From 6b9fda87c4e5d0c6f945d7565197f157b9fa3d5f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?=
Date: Wed, 23 Aug 2023 11:58:33 +0200
Subject: [PATCH] libblkid: (bcachefs) fix size validation
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Avoid signed shift out-of-bounds. Also mark the constants explitly as unsigned instead of casting.

Signed-off-by: Thomas Weißschuh
(cherry picked from commit befe455f59de8c7bc66b85ed52aae8cbc95325fa)
---
 libblkid/src/superblocks/bcache.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
index 6ab3fe9d4c..28ac4b52be 100644
--- a/libblkid/src/superblocks/bcache.c
+++ b/libblkid/src/superblocks/bcache.c
@@ -142,17 +142,19 @@ struct bcachefs_super_block {
 /* magic string len */
 #define BCACHE_SB_MAGIC_LEN (sizeof(BCACHE_SB_MAGIC) - 1)
 /* super block offset */
-#define BCACHE_SB_OFF 0x1000
+#define BCACHE_SB_OFF 0x1000U
 /* supper block offset in kB */
 #define BCACHE_SB_KBOFF (BCACHE_SB_OFF >> 10)
 /* magic string offset within super block */
 #define BCACHE_SB_MAGIC_OFF offsetof(struct bcache_super_block, magic)
 /* start of checksummed data within superblock */
-#define BCACHE_SB_CSUMMED_START 8
+#define BCACHE_SB_CSUMMED_START 8U
 /* granularity of offset and length fields within superblock */
-#define BCACHEFS_SECTOR_SIZE 512
+#define BCACHEFS_SECTOR_SIZE 512U
+/* maximum superblock size shift */
+#define BCACHEFS_SB_MAX_SIZE_SHIFT 0x10U
 /* maximum superblock size */
-#define BCACHEFS_SB_MAX_SIZE 0x100000
+#define BCACHEFS_SB_MAX_SIZE (1U << BCACHEFS_SB_MAX_SIZE_SHIFT)
 /* fields offset within super block */
 #define BCACHEFS_SB_FIELDS_OFF offsetof(struct bcachefs_super_block, _start)
 /* tag value for members field */
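Review bot: `BCACHEFS_SB_MAX_SIZE` silently changes value in this hunk: it was `0x100000` (1 MiB) and is now `1U << 0x10`, i.e. 0x10000 (64 KiB), which the commit message does not mention. The new `BCACHEFS_SB_MAX_SIZE_SHIFT` is also used in the second hunk to bound `sb_max_size_bits`, where it is a shift applied to `BCACHEFS_SECTOR_SIZE`, so the same constant is read once as a byte shift and once as a sector shift. If the tighter cap is not intended, keep the byte limit independent, `#define BCACHEFS_SB_MAX_SIZE 0x100000U`, and have the comment on the shift constant say it limits the on-disk `sb_max_size_bits` field. As written, a superblock whose computed size lies between 64 KiB and 1 MiB would presumably no longer be probed.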
@@ -311,12 +313,16 @@ static int probe_bcachefs(blkid_probe pr, const struct blkid_idmag *mag) return BLKID_PROBE_NONE; sb_size = BCACHEFS_SB_FIELDS_OFF + BYTES(bcs); - if (sb_size > ((uint64_t) BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits)) - return BLKID_PROBE_NONE; if (sb_size > BCACHEFS_SB_MAX_SIZE) return BLKID_PROBE_NONE; + if (bcs->layout.sb_max_size_bits > BCACHEFS_SB_MAX_SIZE_SHIFT) + return BLKID_PROBE_NONE; + + if (sb_size > (BCACHEFS_SECTOR_SIZE << bcs->layout.sb_max_size_bits)) + return BLKID_PROBE_NONE; + sb = blkid_probe_get_sb_buffer(pr, mag, sb_size); if (!sb) return BLKID_PROBE_NONE; -- 2.47.2
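Review bot: The order of the two added checks matters but nothing in the code says so: `bcs->layout.sb_max_size_bits` is read from the on-disk layout and has to be bounded before it is used as a shift count, because the constants are now plain unsigned and the old `(uint64_t)` widening is gone. A comment above the bound check would keep a later cleanup from merging or reordering the two, for example `/* sb_max_size_bits comes from disk: bound it before shifting; 512U << 16 still fits a 32-bit unsigned */`. probe_bcachefs starts and ends outside the hunk, so the type of `sb_size` and the definition of `BYTES()` cannot be checked from here.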