bcachefs: Fix oob write in __bch2_btree_node_write

Fix a possible out of bounds write in __bch2_btree_node_write when the data buffer padding is cleared up to the block size. The out of bounds write is possible if the data buffers size is not a multiple of the block size. Signed-off-by: Dan Robertson <dan@dlrobertson.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

bcachefs: Fix oob write in __bch2_btree_node_write
Fix a possible out of bounds write in __bch2_btree_node_write when the data buffer padding is cleared up to the block size. The out of bounds write is possible if the data buffers size is not a multiple of the block size. Signed-off-by: Dan Robertson <dan@dlrobertson.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
5bc38f44 · Dan Robertson · Kent Overstreet · 1784d43a · 5bc38f44
Commit 5bc38f44 authored May 07, 2021 by Dan Robertson Committed by Kent Overstreet Oct 22, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

fs/bcachefs/btree_io.c fs/bcachefs/btree_io.c +3 -0

No files found.
--- a/fs/bcachefs/btree_io.c
+++ b/fs/bcachefs/btree_io.c
@@ -1500,6 +1500,9 @@ void __bch2_btree_node_write(struct bch_fs *c, struct btree *b)
 	/* bch2_varint_decode may read up to 7 bytes past the end of the buffer: */
 	bytes += 8;

+	/* buffer must be a multiple of the block size */
+	bytes = round_up(bytes, block_bytes(c));
+
 	data = btree_bounce_alloc(c, bytes, &used_mempool);

 	if (!b->written) {