* [PATCH] jfs: fix divide error in dbNextAG
@ 2022-03-19 19:16 Pavel Skripkin
2022-03-19 19:30 ` [PATCH v2] " Pavel Skripkin
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Skripkin @ 2022-03-19 19:16 UTC (permalink / raw)
To: shaggy
Cc: jfs-discussion, linux-kernel, Pavel Skripkin,
syzbot+46f5c25af73eb8330eb6
Syzbot reported divide error in dbNextAG(). The problem was in missing
validation check for malicious image.
Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any
validation checks, but dbNextAG() blindly use bmp->db_numag in divide
expression
Fix it by validating bmp->db_numag in dbMount() and return an error if
image is malicious
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
fs/jfs/jfs_dmap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 91f4ec93dab1..633a9aff0868 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -148,6 +148,7 @@ static const s8 budtab[256] = {
* 0 - success
* -ENOMEM - insufficient memory
* -EIO - i/o error
+ * -EINVAL - wrong bmap data
*/
int dbMount(struct inode *ipbmap)
{
@@ -179,6 +180,9 @@ int dbMount(struct inode *ipbmap)
bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+ if (!bmp->db_numag)
+ return -EINVAL;
+
bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
--
2.35.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH v2] jfs: fix divide error in dbNextAG
2022-03-19 19:16 [PATCH] jfs: fix divide error in dbNextAG Pavel Skripkin
@ 2022-03-19 19:30 ` Pavel Skripkin
2022-03-22 15:25 ` Dave Kleikamp
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Skripkin @ 2022-03-19 19:30 UTC (permalink / raw)
To: shaggy
Cc: jfs-discussion, linux-kernel, Pavel Skripkin,
syzbot+46f5c25af73eb8330eb6
Syzbot reported divide error in dbNextAG(). The problem was in missing
validation check for malicious image.
Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any
validation checks, but dbNextAG() blindly use bmp->db_numag in divide
expression
Fix it by validating bmp->db_numag in dbMount() and return an error if
image is malicious
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
Changes since v1:
- Add missing clean up in case of error
---
fs/jfs/jfs_dmap.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 91f4ec93dab1..d8502f4989d9 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -148,6 +148,7 @@ static const s8 budtab[256] = {
* 0 - success
* -ENOMEM - insufficient memory
* -EIO - i/o error
+ * -EINVAL - wrong bmap data
*/
int dbMount(struct inode *ipbmap)
{
@@ -179,6 +180,12 @@ int dbMount(struct inode *ipbmap)
bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+ if (!bmp->db_numag) {
+ release_metapage(mp);
+ kfree(bmp);
+ return -EINVAL;
+ }
+
bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
--
2.35.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2] jfs: fix divide error in dbNextAG
2022-03-19 19:30 ` [PATCH v2] " Pavel Skripkin
@ 2022-03-22 15:25 ` Dave Kleikamp
0 siblings, 0 replies; 3+ messages in thread
From: Dave Kleikamp @ 2022-03-22 15:25 UTC (permalink / raw)
To: Pavel Skripkin, shaggy
Cc: jfs-discussion, linux-kernel, syzbot+46f5c25af73eb8330eb6
Thanks. I'll push this for 5.18.
Shaggy
On 3/19/22 2:30PM, Pavel Skripkin wrote:
> Syzbot reported divide error in dbNextAG(). The problem was in missing
> validation check for malicious image.
>
> Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any
> validation checks, but dbNextAG() blindly use bmp->db_numag in divide
> expression
>
> Fix it by validating bmp->db_numag in dbMount() and return an error if
> image is malicious
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
>
> Changes since v1:
> - Add missing clean up in case of error
>
> ---
> fs/jfs/jfs_dmap.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index 91f4ec93dab1..d8502f4989d9 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -148,6 +148,7 @@ static const s8 budtab[256] = {
> * 0 - success
> * -ENOMEM - insufficient memory
> * -EIO - i/o error
> + * -EINVAL - wrong bmap data
> */
> int dbMount(struct inode *ipbmap)
> {
> @@ -179,6 +180,12 @@ int dbMount(struct inode *ipbmap)
> bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
> bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
> bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
> + if (!bmp->db_numag) {
> + release_metapage(mp);
> + kfree(bmp);
> + return -EINVAL;
> + }
> +
> bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
> bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
> bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-03-22 15:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-19 19:16 [PATCH] jfs: fix divide error in dbNextAG Pavel Skripkin
2022-03-19 19:30 ` [PATCH v2] " Pavel Skripkin
2022-03-22 15:25 ` Dave Kleikamp
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.