Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
From:   Siddh Raman Pant <code@siddh.me>
To:     Dave Kleikamp <dave.kleikamp@oracle.com>,
        Hoi Pok Wu <wuhoipok@gmail.com>,
        Liu Shixin <liushixin2@huawei.com>,
        Dongliang Mu <mudongliangabcd@gmail.com>
Cc:     jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org,
        syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com,
        stable@vger.kernel.org
Message-ID: <20230619131644.118332-1-code@siddh.me>
Subject: [PATCH v2] jfs: jfs_dmap: Validate db_l2nbperpage while mounting
Date:   Mon, 19 Jun 2023 18:46:44 +0530
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf8
Precedence: bulk

In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
number inside dbFree(). db_l2nbperpage, which is the log2 number of
blocks per page, is passed as an argument to BLKTODMAP which uses it
for shifting.

Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
too big. This happens because the large value is set without any
validation in dbMount() at line 181.

Thus, make sure that db_l2nbperpage is correct while mounting.

Max number of pages =3D Page size / Min block size
=3D> log2(Max number of pages) =3D log2(Page size / Min block size)
=09=09=09     =3D log2(Page size) - log2(Min block size)

=3D> Max db_l2nbperpage =3D L2PSIZE - L2MINBLOCKSIZE

Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.c=
om
Closes: https://syzkaller.appspot.com/bug?id=3D2a70a453331db32ed491f5cbb07e=
81bf2d225715
Cc: stable@vger.kernel.org
Suggested-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Siddh Raman Pant <code@siddh.me>
---
Changes in v2:
- Fix upper bound as pointed out in v1 by Shaggy.
- Add an explanation for the same in commit message for completeness.

 fs/jfs/jfs_dmap.c   | 6 ++++++
 fs/jfs/jfs_filsys.h | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a3eb1e826947..da6a2bc6bf02 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -178,7 +178,13 @@ int dbMount(struct inode *ipbmap)
 =09dbmp_le =3D (struct dbmap_disk *) mp->data;
 =09bmp->db_mapsize =3D le64_to_cpu(dbmp_le->dn_mapsize);
 =09bmp->db_nfree =3D le64_to_cpu(dbmp_le->dn_nfree);
+
 =09bmp->db_l2nbperpage =3D le32_to_cpu(dbmp_le->dn_l2nbperpage);
+=09if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
+=09=09err =3D -EINVAL;
+=09=09goto err_release_metapage;
+=09}
+
 =09bmp->db_numag =3D le32_to_cpu(dbmp_le->dn_numag);
 =09if (!bmp->db_numag) {
 =09=09err =3D -EINVAL;
diff --git a/fs/jfs/jfs_filsys.h b/fs/jfs/jfs_filsys.h
index b5d702df7111..33ef13a0b110 100644
--- a/fs/jfs/jfs_filsys.h
+++ b/fs/jfs/jfs_filsys.h
@@ -122,7 +122,9 @@
 #define NUM_INODE_PER_IAG=09INOSPERIAG
=20
 #define MINBLOCKSIZE=09=09512
+#define L2MINBLOCKSIZE=09=099
 #define MAXBLOCKSIZE=09=094096
+#define L2MAXBLOCKSIZE=09=0912
 #define=09MAXFILESIZE=09=09((s64)1 << 52)
=20
 #define JFS_LINK_MAX=09=090xffffffff
--=20
2.39.2