From: Liao Chang
To:
CC:
Subject: [PATCH] jfs: Fix shift-out-of-bounds in jfs_statfs
Date: Wed, 16 Nov 2022 09:36:00 +0800
Message-ID: <20221116013600.77906-1-liaochang1@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzkaller reports the issue as follows:

UBSAN: shift-out-of-bounds in fs/jfs/super.c:140:14
shift exponent -236023038 is negative
CPU: 0 PID: 3985 Comm: syz-executor.4 Not tainted 6.1.0-rc2-syzkaller #0
Hardware name: Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322
 jfs_statfs+0x503/0x510 fs/jfs/super.c:140
 statfs_by_dentry fs/statfs.c:66
 vfs_statfs+0x136/0x310 fs/statfs.c:90
 user_statfs fs/statfs.c:105
 __ubsan_handle_shift_out_of_bounds
 __do_sys_statfs fs/statfs.c:195
 __se_sys_statfs fs/statfs.c:192
 __x64_sys_statfs+0x120/0x230 fs/statfs.c:192
 do_syscall_x64 arch/x86/entry/common.c:50
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The on-disk inode map control structure contains a number that indicates
the log2 number of blocks per inode extent, which will be used as the
shift to calculate the number of free blocks in jfs_statfs, so it needs
to ensure the on-disk log2 number is positive and less than 64 on JFS
mount.

Reported-by: syzbot+3424c9550a49659f1704@syzkaller.appspotmail.com
Signed-off-by: Liao Chang
---
 fs/jfs/jfs_imap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index 799d3837e7c2..1ff632c55acf 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -124,6 +124,12 @@ int diMount(struct inode *ipimap) atomic_set(&imap->im_numfree, le32_to_cpu(dinom_le->in_numfree)); imap->im_nbperiext = le32_to_cpu(dinom_le->in_nbperiext); imap->im_l2nbperiext = le32_to_cpu(dinom_le->in_l2nbperiext); + if (imap->im_l2nbperiext < 0 || + imap->im_l2nbperiext >= sizeof(s64) * 8) { + kfree(imap); + return -EINVAL; + } + for (index = 0; index < MAXAG; index++) { imap->im_agctl[index].inofree = le32_to_cpu(dinom_le->in_agctl[index].inofree);
--
2.17.1
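Review bot: the new early return does a bare kfree(imap) and returns -EINVAL, but whatever dinom_le was read from, and anything else diMount() acquired before this point, lies outside the hunk; please confirm that this path releases those resources too, or route the failure through the function's existing error unwind instead of a local kfree/return. Two smaller points on the condition itself: the commit message says the exponent must be "positive" while `imap->im_l2nbperiext < 0 ||` admits 0, so the message and the check should agree; and since in_nbperiext is decoded two lines earlier, a stronger and equally cheap check is that im_nbperiext equals 1 shifted by im_l2nbperiext, which also rejects exponents that are inside [0, 64) but do not match the extent size.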
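An added example, not code from the patch or from the JFS sources, that applies the validation the commit message describes to a constructed copy of the two on-disk fields (nbperiext at offset 0, l2nbperiext at offset 4, both assumed 32-bit little-endian): it enforces the patch's exponent bound and goes one step further by requiring the two fields to agree. The field layout, function names and sample bytes are assumptions.

```c
/* Added example, not part of the patch or of the JFS sources: a stand-alone
 * validator for the on-disk "log2 blocks per inode extent" field that
 * diMount() reads, showing the range check the patch adds plus a
 * cross-check against the companion nbperiext field.  Field offsets and
 * sample bytes are constructed for illustration. */
#include <stdint.h>

#define SHIFT_BITS 64U   /* the exponent is applied to a 64-bit counter */

/* Decode a 32-bit little-endian field, as le32_to_cpu() would. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and stores the exponent if the pair (nbperiext at offset 0,
 * l2nbperiext at offset 4) is safe to use as a shift, 0 if corrupt.
 * Assumption (from the field names): nbperiext == 1 << l2nbperiext. */
int imap_exponent_ok(const unsigned char *ctl, int *l2_out)
{
    uint32_t nb  = rd_le32(ctl);
    uint32_t raw = rd_le32(ctl + 4);

    /* Treated as unsigned, one comparison rejects both "negative" bit
     * patterns (e.g. the -236023038 in the report) and values >= 64. */
    if (raw >= SHIFT_BITS)
        return 0;
    /* In range but inconsistent with nbperiext: still corrupt. */
    if (raw >= 32 || nb != (1U << raw))
        return 0;
    *l2_out = (int)raw;
    return 1;
}

/* Only shift once validation has passed; -1 signals a bad control block. */
int64_t free_extent_estimate(const unsigned char *ctl, int64_t nfree_blocks)
{
    int l2;
    if (!imap_exponent_ok(ctl, &l2))
        return -1;
    return nfree_blocks >> l2;
}

/* Constructed samples: nb=32/l2=5 (good); l2 bytes 02 93 EE F1, i.e. the
 * reported -236023038 (bad); l2=63, inside the patch's bound but
 * inconsistent with nb=32 (also rejected here). */
const unsigned char good_ctl[8] = {0x20, 0, 0, 0, 5, 0, 0, 0};
const unsigned char bad_ctl[8]  = {0x20, 0, 0, 0, 0x02, 0x93, 0xEE, 0xF1};
const unsigned char big_ctl[8]  = {0x20, 0, 0, 0, 63, 0, 0, 0};
```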