Out of Bounds Memory Access with small btree node sizes #9
Running bcachefs-tools with GCC's address sanitizer enabled alerts to an out of bounds heap access when checking a filesystem with a small btree node size (under 4KB).
Note: on Ubuntu 18.04, I had to preload libasan for it to work, ymmv in this regard. Just prepend the following to all the above bcachefs commands.
The relevant call stack from the bug:
The issue appears to stem from a btree node that spans 2 pages, but since the node size is < 1 page, bio_alloc_bioset() is currently only allocating 1 inline bio_vec struct to hold the bio data (when it needs 2).
In theory this would affect any btree nodes that aren't page aligned, but I've only been able to produce the bug with btree node sizes under 4KB.
Thanks for the bug report!
I fixed it a bit differently - we don't really want to allocate an extra bvec when it's not needed, since usually (at least in the kernel) the btree node buffer will be page aligned, and it'll be a power of two size, so allocating an extra bvec will often end up bumping up the size of the allocation.
There were also a couple other bio allocations that needed to be fixed - but, good catch :)