From: Manas Ghandat
Date: Thu, 31 Aug 2023 20:49:09 +0530
Subject: Re: [PATCH] jfs: fix array-index-out-of-bounds in dbFindLeaf
To: Dave Kleikamp, shaggy@kernel.org, liushixin2@huawei.com
Cc: linux-kernel@vger.kernel.org, jfs-discussion@lists.sourceforge.net, Linux-kernel-mentees@lists.linuxfoundation.org, syzbot+aea1ad91e854d0a83e04@syzkaller.appspotmail.com
References: <20230829165244.460154-1-ghandatmanas@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

I was wondering if we could implement a get_tree_size macro wherein we could find the tree size so that we can do the comparison. Since the tp->dmt_stree is an array we can get its size and fix the out of bounds. Would this thing work?

On 30/08/23 00:08, Dave Kleikamp wrote:
> This won't work. dbFindLeaf() can be called from dbFindCtl() with
> struct dmapctl whose stree index can be as high as CTLTREESIZE which
> is larger than TREESIZE. A check against CTLTREESIZE might be better
> than nothing at all but won't necessarily detect an overflow.
> Currently, dbFindLeaf doesn't have anything to tell it which tree it
> is working on.
>
> We could pass in the treesize as an argument to dbFindCtl() if we
> can't come up with something simpler.
>
> Shaggy
>
>>
>> Signed-off-by: Manas Ghandat
>> Reported-by: syzbot+aea1ad91e854d0a83e04@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=aea1ad91e854d0a83e04
>> ---
>>   fs/jfs/jfs_dmap.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
>> index a14a0f18a4c4..5af17b2287be 100644
>> --- a/fs/jfs/jfs_dmap.c
>> +++ b/fs/jfs/jfs_dmap.c
>> @@ -2948,6 +2948,10 @@ static int dbFindLeaf(dmtree_t * tp, int l2nb, >> int *leafidx) >>               /* sufficient free space found.  move to the next >>                * level (or quit if this is the last level). >>                */ >> + >> +            if (x + n > TREESIZE) >> +                return -ENOSPC; >> + >>               if (l2nb <= tp->dmt_stree[x + n]) >>                   break; >>           }
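Review bot: the new bound check is off by one and, as the reply above says, keyed to a single tree size. `x + n` is used as the index into `tp->dmt_stree` on the very next line, so if that array has TREESIZE entries the last valid index is TREESIZE - 1, and `if (x + n > TREESIZE)` still lets `x + n == TREESIZE` through to read one element past the end; the comparison should be `>=`. The constant itself is also only right for a struct dmap caller: dbFindLeaf() is reached from dbFindCtl() with a struct dmapctl whose stree has CTLTREESIZE entries, so a hard-coded TREESIZE rejects valid indices for that path while a CTLTREESIZE bound would not catch an overflow on a dmap; compare against the size of the tree actually being walked, passed in by the caller or derived from the tree type. Minor style point: the check is inserted between the comment "sufficient free space found. move to the next level" and the `if (l2nb <= tp->dmt_stree[x + n])` it describes; put the check above the comment so the comment stays attached to its statement.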
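To show why Dave's "pass in the tree size" suggestion is needed, here is an added, self-contained model of the walk (not the kernel's code and not the patch): it uses the same quad-tree indexing, but the leaf counts, the max-of-children summary rule and the names find_leaf, build_tree and model_lookup are all assumptions made for this example. It demonstrates that a bound of the caller's actual tree size accepts a valid dmapctl lookup that a hard-coded TREESIZE rejects, and still stops the walk when an on-disk height is larger than the tree, which is the corrupt-image case syzbot reported.

```c
#include <stdint.h>

#define LPERDMAP    256                               /* assumed dmap leaves, height 4 */
#define LPERCTL     1024                              /* assumed dmapctl leaves, height 5 */
#define TREESIZE    (1 + 4 + 16 + 64 + LPERDMAP)      /* 341 nodes (model, not kernel) */
#define CTLTREESIZE (1 + 4 + 16 + 64 + 256 + LPERCTL) /* 1365 nodes (model, not kernel) */

/* Quad-tree of log2 free-extent sizes (root 0, children of m at 4m+1..4m+4).
 * 'bound' is the caller-supplied size of stree[], checked with >= so that
 * index 'bound' itself is never read. Returns 0 found, -1 no space, -2 overflow. */
static int find_leaf(const int8_t *stree, int height, int bound, int l2nb, int *leafidx)
{
    int k, ti, n = 0, x = 0;
    for (k = 0, ti = 1; k < height; k++, ti = ((ti + n) << 2) + 1) {
        for (x = ti, n = 0; n < 4; n++) {
            if (x + n >= bound)          /* corrupt height or wrong bound */
                return -2;
            if (l2nb <= stree[x + n])
                break;
        }
        if (n == 4)
            return -1;
    }
    *leafidx = x + n - ((1 << (2 * height)) - 1) / 3; /* minus first leaf index */
    return 0;
}

/* Tree of 'height' levels in which only leaf free_leaf holds 2^l2 blocks,
 * the value carried up through its ancestors to the root (simplified summary). */
static void build_tree(int8_t *stree, int height, int free_leaf, int8_t l2)
{
    int nleafs = 1 << (2 * height), i;
    for (i = 0; i < (4 * nleafs - 1) / 3; i++)
        stree[i] = -1;
    for (i = (nleafs - 1) / 3 + free_leaf; i >= 0; i = i ? (i - 1) / 4 : -1)
        stree[i] = l2;                   /* leaf, then each parent, then root */
}

/* search_height > build_height models the corrupt on-disk dmap syzbot hit;
 * bound == TREESIZE on a height-5 tree models the patch's fixed check reached
 * from a dmapctl caller. Returns the leaf index on success, else -1 or -2. */
static int model_lookup(int build_height, int search_height, int bound, int free_leaf)
{
    static int8_t stree[CTLTREESIZE];
    int idx, rc;
    build_tree(stree, build_height, free_leaf, 3);
    rc = find_leaf(stree, search_height, bound, 3, &idx);
    return rc ? rc : idx;
}
```

The backing buffer is always CTLTREESIZE bytes, so in this model a missing check would read stale bytes rather than crash; the return code, not a sanitizer, is what shows the overflow.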