From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com, Pavel Skripkin, Jan Kara, Sasha Levin
Subject: [PATCH 4.9 130/245] reiserfs: add check for invalid 1st journal block
Date: Mon, 19 Jul 2021 16:51:12 +0200
Message-Id: <20210719144944.606726628@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210719144940.288257948@linuxfoundation.org>
References: <20210719144940.288257948@linuxfoundation.org>
User-Agent: quilt/0.66
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ]

syzbot reported a divide error in reiserfs. The problem was an incorrect journal 1st block. Syzbot's reproducer manually generated a wrong superblock with an incorrect 1st block. There weren't any checks in journal_init() for this particular case. For example, if the 1st journal block is before the superblock's 1st block, it can cause zeroing of important superblock members in do_journal_end().

Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com
Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Jan Kara
Signed-off-by: Sasha Levin
---
 fs/reiserfs/journal.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index 2a5c4813c47d..94871f611fa8 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -2766,6 +2766,20 @@ int journal_init(struct super_block *sb, const char *j_dev_name, goto free_and_return; } + /* + * Sanity check to see if journal first block is correct. + * If journal first block is invalid it can cause + * zeroing important superblock members. + */ + if (!SB_ONDISK_JOURNAL_DEVICE(sb) && + SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) { + reiserfs_warning(sb, "journal-1393", + "journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d", + SB_JOURNAL_1st_RESERVED_BLOCK(sb), + SB_ONDISK_JOURNAL_1st_BLOCK(sb)); + goto free_and_return; + } + if (journal_init_dev(sb, journal, j_dev_name) != 0) { reiserfs_warning(sb, "sh-462", "unable to initialize journal device"); -- 2.30.2
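Review bot: the warning text "journal 1st super block is invalid" in the new reiserfs_warning() call mis-describes what the condition tests; the comparison is SB_ONDISK_JOURNAL_1st_BLOCK(sb) against SB_JOURNAL_1st_RESERVED_BLOCK(sb), i.e. the journal's first block, not a superblock, so "journal 1st block is invalid: 1st reserved block %d, but actual 1st block is %d" would match the check and the "journal-1393" id. Two points for the comment block above the if: it should say that the check is deliberately limited to journals on the main device (the !SB_ONDISK_JOURNAL_DEVICE(sb) guard leaves an external journal device unvalidated here), and that only the lower bound is rejected, since a reader coming from the commit message ("divide error") will otherwise expect a wider validation of the on-disk value. Bailing out via goto free_and_return matches the surrounding error paths in journal_init(), which is the right outcome for a malformed superblock: refuse the mount with a logged reason rather than carry the bad value into do_journal_end().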