All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Juntong Deng <juntong.deng@outlook.com>,
	syzbot+debee9ab7ae2b34b0307@syzkaller.appspotmail.com,
	Dave Kleikamp <dave.kleikamp@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	shaggy@kernel.org, andrew.kanner@gmail.com,
	yogi.kernel@gmail.com, liushixin2@huawei.com, code@siddh.me,
	ghandatmanas@gmail.com, wonguk.lee1023@gmail.com,
	jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 6.5 10/34] fs/jfs: Add check for negative db_l2nbperpage
Date: Tue,  7 Nov 2023 10:47:50 -0500	[thread overview]
Message-ID: <20231107154846.3766119-10-sashal@kernel.org> (raw)
In-Reply-To: <20231107154846.3766119-1-sashal@kernel.org>

From: Juntong Deng <juntong.deng@outlook.com>

[ Upstream commit 525b861a008143048535011f3816d407940f4bfa ]

l2nbperpage is log2(number of blks per page), and the minimum legal
value should be 0, not negative.

In the case of l2nbperpage being negative, an error will occur
when subsequently used as shift exponent.

Syzbot reported this bug:

UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12
shift exponent -16777216 is negative

Reported-by: syzbot+debee9ab7ae2b34b0307@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=debee9ab7ae2b34b0307
Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/jfs_dmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 88afd108c2dd2..3a1842348112d 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -180,7 +180,8 @@ int dbMount(struct inode *ipbmap)
 	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
 
 	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
-	if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
+	if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE ||
+		bmp->db_l2nbperpage < 0) {
 		err = -EINVAL;
 		goto err_release_metapage;
 	}
-- 
2.42.0


  parent reply	other threads:[~2023-11-07 15:52 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-07 15:47 [PATCH AUTOSEL 6.5 01/34] ASoC: mediatek: mt8188-mt6359: support dynamic pinctrl Sasha Levin
2023-11-07 15:47 ` Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 02/34] ASoC: soc-card: Add storage for PCI SSID Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 03/34] ASoC: SOF: Pass PCI SSID to machine driver Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 04/34] crypto: pcrypt - Fix hungtask for PADATA_RESET Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 05/34] ALSA: scarlett2: Move USB IDs out from device_info struct Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 06/34] ASoC: SOF: ipc4: handle EXCEPTION_CAUGHT notification from firmware Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 07/34] RDMA/hfi1: Use FIELD_GET() to extract Link Width Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 08/34] scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 09/34] scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool Sasha Levin
2023-11-07 15:47   ` Sasha Levin
2023-11-07 15:47 ` Sasha Levin [this message]
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 11/34] fs/jfs: Add validity check for db_maxag and db_agpref Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 12/34] jfs: fix array-index-out-of-bounds in dbFindLeaf Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 13/34] jfs: fix array-index-out-of-bounds in diAlloc Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 14/34] HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 15/34] ARM: 9320/1: fix stack depot IRQ stack filter Sasha Levin
2023-11-07 15:47   ` Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 16/34] ALSA: hda: Fix possible null-ptr-deref when assigning a stream Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 17/34] gpiolib: of: Add quirk for mt2701-cs42448 ASoC sound Sasha Levin
2023-11-07 15:47   ` Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 18/34] PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields Sasha Levin
2023-11-07 15:47 ` [PATCH AUTOSEL 6.5 19/34] PCI: mvebu: Use FIELD_PREP() with Link Width Sasha Levin
2023-11-07 15:47   ` Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 20/34] atm: iphase: Do PCI error checks on own line Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 21/34] PCI: Do error check on own line to split long "if" conditions Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 22/34] scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 23/34] PCI: Use FIELD_GET() to extract Link Width Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 24/34] PCI: Extract ATS disabling to a helper function Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 25/34] PCI: Disable ATS for specific Intel IPU E2000 devices Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 26/34] PCI: dwc: Add dw_pcie_link_set_max_link_width() Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 27/34] PCI: dwc: Add missing PCI_EXP_LNKCAP_MLW handling Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 28/34] misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 29/34] PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 30/34] ASoC: Intel: soc-acpi-cht: Add Lenovo Yoga Tab 3 Pro YT3-X90 quirk Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 31/34] crypto: hisilicon/qm - prevent soft lockup in receive loop Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 32/34] HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 33/34] exfat: support handle zero-size directory Sasha Levin
2023-11-07 15:48 ` [PATCH AUTOSEL 6.5 34/34] mfd: intel-lpss: Add Intel Lunar Lake-M PCI IDs Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231107154846.3766119-10-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=andrew.kanner@gmail.com \
    --cc=code@siddh.me \
    --cc=dave.kleikamp@oracle.com \
    --cc=ghandatmanas@gmail.com \
    --cc=jfs-discussion@lists.sourceforge.net \
    --cc=juntong.deng@outlook.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=liushixin2@huawei.com \
    --cc=shaggy@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+debee9ab7ae2b34b0307@syzkaller.appspotmail.com \
    --cc=wonguk.lee1023@gmail.com \
    --cc=yogi.kernel@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.