From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Manas Ghandat , syzbot+aea1ad91e854d0a83e04@syzkaller.appspotmail.com, Dave Kleikamp , Sasha Levin , shaggy@kernel.org, juntong.deng@outlook.com, andrew.kanner@gmail.com, liushixin2@huawei.com, code@siddh.me, yogi.kernel@gmail.com, jfs-discussion@lists.sourceforge.net, wonguk.lee1023@gmail.com
Subject: [PATCH AUTOSEL 6.1 11/30] jfs: fix array-index-out-of-bounds in dbFindLeaf
Date: Tue, 7 Nov 2023 10:49:45 -0500
Message-ID: <20231107155024.3766950-11-sashal@kernel.org>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20231107155024.3766950-1-sashal@kernel.org>
References: <20231107155024.3766950-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.1.61
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Manas Ghandat

[ Upstream commit 22cad8bc1d36547cdae0eef316c47d917ce3147c ]

Currently, while searching a dmtree_t for sufficient free blocks, there is an array out-of-bounds access while getting an element in tp->dm_stree. To add the required check for out-of-bounds access we first need to determine the type of dmtree. Thus an extra parameter was added to dbFindLeaf so that the type of tree can be determined and the required check can be applied.

Reported-by: syzbot+aea1ad91e854d0a83e04@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aea1ad91e854d0a83e04
Signed-off-by: Manas Ghandat
Signed-off-by: Dave Kleikamp
Signed-off-by: Sasha Levin
---
 fs/jfs/jfs_dmap.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index e2927d1f3d1d3..4d56f6081a5d2 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -87,7 +87,7 @@ static int dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, static int dbExtend(struct inode *ip, s64 blkno, s64 nblocks, s64 addnblocks); static int dbFindBits(u32 word, int l2nb); static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno); -static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx); +static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl); static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno, int nblocks); static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno, @@ -1717,7 +1717,7 @@ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno) * dbFindLeaf() returns the index of the leaf at which * free space was found. */ - rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx); + rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx, true); /* release the buffer. */ @@ -1964,7 +1964,7 @@ dbAllocDmapLev(struct bmap * bmp, * free space. if sufficient free space is found, dbFindLeaf() * returns the index of the leaf at which free space was found. */ - if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) + if (dbFindLeaf((dmtree_t *) &dp->tree, l2nb, &leafidx, false)) return -ENOSPC; if (leafidx < 0) @@ -2928,14 +2928,18 @@ static void dbAdjTree(dmtree_t * tp, int leafno, int newval) * leafidx - return pointer to be set to the index of the leaf * describing at least l2nb free blocks if sufficient * free blocks are found. + * is_ctl - determines if the tree is of type ctl * * RETURN VALUES: * 0 - success * -ENOSPC - insufficient free blocks. */ -static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx) +static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) { int ti, n = 0, k, x = 0; + int max_size; + + max_size = is_ctl ? CTLTREESIZE : TREESIZE; /* first check the root of the tree to see if there is * sufficient free space. 
@@ -2956,6 +2960,8 @@ static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx) /* sufficient free space found. move to the next * level (or quit if this is the last level). */ + if (x + n > max_size) + return -ENOSPC; if (l2nb <= tp->dmt_stree[x + n]) break; } -- 2.42.0
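Review bot: the new bounds check in the dbFindLeaf hunk (`if (x + n > max_size) return -ENOSPC;`) looks off by one: it still allows `x + n == max_size`, and if CTLTREESIZE and TREESIZE are the element counts of `dmt_stree` (as the names and the use as `max_size` suggest), that index is one past the end of the array, so the comparison should be `>=`. The check was also inserted directly under the comment "sufficient free space found. move to the next level (or quit if this is the last level)", which now describes the wrong statement; place the check above the comment or reword it. Two smaller points on the same hunk: `max_size` is assigned exactly once, so `const int max_size = is_ctl ? CTLTREESIZE : TREESIZE;` at the declaration would be tidier than a separate assignment, and returning -ENOSPC here conflicts with the documented meaning "-ENOSPC - insufficient free blocks" just above, since an index that leaves the array indicates an inconsistent tree rather than a full one; consider an error value (or a jfs error report) that makes that distinction visible to the caller.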