From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Hoi Pok Wu <wuhoipok@gmail.com>,
	Dave Kleikamp <dave.kleikamp@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	shaggy@kernel.org, mudongliangabcd@gmail.com,
	paskripkin@gmail.com, r33s3n6@gmail.com,
	jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 4.14 3/8] fs: jfs: fix shift-out-of-bounds in dbDiscardAG
Date: Sat, 17 Dec 2022 10:30:26 -0500
Message-ID: <20221217153033.99394-3-sashal@kernel.org>
In-Reply-To: <20221217153033.99394-1-sashal@kernel.org>

From: Hoi Pok Wu <wuhoipok@gmail.com>

[ Upstream commit 25e70c6162f207828dd405b432d8f2a98dbf7082 ]

This should be applied to most UBSAN bugs found recently by syzbot,
by guarding the dbMount, as syzbot is feeding rubbish into the bmap
descriptor.

Signed-off-by: Hoi Pok Wu <wuhoipok@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/jfs_dmap.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a46fa0f3db57..0ca1ad2610df 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -211,6 +211,11 @@ int dbMount(struct inode *ipbmap)
 		goto err_release_metapage;
 	}
 
+	if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
+		err = -EINVAL;
+		goto err_release_metapage;
+	}
+
 	for (i = 0; i < MAXAG; i++)
 		bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
 	bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
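Review bot: the new guard in dbMount() shifts by bmp->db_agl2size before that field has been range-checked anywhere in the visible lines, so if it comes from the same untrusted descriptor as the rest of the bmap, an out-of-range value makes the guard's own `>>` the shift-out-of-bounds it is meant to prevent. Unless db_agl2size is already bounded above this hunk, validate it first (reject negative values and anything at or beyond the bit width of db_mapsize) and only then evaluate `(bmp->db_mapsize - 1) >> bmp->db_agl2size`. Also check the comparison: the shifted value is the index of the highest allocation group, and the loop right below fills db_agfree[i] only for i < MAXAG, so a result equal to MAXAG passes `> MAXAG` while naming a slot that loop never fills; `>= MAXAG` looks like the intended bound. A one-line comment saying that this rejects a corrupted on-disk map descriptor would help, since the subject names dbDiscardAG while the check lives in dbMount.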
-- 
2.35.1

