Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <6284256f-dacc-e287-fe07-377491f87ca3@oracle.com>
Date:   Fri, 16 Jun 2023 17:16:09 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.12.0
Subject: Re: [PATCH] jfs: jfs_dmap: Validate db_l2nbperpage while mounting
Content-Language: en-US
To:     Siddh Raman Pant <code@siddh.me>,
        Dongliang Mu <mudongliangabcd@gmail.com>,
        Liu Shixin <liushixin2@huawei.com>,
        Hoi Pok Wu <wuhoipok@gmail.com>
Cc:     jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org,
        Anup Sharma <anupnewsmail@gmail.com>,
        syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com,
        stable@vger.kernel.org
References: <20230605140151.635604-1-code@siddh.me>
From:   Dave Kleikamp <dave.kleikamp@oracle.com>
In-Reply-To: <20230605140151.635604-1-code@siddh.me>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?aHh3ZXkzSVVBVFdUV0FSdC95allVSXFib3JmV1Y3TVRySUVXSi9vVFA2TVB3?=
 =?utf-8?B?L3JkcTBzVDlvOHVJOHhYV3NhUnRDUENqSDNibC9OZFZOeEpOa1JMT2xLcldX?=
 =?utf-8?B?eGRKTnlVVVptSjFXSjhBRzRiNzE5NVIrR2Z0OHZ3MkxocUVCV1NJemJQOHdS?=
 =?utf-8?B?bHFnY3RmcEwvR2J5dDh5VE1OSmJhN29NQlJFTHRYdWVpYTU0NW5Jd1JDTG9I?=
 =?utf-8?B?b1UybVZjTVRRSncxcXh6bUp3RkZHaW1kdVRtRHA1TFBRbHZNV2tXK1NJbHBB?=
 =?utf-8?B?YXdVMU80N2xkaGVrMW9zdjkrUjBWNEk5NGN0VjNleVVnNHczR29YdFViNXhM?=
 =?utf-8?B?WVlzTmpTZmsvY21DV1M1K1BGUkpaY0trR2M2TjlqWGxXeWlveDk4UVpjNC9t?=
 =?utf-8?B?UzhXR3E1NWRjRGprakd1VnZ2cm05ek8ybDgxVTVSNGU5WUZaOGlURkFRcjdn?=
 =?utf-8?B?eHRHZnMvVlFEeDJUZER6cWtROFR6WTRIVW11UDM3WnZ1Z3ZHQnRoSWRERWZr?=
 =?utf-8?B?Z3JpWUEyL3hzZmU2Q2YvQ2w1Z1h5dU44WWlDcEplSUF1d0xjZDdVNU9aUVdU?=
 =?utf-8?B?WW1qaDB6QXY2V3g5S3N3L2RadHJFaGtQVzFSek9UWFFoZ1YwSGpoQWdkVVBP?=
 =?utf-8?B?VHcrRVdzNGJ5K0Zib2c5VE9MdERQUkdHNFhtTERlM0xkbHg0bHE5RVVUa3R3?=
 =?utf-8?B?M1R6MkdvOG5hNFFLbzNlS2hzS29seXN0QloxN25tT05UUktyWngrUk8xYk1P?=
 =?utf-8?B?Y3hvUXBnNHRFTkNQNjZ5bWVPbzN3Wm5qaVdlTEcrYjhpUWlWa09hVDVxclVN?=
 =?utf-8?B?MDl0VStjRnBHczhTaTIrMTJtOFpUVjZzYzd4VWxnZWtlN2N6YkZiUFIyTmgr?=
 =?utf-8?B?YWZFTnJwMzRrcnlZanpnNjhKM1dUejBJWjZiTGZUTFozU2R4L1F3QStaT3dG?=
 =?utf-8?B?ZWlzc3MrR3dWN0lnYUVGTmU3NjZLaXhwT0VSS1lkbys3dzkxc1dEM0NDeDFi?=
 =?utf-8?B?U2JLTXk5aURpUEU3OG1CSzJxQzV1TFlacWNtMHRpTDNtZ3hSdSs4S09UMlVV?=
 =?utf-8?B?VXZvMW95WCtvQWplaGVoNFdCWkROYWZQYnRKWlVPd01WZHU0bzJDaDd2Wk1k?=
 =?utf-8?B?c05JSVJQM0g3TnpzR1lTMXQ3UTlmWWs1SXFzVE1qODZrNkRmR1Y1b0Q2MFl4?=
 =?utf-8?B?TzBvbjZKM3hob2NnanZ3elJVZHowSEpLcGZoWWU0U1ZPeS9EYVpLSUNmNEVq?=
 =?utf-8?B?MGJCZDhBL3BTN0FzSkJybnM2L2pPSi9BbEk5Zlo0eWpwcUtqeGlLdmZqLzRR?=
 =?utf-8?B?VEMzVW0zTzJHcldLUVFuWGpHNVZ0Uk53MFpwd0p5ZUFFOHJuOW4vMUpiYWFa?=
 =?utf-8?B?a29mSHZlK1VGSDBlenNlU2ZhYU4rOGNIY1hnRVJIUU50Q3pjRi9jTWVFa2xt?=
 =?utf-8?B?dUdseVEzeHB4ZjFsRHZmTmNDbWVsTTEzZTBKTWpWSWVmb3I1ZGQzVXFxcHRU?=
 =?utf-8?B?bm9JYmRwaVdIMFFEWWhObjMvdkQ2K1ZsYnVIdm1LUDNiVHJsVGRkRVBxUEtp?=
 =?utf-8?B?YmlUMmozdnNtRjRlL0VqTW01SXg3R0J5MXJlUzhsVTlDWXYwSzBMK1g5Zmsw?=
 =?utf-8?B?MnJSekVpem5YdnRBOEtvb09NNjFmWW9KUERNTER0Qlg1YSs4MjdDNHF6bzlx?=
 =?utf-8?B?czlPWU5JYzZJc09oN2RiRWlKV09MNDl0Y1RSUjR4Y040NEJZK0xHNVFsVmJh?=
 =?utf-8?B?SG9HalZ2MysyQkQvSWdxSSthMFVJaEpBVytQSlYyWWF3dVRrVHNWVTRnMFZS?=
 =?utf-8?B?SisyRWpnUWdwS0pwcmRRZmhQRTZBMWora05ibVFpbEpWTDk0Ty85M2dyY3hT?=
 =?utf-8?B?aDd5UHRQemFMckFKRG5kd05DZUJ4NmVhdlI3QnJwOGpaZTQvdlB2akUyY1c0?=
 =?utf-8?B?clF4WDFuRlIveDRzNFdwVnNMcFFibnRqK0FLQnRPQ21SaTdTcHEyVEJ4WmRB?=
 =?utf-8?B?K2FSZldkak9DZEYzZ1VZNDFIMnRRYU9sRGFLbFFmT1k4SnY0eXZZYW92dWgx?=
 =?utf-8?B?SnlUOEwzcWh2d3ZkK0I0M0FuVWh6RjIyWkM4QjdFTGxyeXUvRnhlWC9FSi9t?=
 =?utf-8?B?c2RsaGxkZXh1aGZweGhIYUp5VjVEMjlJR2FrTlZ1TzN0OE1NWmM5Z0R2NG9h?=
 =?utf-8?B?Vmc9PQ==?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: =?utf-8?B?aDN5VzdJd1FIWE9uaUk3S3FjWjlYSHV6ZmV5d3U0TUJjOGROemVZU2U2aWNO?=
 =?utf-8?B?V0QvOHJsV292R2RWcVhJM0phdXB1VHRWaUNLMVZla0hIeitDYkU3eXZFcTFG?=
 =?utf-8?B?bHV2bW1kT0pYd1c1WVdqWEE0dHNjcm10QzhtTUhXOTJkU2JBQ1J3TTUrOXZ0?=
 =?utf-8?B?SG5RTm1ORW02YS9VRkprOUxZU0x2K0sweUtSdEEybVNESGtIOFRjTFJTUzdq?=
 =?utf-8?B?WU13WVBtUUpEOHJJQjZtOElqTS9MWUpFdDFJOGhaWnFCWWIwajhmbDR3TE1l?=
 =?utf-8?B?cEhONkgwaGh5eGNaY2haVHVZVjVvNmJVZkJ5U3ZCdDY4QjZhaTNPdGhHcmc3?=
 =?utf-8?B?QUdramxlVUcxSTU4N1M5bFZaTlVBMGgveVJCanVKTUdIZEFlb1VRakoxc0Fa?=
 =?utf-8?B?ZlVLWEFldkFIZGgrOUdLeXB1OG96WStEYmRaUVFkUjdsTmFZVTdNVjlaQUJ0?=
 =?utf-8?B?ZW40S3Q4UkhRcnNRazNjeFo4WE5uNlMwM0VGTEZRMW92eVZCZ3hOVTJGdXZo?=
 =?utf-8?B?TG9ldnhVUnBPTzROSWtJaTdoYlV5UWpWSzRQRG13cFNva0x6ME82M1NMOHNk?=
 =?utf-8?B?ekZmdWRuQndjY3pHUnVGWmx2cXFHNS83TmFzN2R5SExpM0ZsUnNDOHMvMHhj?=
 =?utf-8?B?RUF5RW82b0RER1FqbXlDaEhzTSs3ZVcvT28vT0p6N3E2OVNxUTRTWnJkb0RZ?=
 =?utf-8?B?Nmg3WVJNNTRIR0pzWkVLWnNEblA5eEtlZ2Z2Y1pNOU1NTzRIVmNmRXNKanl4?=
 =?utf-8?B?SjBYNjJrOHoyRzNpbkRGbjJSU0RhbDlMOHFsdXR0TFIraHBsOGpIUURGZXUv?=
 =?utf-8?B?bFE0SU40UGFmcm1CQVJweWlJSjFzSnp1bHNjL3lRTWI0aFFIUjNqdHA0WjJm?=
 =?utf-8?B?MjZjUVE4ZmJoaVp6bExtOXQ3T0hIa1V1WXZhQnJXYzFaS2FPQmthMXlCdDdh?=
 =?utf-8?B?ZjJyY3RYSXdKK0NJNDVmTDh6amV4dVd2NXhVdys1SlJ0b0tzTmN3eUpDSVAr?=
 =?utf-8?B?d3Vvb1JBZVd2K0JrdVQ1VXRYYnh6YU1JL2RqWStWTDRjL1hZdk01SlFpbWRu?=
 =?utf-8?B?Ti9jNXZOVHh5QjZQOWwzcFBtcUlmMlV0T3Y1d09CMy8rSFBKVmJRdDdVVGxt?=
 =?utf-8?B?WUdGelo4aFJORWxWS3NwcllBWmR6aGZlSDBmVWdNQXN1QzdweUZZNm01SjFE?=
 =?utf-8?B?MHNNcTBHSDNnY2UvcU1zOFRaOVc0VDFFT2pzNEFmMU9jaTlzcTRxQStlRk1G?=
 =?utf-8?B?OGdSUlNUTG9WczQ3U3UvUW54NW1OYlFKVGpDMVk5RVlyTWtLQT09?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9653caac-14d8-4a6a-afc5-08db6eb74b53
X-MS-Exchange-CrossTenant-AuthSource: MW5PR10MB5738.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Jun 2023 22:16:12.9634
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: yi4i+kjO/S3Ee3omobRY+vbu15CD/5gubHSTpEJ4hX/nNrek/CXKG0pPmlUslJFZy8L+fnO8FL+fXY0/ZGiOoouDnrZqCsfdLKPWKtGxCII=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CYYPR10MB7652
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26
 definitions=2023-06-16_14,2023-06-16_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 malwarescore=0
 suspectscore=0 mlxlogscore=944 mlxscore=0 phishscore=0 spamscore=0
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2305260000 definitions=main-2306160202
X-Proofpoint-ORIG-GUID: t46Huv8pjs1cWPyqeeSewCWbFf56aB2a
X-Proofpoint-GUID: t46Huv8pjs1cWPyqeeSewCWbFf56aB2a
X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 6/5/23 9:01AM, Siddh Raman Pant wrote:
> In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
> number inside dbFree(). db_l2nbperpage, which is the log2 number of
> blocks per page, is passed as an argument to BLKTODMAP which uses it
> for shifting.
> 
> Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
> too big. This happens because the large value is set without any
> validation in dbMount() at line 181.
> 
> Thus, make sure that db_l2nbperpage is correct while mounting.
> 
> Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
> Cc: stable@vger.kernel.org
> Signed-off-by: Siddh Raman Pant <code@siddh.me>
> ---
>   fs/jfs/jfs_dmap.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index a3eb1e826947..62f058822a3a 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -178,7 +178,13 @@ int dbMount(struct inode *ipbmap)
>   	dbmp_le = (struct dbmap_disk *) mp->data;
>   	bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize);
>   	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
> +
>   	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
> +	if (bmp->db_l2nbperpage > L2MAXL0SIZE) {

Actually the sanity check should be much smaller. The maximum value 
should be L2PSIZE - log2(MINBLOCKSIZE). In reality, I think it's always 
zero.

Shaggy

> +		err = -EINVAL;
> +		goto err_release_metapage;
> +	}
> +
>   	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
>   	if (!bmp->db_numag) {
>   		err = -EINVAL;