Forwarded: [PATCH] btrfs: validate block device block size before reading superblock

syzbot posted 1 patch 4 weeks, 1 day ago
fs/btrfs/volumes.c | 3 +++
1 file changed, 3 insertions(+)
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] btrfs: validate block device block size before reading superblock
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When mounting a block device with a block size larger than PAGE_SIZE,
the buffer head allocation in folio_alloc_buffers() returns NULL because
the allocation loop never executes when blocksize > folio_size. This
leads to a NULL pointer dereference in create_empty_buffers() when
accessing bh->b_state.

The crash was triggered by syzbot mounting a null_blk device as btrfs,
where the block device had a block size exceeding PAGE_SIZE.

Add validation in btrfs_read_disk_super() to reject block devices with
block sizes larger than PAGE_SIZE before attempting to read the
superblock.

Reported-by: syzbot+b4a2af3000eaa84d95d5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b4a2af3000eaa84d95d5
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/btrfs/volumes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 13c514684cfb..d79e2a19c046 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1341,6 +1341,9 @@ struct btrfs_super_block *btrfs_read_disk_super(struct block_device *bdev,
 	struct address_space *mapping = bdev->bd_mapping;
 	int ret;
 
+	if (!mapping->host ||
+	    (1 << mapping->host->i_blkbits) > PAGE_SIZE)
+		return ERR_PTR(-EINVAL);
 	bytenr_orig = btrfs_sb_offset(copy_num);
 	ret = btrfs_sb_log_location_bdev(bdev, copy_num, READ, &bytenr);
 	if (ret < 0) {
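Review bot: the `!mapping->host` test on the first added line is dead code, since a block device's `bd_mapping` always has a host inode, and the size test returns `-EINVAL` silently, so a mount of such a device fails with no hint of why; consider dropping the NULL test, emitting a message with the rejected block size, and adding a one-line comment above the check stating that the bdev page cache cannot carve a page into blocks larger than itself. Since the commit message places the NULL dereference in the generic buffer-head path (`folio_alloc_buffers()` returning NULL to `create_empty_buffers()`), this guard only protects btrfs and only in `btrfs_read_disk_super()`, which runs once per superblock copy; doing the check once when the device is opened, and fixing the generic path separately, would be a more complete change.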
-- 
2.43.0
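The failure mode the commit message describes, as an added user-space model that is not kernel code and not part of this patch: a simplified stand-in for the `folio_alloc_buffers()` loop returns NULL when the block size exceeds the folio, and a guard shaped like the patch's `i_blkbits` check keeps an unguarded caller from dereferencing that NULL. All `model_` names, `MODEL_PAGE_SIZE`, and the exact loop shape are assumptions based on the behaviour the message reports.

```c
/*
 * Added example (user-space model, not kernel code): why a block size
 * larger than the page size yields a NULL buffer-head list, and how a
 * guard like the patch's keeps the NULL dereference out of reach.
 * Names prefixed model_ and the loop shape are simplified assumptions.
 */
#include <stdio.h>
#include <stdlib.h>

#define MODEL_PAGE_SIZE 4096UL   /* assumed PAGE_SIZE for this model */
#define MODEL_EINVAL    22       /* errno value used for the rejection */

struct model_bh {
	unsigned long b_size;
	unsigned long b_state;
	struct model_bh *b_this_page;
};

static void model_free_buffers(struct model_bh *head)
{
	while (head) {
		struct model_bh *next = head->b_this_page;
		free(head);
		head = next;
	}
}

/*
 * Model of folio_alloc_buffers(): carve a folio of folio_size bytes into
 * blocks of 'size' bytes, one buffer head per block. When size exceeds
 * folio_size the first subtraction goes negative, the loop body never
 * runs, and NULL comes back with no error indication at all.
 */
static struct model_bh *model_alloc_buffers(unsigned long folio_size,
					    unsigned long size)
{
	struct model_bh *head = NULL;
	long offset = (long)folio_size;

	while ((offset -= (long)size) >= 0) {
		struct model_bh *bh = calloc(1, sizeof(*bh));

		if (!bh) {
			model_free_buffers(head);
			return NULL;
		}
		bh->b_size = size;
		bh->b_this_page = head;
		head = bh;
	}
	return head;
}

/* Buffer heads one folio gets for a block size; 0 means the allocator
 * returned NULL, which an unguarded caller would go on to dereference. */
unsigned long model_buffers_per_folio(unsigned long folio_size, unsigned long size)
{
	struct model_bh *head = model_alloc_buffers(folio_size, size);
	unsigned long n = 0;

	for (struct model_bh *bh = head; bh; bh = bh->b_this_page)
		n++;
	model_free_buffers(head);
	return n;
}

/* The patch's check expressed on the i_blkbits shift: a block must fit
 * in one page. */
int model_blocksize_supported(unsigned int blkbits)
{
	return (1UL << blkbits) <= MODEL_PAGE_SIZE;
}

/*
 * Model of a guarded caller (create_empty_buffers() in the report):
 * returns -MODEL_EINVAL when the block size is rejected up front,
 * otherwise sets up the buffers and, if nr_created is non-NULL, reports
 * how many were made. With the guard in place the NULL list is unreachable.
 */
int model_create_empty_buffers(unsigned int blkbits, unsigned long *nr_created)
{
	struct model_bh *head;
	unsigned long n = 0;

	if (!model_blocksize_supported(blkbits))
		return -MODEL_EINVAL;

	head = model_alloc_buffers(MODEL_PAGE_SIZE, 1UL << blkbits);
	for (struct model_bh *bh = head; bh; bh = bh->b_this_page) {
		bh->b_state |= 1;	/* the field touched in the reported crash */
		n++;
	}
	model_free_buffers(head);
	if (nr_created)
		*nr_created = n;
	return 0;
}

int main(void)
{
	for (unsigned int blkbits = 9; blkbits <= 14; blkbits++) {
		unsigned long size = 1UL << blkbits, n = 0;
		int ret = model_create_empty_buffers(blkbits, &n);

		printf("block %5lu: allocator gives %lu bh, guarded caller -> %d (%lu bh)\n",
		       size, model_buffers_per_folio(MODEL_PAGE_SIZE, size), ret, n);
	}
	return 0;
}
```

Running it shows the allocator handing back zero buffer heads once the block size passes 4096, while the guarded caller refuses those sizes with -22 instead of walking an empty list.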