From: Dave Kleikamp <dave.kleikamp@oracle.com>
To: Pavel Skripkin <paskripkin@gmail.com>, shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org,
	syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] jfs: fix divide error in dbNextAG
Date: Tue, 22 Mar 2022 10:25:52 -0500
Message-ID: <11ce83d5-6080-5474-02de-677a4116405d@oracle.com>
In-Reply-To: <20220319193000.6449-1-paskripkin@gmail.com>

Thanks. I'll push this for 5.18.

Shaggy

On 3/19/22 2:30PM, Pavel Skripkin wrote:
> Syzbot reported a divide error in dbNextAG(). The problem was a missing
> validation check for a malicious image.
> 
> Syzbot crafted an image with bmp->db_numag equal to 0. There weren't any
> validation checks, but dbNextAG() blindly used bmp->db_numag in a divide
> expression.
> 
> Fix it by validating bmp->db_numag in dbMount() and returning an error if
> the image is malicious.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
> 
> Changes since v1:
> 	- Add missing clean up in case of error
> 
> ---
>   fs/jfs/jfs_dmap.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index 91f4ec93dab1..d8502f4989d9 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -148,6 +148,7 @@ static const s8 budtab[256] = {
>    *	0	- success
>    *	-ENOMEM	- insufficient memory
>    *	-EIO	- i/o error
> + *	-EINVAL - wrong bmap data
>    */
>   int dbMount(struct inode *ipbmap)
>   {
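Review bot: the new "-EINVAL - wrong bmap data" entry is vaguer than its neighbours and breaks their column alignment. The existing entries separate the code from its description with a tab ("-ENOMEM<tab>- insufficient memory"); the added line uses a space, so it will not line up, and "wrong bmap data" does not say which check fails. Suggest "-EINVAL<tab>- invalid on-disk bmap (db_numag == 0)" so the comment names the condition the code below actually tests.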
> @@ -179,6 +180,12 @@ int dbMount(struct inode *ipbmap)
>   	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
>   	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
>   	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
> +	if (!bmp->db_numag) {
> +		release_metapage(mp);
> +		kfree(bmp);
> +		return -EINVAL;
> +	}
> +
>   	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
>   	bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
>   	bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
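Review bot: the check rejects only db_numag == 0, while every other field copied from the same untrusted page in this hunk (db_l2nbperpage, db_maxlevel, db_maxag, db_agpref) is still accepted as-is, and db_numag itself has no upper bound. db_maxag and db_agpref are allocation-group indices, so a crafted image can still set them far beyond db_numag; consider bounding them against db_numag and capping db_numag at the existing MAXAG limit, e.g. `if (!bmp->db_numag || bmp->db_numag > MAXAG)`, so one mount-time check covers the whole family rather than the single divisor syzbot happened to hit. The error path itself (release_metapage(mp) then kfree(bmp)) matches the clean up the v2 changelog says it adds.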

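The pattern the patch applies, validating an on-disk field once where it is copied in rather than where it is later used as a divisor, as an added, self-contained C model. This is example code, not JFS code: the struct layout is a trimmed, hypothetical stand-in for the dbmap header, the division modelled (average free blocks per allocation group) is an assumption about what dbNextAG() divides, and the upper bound MAX_AG_EXAMPLE and the index checks on db_maxag/db_agpref go beyond the patch. Both images are constructed inline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the on-disk dbmap header: only the fields this
 * example needs, in the little-endian layout JFS uses for its metadata. */
struct dbmap_le {
	uint8_t dn_nfree[8];	/* free blocks in the file system (le64) */
	uint8_t dn_numag[4];	/* number of allocation groups (le32) */
	uint8_t dn_maxag[4];	/* highest active AG index (le32) */
	uint8_t dn_agpref[4];	/* preferred AG for allocation (le32) */
};

/* In-memory copy, mirroring the bmap field names used in the patch. */
struct bmap {
	uint64_t db_nfree;
	uint32_t db_numag;
	uint32_t db_maxag;
	uint32_t db_agpref;
};

/* Assumed cap on allocation groups for this example; JFS has its own limit. */
#define MAX_AG_EXAMPLE 128

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t get_le64(const uint8_t *p)
{
	return (uint64_t)get_le32(p) | (uint64_t)get_le32(p + 4) << 32;
}

/* Models dbMount()'s copy-in. Every field later used as a divisor or an
 * index is validated here, so a crafted image is rejected once at mount
 * instead of crashing in an allocator path. Returns 0, -EIO or -EINVAL. */
int mount_bmap(const uint8_t *img, size_t len, struct bmap *bmp)
{
	const struct dbmap_le *d = (const struct dbmap_le *)img;

	if (len < sizeof(*d))
		return -EIO;

	bmp->db_nfree = get_le64(d->dn_nfree);
	bmp->db_numag = get_le32(d->dn_numag);
	/* The patch's zero check, plus an upper bound (example assumption). */
	if (!bmp->db_numag || bmp->db_numag > MAX_AG_EXAMPLE)
		return -EINVAL;

	bmp->db_maxag = get_le32(d->dn_maxag);
	bmp->db_agpref = get_le32(d->dn_agpref);
	/* Both are AG indices, so they must lie inside [0, db_numag). */
	if (bmp->db_maxag >= bmp->db_numag || bmp->db_agpref >= bmp->db_numag)
		return -EINVAL;

	return 0;
}

/* Models the division in dbNextAG(): average free blocks per AG. After
 * mount_bmap() succeeded, db_numag cannot be zero here. */
int avg_free_per_ag(const struct bmap *bmp, uint64_t *avg)
{
	if (!bmp->db_numag)	/* defence in depth; unreachable after mount_bmap() */
		return -EINVAL;
	*avg = bmp->db_nfree / bmp->db_numag;
	return 0;
}

/* Constructed images (20 bytes each): nfree, numag, maxag, agpref. */
static const uint8_t good_img[20] = {
	100, 0, 0, 0, 0, 0, 0, 0,	/* dn_nfree = 100 */
	4, 0, 0, 0,			/* dn_numag = 4 */
	3, 0, 0, 0,			/* dn_maxag = 3 */
	1, 0, 0, 0,			/* dn_agpref = 1 */
};
static const uint8_t zero_ag_img[20] = {
	100, 0, 0, 0, 0, 0, 0, 0,
	0, 0, 0, 0,			/* dn_numag = 0: the syzbot case */
	0, 0, 0, 0,
	0, 0, 0, 0,
};

/* Mount an image and compute the average; returns the average on success
 * or the negative errno from whichever step rejected the image. */
long mount_and_average(const uint8_t *img, size_t len)
{
	struct bmap bmp;
	uint64_t avg;
	int err = mount_bmap(img, len, &bmp);

	if (err)
		return err;
	err = avg_free_per_ag(&bmp, &avg);
	return err ? err : (long)avg;
}

int main(void)
{
	printf("good image: %ld\n", mount_and_average(good_img, sizeof(good_img)));
	printf("numag == 0: %ld\n", mount_and_average(zero_ag_img, sizeof(zero_ag_img)));
	return 0;
}
```

The good image mounts and yields 100 / 4 = 25; the zero-AG image is refused with -EINVAL before any division runs, which is the behaviour the patch adds to dbMount(). The check in avg_free_per_ag() is deliberately redundant: it costs nothing and keeps the divisor safe if some future path fills in a struct bmap without going through the mount-time validation.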
Thread overview: 3+ messages
2022-03-19 19:16 [PATCH] jfs: fix divide error in dbNextAG Pavel Skripkin
2022-03-19 19:30 ` [PATCH v2] " Pavel Skripkin
2022-03-22 15:25   ` Dave Kleikamp [this message]