From: Edward AD
To: syzbot+4a2376bc62e59406c414@syzkaller.appspotmail.com
Cc: akpm@linux-foundation.org, hughd@google.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] fs/hfsplus: expand s_vhdr_buf size to avoid slab oob
Date: Tue, 26 Sep 2023 18:24:55 +0800
Message-ID: <20230926102454.992535-2-twuufnxlz@gmail.com>
In-Reply-To: <000000000000820e380606161640@google.com>

The memory allocated to s_vhdr_buf in the function hfsplus_read_wrapper is too small, resulting in a slab out-of-bounds issue when copying data with copy_page_from_iter_atomic. When allocating memory to s_vhdr_buf, take the maximum value between hfsplus_min_io_size(sb) and PAGE_SIZE to avoid similar issues.

Reported-and-tested-by: syzbot+4a2376bc62e59406c414@syzkaller.appspotmail.com
Signed-off-by: Edward AD
--- fs/hfsplus/wrapper.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/hfsplus/wrapper.c b/fs/hfsplus/wrapper.c index 0b791adf02e5..56bee8dbe532 100644 --- a/fs/hfsplus/wrapper.c +++ b/fs/hfsplus/wrapper.c
@@ -163,7 +163,7 @@ int hfsplus_read_wrapper(struct super_block *sb) struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb); struct hfsplus_wd wd; sector_t part_start, part_size; - u32 blocksize; + u32 blocksize, bufsize; int error = 0; error = -EINVAL; @@ -175,10 +175,11 @@ int hfsplus_read_wrapper(struct super_block *sb) goto out; error = -ENOMEM; - sbi->s_vhdr_buf = kmalloc(hfsplus_min_io_size(sb), GFP_KERNEL); + bufsize = max_t(u32, hfsplus_min_io_size(sb), PAGE_SIZE); + sbi->s_vhdr_buf = kmalloc(bufsize, GFP_KERNEL); if (!sbi->s_vhdr_buf) goto out; - sbi->s_backup_vhdr_buf = kmalloc(hfsplus_min_io_size(sb), GFP_KERNEL); + sbi->s_backup_vhdr_buf = kmalloc(bufsize, GFP_KERNEL); if (!sbi->s_backup_vhdr_buf) goto out_free_vhdr; -- 2.25.1
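
Review bot: in the first hunk, `u32 blocksize, bufsize;` gives `bufsize` a 32-bit type although it is only ever passed to kmalloc(), whose size argument is size_t, and it is computed from PAGE_SIZE. Declaring it as size_t and using `max_t(size_t, hfsplus_min_io_size(sb), PAGE_SIZE)` would match the allocator's type and drop the narrowing cast.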
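
Review bot: in the second hunk, `bufsize = max_t(u32, hfsplus_min_io_size(sb), PAGE_SIZE);` raises both allocations to at least PAGE_SIZE, but nothing in the hunk or the commit message says why PAGE_SIZE is the correct bound for writes into s_vhdr_buf and s_backup_vhdr_buf. The commit message places the overrun in copy_page_from_iter_atomic, so the length of that write is decided outside this function; please name the path that copies up to a page into these buffers in a comment above the assignment and in the changelog, and explain why limiting that copy to the allocated size is not the better fix. As written, the patch is only safe if no writer can exceed PAGE_SIZE, and that assumption is not documented anywhere in the change.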