From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Rustam Kovhaev, Jan Kara, syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
Subject: [PATCH 4.14 15/29] reiserfs: add check for an invalid ih_entry_count
Date: Thu, 7 Jan 2021 15:31:30 +0100
Message-Id: <20210107143055.082684129@linuxfoundation.org>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20210107143052.973437064@linuxfoundation.org>
References: <20210107143052.973437064@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Rustam Kovhaev

commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.

when directory item has an invalid value set for ih_entry_count it might
trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()

ih_entry_count * IH_SIZE for directory item should not be larger than
ih_item_len

Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
Signed-off-by: Rustam Kovhaev
Signed-off-by: Jan Kara
Signed-off-by: Greg Kroah-Hartman
---
 fs/reiserfs/stree.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/reiserfs/stree.c +++ b/fs/reiserfs/stree.c @@ -454,6 +454,12 @@ static int is_leaf(char *buf, int blocks "(second one): %h", ih); return 0; } + if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { + reiserfs_warning(NULL, "reiserfs-5093", + "item entry count seems wrong %h", + ih); + return 0; + } prev_location = ih_location(ih); }
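
Review bot: The bound in the added condition in is_leaf() multiplies ih_entry_count(ih) by IH_SIZE, which by its name is the size of an item header, and nothing in the hunk or the commit message says why that is the right minimum size for one directory entry. A short comment above the `if` stating what each entry must occupy inside the item would let a reader confirm that the check neither misses a corrupt count nor rejects a valid item. The check is also only a lower bound on ih_item_len: it rejects counts that cannot fit at all, so it is worth stating in the commit message whether bin_search_in_dir_item() needs any further validation of the entries themselves. Style: the condition line runs past 80 columns and the outer parentheses around the comparison are redundant; wrapping after `&&` would fix both.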