From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Juntong Deng <juntong.deng@outlook.com>,
syzbot+38e876a8aa44b7115c76@syzkaller.appspotmail.com,
Dave Kleikamp <dave.kleikamp@oracle.com>,
Sasha Levin <sashal@kernel.org>,
shaggy@kernel.org, wonguk.lee1023@gmail.com,
liushixin2@huawei.com, andrew.kanner@gmail.com,
yogi.kernel@gmail.com, code@siddh.me, ghandatmanas@gmail.com,
jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 4.14 4/9] fs/jfs: Add validity check for db_maxag and db_agpref
Date: Tue, 7 Nov 2023 10:54:54 -0500 [thread overview]
Message-ID: <20231107155509.3769038-4-sashal@kernel.org> (raw)
In-Reply-To: <20231107155509.3769038-1-sashal@kernel.org>
From: Juntong Deng <juntong.deng@outlook.com>
[ Upstream commit 64933ab7b04881c6c18b21ff206c12278341c72e ]
Both db_maxag and db_agpref are used as the index of the
db_agfree array, but there is currently no validity check for
db_maxag and db_agpref, which can lead to errors.
The following is related bug reported by Syzbot:
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20
index 7936 is out of range for type 'atomic_t[128]'
Add checking that the values of db_maxag and db_agpref are valid
indexes for the db_agfree array.
Reported-by: syzbot+38e876a8aa44b7115c76@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=38e876a8aa44b7115c76
Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 070638718be32..713f11dee52aa 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -208,6 +208,12 @@ int dbMount(struct inode *ipbmap)
bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
+ if (bmp->db_maxag >= MAXAG || bmp->db_maxag < 0 ||
+ bmp->db_agpref >= MAXAG || bmp->db_agpref < 0) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+
bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
--
2.42.0
next prev parent reply other threads:[~2023-11-07 16:04 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 15:54 [PATCH AUTOSEL 4.14 1/9] crypto: pcrypt - Fix hungtask for PADATA_RESET Sasha Levin
2023-11-07 15:54 ` [PATCH AUTOSEL 4.14 2/9] RDMA/hfi1: Use FIELD_GET() to extract Link Width Sasha Levin
2023-11-07 15:54 ` [PATCH AUTOSEL 4.14 3/9] fs/jfs: Add check for negative db_l2nbperpage Sasha Levin
2023-11-07 15:54 ` Sasha Levin [this message]
2023-11-07 15:54 ` [PATCH AUTOSEL 4.14 5/9] jfs: fix array-index-out-of-bounds in dbFindLeaf Sasha Levin
2023-11-07 15:54 ` [PATCH AUTOSEL 4.14 6/9] jfs: fix array-index-out-of-bounds in diAlloc Sasha Levin
2023-11-07 15:54 ` [PATCH AUTOSEL 4.14 7/9] ALSA: hda: Fix possible null-ptr-deref when assigning a stream Sasha Levin
2023-11-07 15:54 ` [PATCH AUTOSEL 4.14 8/9] atm: iphase: Do PCI error checks on own line Sasha Levin
2023-11-07 15:54 ` [PATCH AUTOSEL 4.14 9/9] scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107155509.3769038-4-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrew.kanner@gmail.com \
--cc=code@siddh.me \
--cc=dave.kleikamp@oracle.com \
--cc=ghandatmanas@gmail.com \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=juntong.deng@outlook.com \
--cc=linux-kernel@vger.kernel.org \
--cc=liushixin2@huawei.com \
--cc=shaggy@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+38e876a8aa44b7115c76@syzkaller.appspotmail.com \
--cc=wonguk.lee1023@gmail.com \
--cc=yogi.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.