J_V3-Z=F`?P)uYU)p#w)>
za1-O)ROZRF*f)J?x5Tx?@4_ALrI@OJ^*_6qVcECOzVd3nWi6R3`TxWKFx~4b=I$S2
zTP`yJ003t9?Fvs5007{wfTsx&JWT*Fqj;Ktq`z@IO#lD@00000000000GQ=UnF0U+
z00000000000000000000%mSY?1poj500000000000000000000{+A9}$~1KJ`|4}#
zsO*KT8&htPyW=8((VItl&pl{v+OVm)(z5xg{go9udW$c0wx3ycr7e(Gch-Bst@;Za
zhaOdg`qe3sPT9D<OxG&fV~HEBTPXQX%aP)1rxusg#nW&vj)ZP+Vx~2vm}g@3sXFMa
znYn&FjuK05jfbC!RO^A;!*2+S)YSWG>-9+Wc6&aS=j0gadhl?tAmEppd)=R$C^l51
zdwrjI+*otNHLTQu@{WP%NJexILOQDMXcr>=SrzN}idbDOsT$aks^?OAS)SNyN>wS5
zP_@15%wfANWtl@q-2+=Bct50EW6@ozmmUeOE-K7vZE4-DZmVE0cqiDPml^eM=37iN
zBkdW@h|V*o(Z@&$mt9)Ik_ML$00000000000001x84+<a3jhEB000000000000000
z00000000000Kg0=WeNZQ00000000000000000000W~&dF0ssI2000000000000000
z00000nB@*x$~1KJ`|4}#sO*KT8&htPyW=8((VItl&pl{v+OVm)(z5xg{go9udW$c0
zwx3ycr7e(Gch-Bst@;ZahaOdg`qe3sPT9D<OxG&fV~HEBTPXQX%aP)1rxusg#nW&v
zj)ZP+Vx~2vm}g@3sXFManYn&FjuK05jfbC!RO^A;!*2+S)YSWG>-9+Wc6&aS=j0ga
zdhl?tAmEppd)=R$C^l51dwrjI+*otNHLTQu@{WP%NJexILOQDMXcr>=SrzN}idbDO
zsT$aks^?OAS)SNyN>wS5P_@15%wfANWtl@q-2+=Bct50EW6@ozmmUeOE-K7vZE4-D
zZmVE0cqiDPml^eM=37iNBkdW@h|V*o(Z@&$mt9)Ik_ML$00000000000001x84+<a
z3jhEB000000AS9^o<n2Zw#!$m)|UUFOv6w{SS?Y{l(NP}zNi{6dZ{mYzmCx)ezAO-
MzmoF%=MjGS588`yZ2$lO

literal 0
Hc-jL100001

-- 
2.47.2