From: Randy Dunlap
To: linux-kernel@vger.kernel.org
Cc: Randy Dunlap, syzbot+36315852ece4132ec193@syzkaller.appspotmail.com, kernel test robot, Dave Kleikamp, jfs-discussion@lists.sourceforge.net
Subject: [PATCH v2] JFS: more checks for invalid superblock
Date: Fri, 18 Dec 2020 12:17:16 -0800
Message-Id: <20201218201716.26613-1-rdunlap@infradead.org>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot is feeding invalid superblock data to JFS for mount testing.
JFS does not check several of the fields -- just assumes that they
are good since the JFS_MAGIC and version fields are good.

In this case (syzbot reproducer), we have s_l2bsize == 0xda0c,
pad == 0xf045, and s_state == 0x50, all of which are invalid IMO.

Having s_l2bsize == 0xda0c causes this UBSAN warning:

UBSAN: shift-out-of-bounds in fs/jfs/jfs_mount.c:373:25
shift exponent -9716 is negative

s_l2bsize can be tested for correctness. pad can be tested for non-0
and punted. s_state can be tested for its valid values and punted.

Do those 3 tests and if any of them fails, report the superblock as
invalid/corrupt and let fsck handle it.

With this patch, chkSuper() says this when JFS_DEBUG is enabled:

jfs_mount: Mount Failure: superblock is corrupt!
Mount JFS Failure: -22
jfs_mount failed w/return code = -22

The obvious problem with this method is that next week there could be
another syzbot test that uses different fields for invalid values,
thus making this like a game of whack-a-mole.

syzkaller link: https://syzkaller.appspot.com/bug?extid=36315852ece4132ec193

Reported-by: syzbot+36315852ece4132ec193@syzkaller.appspotmail.com
Reported-by: kernel test robot # v2
Signed-off-by: Randy Dunlap Cc: Dave Kleikamp Cc: jfs-discussion@lists.sourceforge.net --- v2: fix sparse __le32 warning (lkp robot) fs/jfs/jfs_filsys.h | 1 + fs/jfs/jfs_mount.c | 10 ++++++++++ 2 files changed, 11 insertions(+) --- lnx-510.orig/fs/jfs/jfs_mount.c +++ lnx-510/fs/jfs/jfs_mount.c @@ -37,6 +37,7 @@ #include #include #include +#include #include "jfs_incore.h" #include "jfs_filsys.h" @@ -366,6 +367,15 @@ static int chkSuper(struct super_block * sbi->bsize = bsize; sbi->l2bsize = le16_to_cpu(j_sb->s_l2bsize); + /* check some fields for possible corruption */ + if (sbi->l2bsize != ilog2((u32)bsize) || + j_sb->pad != 0 || + le32_to_cpu(j_sb->s_state) > FM_STATE_MAX) { + rc = -EINVAL; + jfs_err("jfs_mount: Mount Failure: superblock is corrupt!"); + goto out; + } + /* * For now, ignore s_pbsize, l2bfactor. All I/O going through buffer * cache. --- lnx-510.orig/fs/jfs/jfs_filsys.h +++ lnx-510/fs/jfs/jfs_filsys.h @@ -268,5 +268,6 @@ * fsck() must be run to repair */ #define FM_EXTENDFS 0x00000008 /* file system extendfs() in progress */ +#define FM_STATE_MAX 0x0000000f /* max value of s_state */ #endif /* _H_JFS_FILSYS */
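Review bot: in the chkSuper() hunk, `sbi->l2bsize != ilog2((u32)bsize)` only confirms that s_l2bsize equals the floor log2 of bsize; nothing in the hunk shows bsize itself being validated, so a block size that is not a power of two (say 4097) still passes when s_l2bsize is 12, and that size is then stored in sbi->bsize and trusted by later I/O. Consider adding `!is_power_of_2(bsize)` (or `bsize != (1u << sbi->l2bsize)`) to the same condition so both fields are known-good before the shift at the reported line is ever reached.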
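Review bot: in the jfs_filsys.h hunk, FM_STATE_MAX is commented as the "max value of s_state", but s_state is a bitmask of the FM_* flags (FM_EXTENDFS is 0x00000008 directly above it), so 0x0000000f is really the mask of the currently defined bits. Naming it FM_STATE_MASK and testing `le32_to_cpu(j_sb->s_state) & ~FM_STATE_MASK` in chkSuper() would express that intent directly and make it obvious that anyone adding a new FM_ flag has to extend the mask; a one-line comment tying the value to the flag definitions would also help.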
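As an added example, not kernel code and not part of this patch: a user-space C model of the three chkSuper() checks, going one step beyond the patch with a power-of-two check on the block size so that a size that merely shares its floor log2 with a valid one is also rejected. The struct layout, the function names and the sample values other than those quoted in the commit message are assumptions for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the superblock fields
 * the patch's chkSuper() check reads (the real struct is larger and little-endian). */
struct sb_fields {
	uint32_t s_bsize;   /* block size in bytes */
	uint16_t s_l2bsize; /* log2 of s_bsize, later used as a shift count */
	uint16_t pad;       /* must be zero */
	uint32_t s_state;   /* FM_* flag bits */
};

#define FM_STATE_MAX 0x0000000fu /* same value as the patch's define */

/* floor(log2(n)) for n > 0, the value the kernel's ilog2() yields */
static int ilog2_u32(uint32_t n)
{
	int r = -1;
	while (n) { n >>= 1; r++; }
	return r;
}

/* 0 for a plausible superblock, -EINVAL otherwise. Conditions 2-4 mirror the
 * patch; condition 1 adds a power-of-two check (4097 with l2bsize 12 would pass). */
int chk_super_fields(const struct sb_fields *sb)
{
	if (sb->s_bsize == 0 || (sb->s_bsize & (sb->s_bsize - 1)) != 0)
		return -EINVAL;
	if (sb->s_l2bsize != ilog2_u32(sb->s_bsize))
		return -EINVAL;
	if (sb->pad != 0)
		return -EINVAL;
	if (sb->s_state > FM_STATE_MAX)
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* constructed inputs: the syzbot values from the commit message, a
	 * sane 4 KiB superblock, and a size only the extra check rejects */
	const struct sb_fields syzbot = { 4096, 0xda0c, 0xf045, 0x50 };
	const struct sb_fields sane = { 4096, 12, 0, 0 };
	const struct sb_fields odd = { 4097, 12, 0, 0 };
	printf("syzbot %d, sane %d, odd %d\n", chk_super_fields(&syzbot),
	       chk_super_fields(&sane), chk_super_fields(&odd));
	return 0;
}
```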