Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp1619414rwb; Wed, 28 Sep 2022 23:05:30 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4C5lirFUnA5SnhSO9EXNKmQWP2V82Q9dQPqejHj7Gl9rwEUPnRX45W6cOW4RR75yi8s8aH X-Received: by 2002:a17:906:4796:b0:787:7693:7942 with SMTP id cw22-20020a170906479600b0078776937942mr1312182ejc.752.1664431530359; Wed, 28 Sep 2022 23:05:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664431530; cv=none; d=google.com; s=arc-20160816; b=KX1C6O6zWT17ef7JNix1WFQcM155yHvWHTJg6nPwQ/L+b/lb/ypsbcp1EeOZyiIWKo iw5/acHPQi/eFNcjl984PPxlXlS8idG3My8bK7ZzrS54me2rrLs6sPqGz6lENgH6QbiB htKbXmmt4PlPhBGosNk4jh4qkhar/yRfRPVKKZLPgOa7C3V2eucuGRD60V2CupIrtNBp QQ+KT4NL1Hsi18tUQBshSnVNDOxCBzmcgkwo5bSY4W8kmk4PTfeKnrTALlJ/dsfjn8/t lO7/Hr+RkhCkzkDkTbCtcECp/gXBAdeM9zKlI8TKON/2BOx5o4H/hLJeMZbdajoyZi0m OdrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=a5EKDyyqzsxE8R+DxFQZiEX8zLKwRzjo9z2GoYGmLgw=; b=UYK72T6dr4GnWTYPBsJncC/J6N68YfWDthpwAbc8jkaRJMNMOoyWklsVLqU4q7ZAMD mBFxlpIRv2OIxv2OOyIDov2v1RwUhtfC4miR4YpYJpfluQkuSKV6j449i58ZcW7pAeL1 yxWMZoxWOfoqiAXKMA6HMXCbo06ryAWrN80svtkPq9ZCvkuHl21es7Du/ooTxi4Pjq7z sX117/sQjMALIPFfx0OMKKrAAMfXiLKXFOhznxP3BCFvbVM2TZld5tqiN0rVR37HONiU tzdM9NXzGfoShu4YvJVIax+iAmzSST1VpAF18vCKADXaS6xZjy75zkeFSegFU5Enf+rp m06g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h10-20020a1709063c0a00b0073d7de9711dsi5487034ejg.650.2022.09.28.23.05.04; Wed, 28 Sep 2022 23:05:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234788AbiI2Fru (ORCPT + 99 others); Thu, 29 Sep 2022 01:47:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40216 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233992AbiI2Frt (ORCPT ); Thu, 29 Sep 2022 01:47:49 -0400 Received: from hust.edu.cn (mail.hust.edu.cn [202.114.0.240]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FEB71288A7 for ; Wed, 28 Sep 2022 22:47:47 -0700 (PDT) Received: from localhost.localdomain ([172.16.0.254]) (user=dzm91@hust.edu.cn mech=LOGIN bits=0) by mx1.hust.edu.cn with ESMTP id 28T5kZ33024682-28T5kZ36024682 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 29 Sep 2022 13:46:40 +0800 From: Dongliang Mu To: Dave Kleikamp Cc: Dongliang Mu , syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com, jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org Subject: [PATCH] fs: jfs: fix shift-out-of-bounds in dbAllocAG Date: Thu, 29 Sep 2022 13:44:59 +0800 Message-Id: <20220929054500.488604-1-dzm91@hust.edu.cn> X-Mailer: git-send-email 2.35.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-FEAS-AUTH-USER: dzm91@hust.edu.cn X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dongliang Mu Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The underlying bug is the missing check of bmp->db_agl2size. The field can be greater than 32 and trigger the shift-out-of-bounds. Fix this bug by adding a check of bmp->db_agl2size in dbMount since this field is used in many following functions. Note that, for maintainance, I reorganzie the error handling code of dbMount. Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu --- fs/jfs/jfs_dmap.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 6b838d3ae7c2..4c717f245920 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -155,7 +155,7 @@ int dbMount(struct inode *ipbmap) struct bmap *bmp; struct dbmap_disk *dbmp_le; struct metapage *mp; - int i; + int i, err; /* * allocate/initialize the in-memory bmap descriptor @@ -170,8 +170,8 @@ int dbMount(struct inode *ipbmap) BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage, PSIZE, 0); if (mp == NULL) { - kfree(bmp); - return -EIO; + err = -EIO; + goto err_kfree_bmp; } /* copy the on-disk bmap descriptor to its in-memory version. */ @@ -181,9 +181,8 @@ int dbMount(struct inode *ipbmap) bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); if (!bmp->db_numag) { - release_metapage(mp); - kfree(bmp); - return -EINVAL; + err = -EINVAL; + goto err_release_metapage; } bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel); @@ -194,6 +193,10 @@ int dbMount(struct inode *ipbmap) bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); + if (bmp->db_agl2size >= 32) { + err = -EINVAL; + goto err_release_metapage; + } for (i = 0; i < MAXAG; i++) bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]); bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize); @@ -214,6 +217,12 @@ int dbMount(struct inode *ipbmap) BMAP_LOCK_INIT(bmp); return (0); + +err_release_metapage: + release_metapage(mp); +err_kfree_bmp: + kfree(bmp); + return err; } -- 2.35.1