From mboxrd@z Thu Jan 1 00:00:00 1970
Content-Type: multipart/mixed; boundary="===============3308531899713163327=="
MIME-Version: 1.0
From: kernel test robot
Subject: fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
Date: Thu, 09 Dec 2021 20:48:28 +0800
Message-ID: <202112092024.Xtcn66QP-lkp@intel.com>
List-Id:
To: kbuild@lists.01.org

--===============3308531899713163327==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Gao Xiang
CC: Chao Yu, Chao Yu

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   2a987e65025e2b79c6d453b78cb5985ac6e5eb26
commit: 14373711dd54be8a84e2f4f624bc58787f80cfbd erofs: add on-disk compression configurations
date:   9 months ago
:::::: branch date: 2 days ago
:::::: commit date: 9 months ago
config: arc-randconfig-m031-20211208 (https://download.01.org/0day-ci/archive/20211209/202112092024.Xtcn66QP-lkp(a)intel.com/config)
compiler: arc-elf-gcc (GCC) 11.2.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
Reported-by: Dan Carpenter

New smatch warnings:
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191
fs/erofs/super.c:149 erofs_read_metadata() error: buffer overflow 'ptr' 4096 <= 8191

Old smatch warnings:
arch/arc/include/asm/thread_info.h:65 current_thread_info() error: uninitialized symbol 'sp'.

vim +/ptr +149 fs/erofs/super.c

5efe5137f05bbb4 drivers/staging/erofs/super.c Gao Xiang 2019-06-13  124  
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  125  #ifdef CONFIG_EROFS_FS_ZIP
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  126  /* read variable-sized metadata, offset will be aligned by 4-byte */
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  127  static void *erofs_read_metadata(struct super_block *sb, struct page **pagep,
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  128  				 erofs_off_t *offset, int *lengthp)
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  129  {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  130  	struct page *page = *pagep;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  131  	u8 *buffer, *ptr;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  132  	int len, i, cnt;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  133  	erofs_blk_t blk;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  134  
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  135  	*offset = round_up(*offset, 4);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  136  	blk = erofs_blknr(*offset);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  137  
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  138  	if (!page || page->index != blk) {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  139  		if (page) {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  140  			unlock_page(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  141  			put_page(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  142  		}
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  143  		page = erofs_get_meta_page(sb, blk);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  144  		if (IS_ERR(page))
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  145  			goto err_nullpage;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  146  	}
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  147  
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  148  	ptr = kmap(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29 @149  	len = le16_to_cpu(*(__le16 *)&ptr[erofs_blkoff(*offset)]);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  150  	if (!len)
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  151  		len = U16_MAX + 1;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  152  	buffer = kmalloc(len, GFP_KERNEL);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  153  	if (!buffer) {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  154  		buffer = ERR_PTR(-ENOMEM);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  155  		goto out;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  156  	}
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  157  	*offset += sizeof(__le16);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  158  	*lengthp = len;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  159  
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  160  	for (i = 0; i < len; i += cnt) {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  161  		cnt = min(EROFS_BLKSIZ - (int)erofs_blkoff(*offset), len - i);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  162  		blk = erofs_blknr(*offset);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  163  
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  164  		if (!page || page->index != blk) {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  165  			if (page) {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  166  				kunmap(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  167  				unlock_page(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  168  				put_page(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  169  			}
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  170  			page = erofs_get_meta_page(sb, blk);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  171  			if (IS_ERR(page)) {
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  172  				kfree(buffer);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  173  				goto err_nullpage;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  174  			}
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  175  			ptr = kmap(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  176  		}
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  177  		memcpy(buffer + i, ptr + erofs_blkoff(*offset), cnt);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  178  		*offset += cnt;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  179  	}
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  180  out:
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  181  	kunmap(page);
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  182  	*pagep = page;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  183  	return buffer;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  184  err_nullpage:
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  185  	*pagep = NULL;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  186  	return page;
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  187  }
14373711dd54be8 fs/erofs/super.c              Gao Xiang 2021-03-29  188  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

--===============3308531899713163327==--