fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191

From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
Date: Wed, 08 Dec 2021 18:58:15 +0800	[thread overview]
Message-ID: <202112081732.7p50rsrC-lkp@intel.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 7568 bytes --]

CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Gao Xiang <hsiangkao@redhat.com>
CC: Chao Yu <yuchao0@huawei.com>, Chao Yu <chao@kernel.org>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   2a987e65025e2b79c6d453b78cb5985ac6e5eb26
commit: 14373711dd54be8a84e2f4f624bc58787f80cfbd erofs: add on-disk compression configurations
date:   8 months ago
:::::: branch date: 9 hours ago
:::::: commit date: 8 months ago
config: arc-randconfig-m031-20211208 (https://download.01.org/0day-ci/archive/20211208/202112081732.7p50rsrC-lkp(a)intel.com/config)
compiler: arc-elf-gcc (GCC) 11.2.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191

Old smatch warnings:
arch/arc/include/asm/thread_info.h:65 current_thread_info() error: uninitialized symbol 'sp'.

vim +/ptr +149 fs/erofs/super.c

5efe5137f05bbb drivers/staging/erofs/super.c Gao Xiang 2019-06-13  124  
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  125  #ifdef CONFIG_EROFS_FS_ZIP
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  126  /* read variable-sized metadata, offset will be aligned by 4-byte */
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  127  static void *erofs_read_metadata(struct super_block *sb, struct page **pagep,
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  128  				 erofs_off_t *offset, int *lengthp)
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  129  {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  130  	struct page *page = *pagep;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  131  	u8 *buffer, *ptr;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  132  	int len, i, cnt;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  133  	erofs_blk_t blk;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  134  
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  135  	*offset = round_up(*offset, 4);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  136  	blk = erofs_blknr(*offset);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  137  
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  138  	if (!page || page->index != blk) {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  139  		if (page) {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  140  			unlock_page(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  141  			put_page(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  142  		}
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  143  		page = erofs_get_meta_page(sb, blk);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  144  		if (IS_ERR(page))
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  145  			goto err_nullpage;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  146  	}
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  147  
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  148  	ptr = kmap(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29 @149  	len = le16_to_cpu(*(__le16 *)&ptr[erofs_blkoff(*offset)]);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  150  	if (!len)
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  151  		len = U16_MAX + 1;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  152  	buffer = kmalloc(len, GFP_KERNEL);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  153  	if (!buffer) {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  154  		buffer = ERR_PTR(-ENOMEM);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  155  		goto out;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  156  	}
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  157  	*offset += sizeof(__le16);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  158  	*lengthp = len;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  159  
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  160  	for (i = 0; i < len; i += cnt) {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  161  		cnt = min(EROFS_BLKSIZ - (int)erofs_blkoff(*offset), len - i);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  162  		blk = erofs_blknr(*offset);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  163  
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  164  		if (!page || page->index != blk) {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  165  			if (page) {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  166  				kunmap(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  167  				unlock_page(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  168  				put_page(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  169  			}
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  170  			page = erofs_get_meta_page(sb, blk);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  171  			if (IS_ERR(page)) {
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  172  				kfree(buffer);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  173  				goto err_nullpage;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  174  			}
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  175  			ptr = kmap(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  176  		}
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  177  		memcpy(buffer + i, ptr + erofs_blkoff(*offset), cnt);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  178  		*offset += cnt;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  179  	}
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  180  out:
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  181  	kunmap(page);
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  182  	*pagep = page;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  183  	return buffer;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  184  err_nullpage:
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  185  	*pagep = NULL;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  186  	return page;
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  187  }
14373711dd54be fs/erofs/super.c              Gao Xiang 2021-03-29  188  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org