Received: by 2002:a05:7412:251c:b0:e2:908c:2ebd with SMTP id w28csp1797453rda; Tue, 24 Oct 2023 03:46:54 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGUoDyynGg2erQmDtbV7ojVyV60d+z5wfLeMQL5mCEkl1w/WIzz590XYLITd7fU/FBsMYvI X-Received: by 2002:a05:6a20:c102:b0:15c:b7ba:ea44 with SMTP id bh2-20020a056a20c10200b0015cb7baea44mr1963723pzb.60.1698144414522; Tue, 24 Oct 2023 03:46:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698144414; cv=none; d=google.com; s=arc-20160816; b=YtrfqzRBciNu6k74bXSZsbGRpxw1DLAvz4M52xn2wSyAs9l4MvfXUuud5zJid9oi8g Ry3j6t247qhXtDGhrvcirLmwp1Ref35RqfTVRg29O5o5o2LjBx5z/QL8LFhfmG4+2uDk A4Z9wPBI/qnUMxv93tlar7XtySFWGMxtx8HXYJJIXFHgqkWqIq4ngAPgVaLW8IgGtyVl QB9szMvKfy/F/7+hfSu9KCCf2l9xVrd91UvRNsgmq5Z4VqDqkKT3mPqoNXMLulvNtu49 e/PMOzSs8wRjBMTa+Ys6wH4d9zsswZdktIN0w7f9iH1UzZIhOeLEb4Vn6PAAGrl5Xs8N zpCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :message-id:subject:cc:to:from:date:dkim-signature; bh=0SpGzt5EPQBKeC5ysJFqlAOyND1HqZsJcmX27vUekos=; fh=Jk6Lsbd7L+i14BAxnTnJ/qc7gZ1L8YUOM24UQCuf9Kk=; b=M0xvVlGrmy+4QfXNfzk88zFM+iURZpcDwuPbJ1BDJB2Hee1Mtq0IKONwh3lgkZ7afD q0Du3FIlLlAgfw9op8OZdlFI6aeSK5Riv359XEeZ/45OhjRQvCCrHd1jJPh1UMUNlI8A 9H50srM26Zj4SITBbRcwNk5QQ5sstyb32Rnq/OXurN5hDb/gCI9fYxIs0eJwn1ogwKkP wVW8j2viS3BMefLtfjPJllTQJcdEZrf96sVmCqkNiF3rI8cp/olpYkn3B5Le7PD2nWmn QuA5EXVFs0fWztmVrBvaOdozSJsQaomhXRaMi28Q/96U7LRxUM1uoZI3inFCUOdh553q B0ag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=IiCW4XiU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id g21-20020a170902869500b001c9e3c866casi7811971plo.19.2023.10.24.03.46.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Oct 2023 03:46:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=IiCW4XiU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 7811A802FD03; Tue, 24 Oct 2023 03:46:53 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234283AbjJXKqq (ORCPT + 99 others); Tue, 24 Oct 2023 06:46:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34936 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234315AbjJXKqn (ORCPT ); Tue, 24 Oct 2023 06:46:43 -0400 Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3E8DD7E for ; Tue, 24 Oct 2023 03:46:39 -0700 (PDT) Received: by mail-wm1-x32a.google.com with SMTP id 5b1f17b1804b1-40839652b97so33786675e9.3 for ; Tue, 24 Oct 2023 03:46:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1698144398; x=1698749198; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:message-id:subject:cc :to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=0SpGzt5EPQBKeC5ysJFqlAOyND1HqZsJcmX27vUekos=; b=IiCW4XiUdZSNPzBj7xCjxINtjZMTVW1jjz1jTf0RozZ+lxMDFdd0bsZ/nhLk/dE6JA FP0/GPOCh6gU3Wwuc1tb6RdmZNB9+3hML8y4ENN/E3jfDKSPwCc9PDVDT2nvmmYISdEW NXTkcqIDcNwkJ9hrgLrQZvFd7fzSM51mQ82Rk2BurgDfksTNmSr4cItQ+wK0xfNFx/Aa X1UQvmtLvGPXBuM3RPO/eRCSQ+n2IXOvVDW/9VsTuiGmKuyB96yxkFvgt6ey1XS4eF5z F0rXsnlj6S5Jbtpk0Inpwc5u9HFii68Sc9ExQK/8aKdtzXtgc/D5tK7uREG9Imcq+sjy PMSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698144398; x=1698749198; h=in-reply-to:content-disposition:mime-version:message-id:subject:cc :to:from:date:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0SpGzt5EPQBKeC5ysJFqlAOyND1HqZsJcmX27vUekos=; b=op1WDLy9BWmCppVrZjRGAk2Nf0Zu+auwoCGfdV2R3Le3HKsfjA1FaObfz1h2lBA0zp F5DHEhb6Gyq6yVO+tEMx23m8avmrfiSFVcMZ4j3fy6rZAxJiiP4NJX+niJ7jpsrnZ/kn hjthzDc/seZcVr4VEyY3LBMsCzO62W7W1J9xI6a0YJ1H4CtyM6VUGM8aQb04vJ0uWPVE bn4n2tj3eWd9ZZlsCzSHDujpEE0H/b9/jQoj5z1BDpWyjjt188XF/XEPMnq9Erl9hUav xOhC4UjIJjvvE0CRcSeV9/NNYxT08Nhfof8SpI67jJDQcX6t5kcFg4lvPNRQXhtrtcwH bZ0w== X-Gm-Message-State: AOJu0YwgnqUkZVw4cBgrQVRkjZBGEKW3zIATooqNnTY+z3Xo4lFDMfrM p69ntS1j1stntvg29X2/4L9yhA== X-Received: by 2002:a05:600c:19d1:b0:405:3955:5881 with SMTP id u17-20020a05600c19d100b0040539555881mr9060319wmq.36.1698144397131; Tue, 24 Oct 2023 03:46:37 -0700 (PDT) Received: from localhost ([102.36.222.112]) by smtp.gmail.com with ESMTPSA id e23-20020adf9bd7000000b0032d893d8dc8sm9757680wrc.2.2023.10.24.03.46.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Oct 2023 03:46:36 -0700 (PDT) Date: Tue, 24 Oct 2023 13:46:33 +0300 From: Dan Carpenter To: oe-kbuild@lists.linux.dev, Manas Ghandat , dave.kleikamp@oracle.com, shaggy@kernel.org Cc: lkp@intel.com, oe-kbuild-all@lists.linux.dev, Manas Ghandat , Linux-kernel-mentees@lists.linuxfoundation.org, jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzbot+9924e2a08d9ba0fd4ce2@syzkaller.appspotmail.com Subject: Re: [PATCH] jfs: fix slab-out-of-bounds Read in dtSearch Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231016171130.15952-1-ghandatmanas@gmail.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 24 Oct 2023 03:46:53 -0700 (PDT) Hi Manas, kernel test robot noticed the following build warnings: https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Manas-Ghandat/jfs-fix-slab-out-of-bounds-Read-in-dtSearch/20231017-152500 base: https://github.com/kleikamp/linux-shaggy jfs-next patch link: https://lore.kernel.org/r/20231016171130.15952-1-ghandatmanas%40gmail.com patch subject: [PATCH] jfs: fix slab-out-of-bounds Read in dtSearch config: i386-randconfig-141-20231022 (https://download.01.org/0day-ci/archive/20231024/202310241724.Ed02yUz9-lkp@intel.com/config) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce: (https://download.01.org/0day-ci/archive/20231024/202310241724.Ed02yUz9-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot | Reported-by: Dan Carpenter | Closes: https://lore.kernel.org/r/202310241724.Ed02yUz9-lkp@intel.com/ smatch warnings: fs/jfs/jfs_dtree.c:636 dtSearch() warn: impossible condition '(stbl[index] > 128) => ((-128)-127 > 128)' vim +636 fs/jfs/jfs_dtree.c ^1da177e4c3f41 Linus Torvalds 2005-04-16 567 int dtSearch(struct inode *ip, struct component_name * key, ino_t * data, ^1da177e4c3f41 Linus Torvalds 2005-04-16 568 struct btstack * btstack, int flag) ^1da177e4c3f41 Linus Torvalds 2005-04-16 569 { ^1da177e4c3f41 Linus Torvalds 2005-04-16 570 int rc = 0; ^1da177e4c3f41 Linus Torvalds 2005-04-16 571 int cmp = 1; /* init for empty page */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 572 s64 bn; ^1da177e4c3f41 Linus Torvalds 2005-04-16 573 struct metapage *mp; ^1da177e4c3f41 Linus Torvalds 2005-04-16 574 dtpage_t *p; ^1da177e4c3f41 Linus Torvalds 2005-04-16 575 s8 *stbl; ^^^^^^^^ ^1da177e4c3f41 Linus Torvalds 2005-04-16 576 int base, index, lim; ^1da177e4c3f41 Linus Torvalds 2005-04-16 577 struct btframe *btsp; ^1da177e4c3f41 Linus Torvalds 2005-04-16 578 pxd_t *pxd; ^1da177e4c3f41 Linus Torvalds 2005-04-16 579 int psize = 288; /* initial in-line directory */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 580 ino_t inumber; ^1da177e4c3f41 Linus Torvalds 2005-04-16 581 struct component_name ciKey; ^1da177e4c3f41 Linus Torvalds 2005-04-16 582 struct super_block *sb = ip->i_sb; ^1da177e4c3f41 Linus Torvalds 2005-04-16 583 6da2ec56059c3c Kees Cook 2018-06-12 584 ciKey.name = kmalloc_array(JFS_NAME_MAX + 1, sizeof(wchar_t), 6da2ec56059c3c Kees Cook 2018-06-12 585 GFP_NOFS); 09aaa749f637b1 Joe Perches 2007-11-13 586 if (!ciKey.name) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 587 rc = -ENOMEM; ^1da177e4c3f41 Linus Torvalds 2005-04-16 588 goto dtSearch_Exit2; ^1da177e4c3f41 Linus Torvalds 2005-04-16 589 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 590 ^1da177e4c3f41 Linus Torvalds 2005-04-16 591 ^1da177e4c3f41 Linus Torvalds 2005-04-16 592 /* uppercase search key for c-i directory */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 593 UniStrcpy(ciKey.name, key->name); ^1da177e4c3f41 Linus Torvalds 2005-04-16 594 ciKey.namlen = key->namlen; ^1da177e4c3f41 Linus Torvalds 2005-04-16 595 ^1da177e4c3f41 Linus Torvalds 2005-04-16 596 /* only uppercase if case-insensitive support is on */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 597 if ((JFS_SBI(sb)->mntflag & JFS_OS2) == JFS_OS2) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 598 ciToUpper(&ciKey); ^1da177e4c3f41 Linus Torvalds 2005-04-16 599 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 600 BT_CLR(btstack); /* reset stack */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 601 ^1da177e4c3f41 Linus Torvalds 2005-04-16 602 /* init level count for max pages to split */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 603 btstack->nsplit = 1; ^1da177e4c3f41 Linus Torvalds 2005-04-16 604 ^1da177e4c3f41 Linus Torvalds 2005-04-16 605 /* ^1da177e4c3f41 Linus Torvalds 2005-04-16 606 * search down tree from root: ^1da177e4c3f41 Linus Torvalds 2005-04-16 607 * ^1da177e4c3f41 Linus Torvalds 2005-04-16 608 * between two consecutive entries of and of ^1da177e4c3f41 Linus Torvalds 2005-04-16 609 * internal page, child page Pi contains entry with k, Ki <= K < Kj. ^1da177e4c3f41 Linus Torvalds 2005-04-16 610 * ^1da177e4c3f41 Linus Torvalds 2005-04-16 611 * if entry with search key K is not found ^1da177e4c3f41 Linus Torvalds 2005-04-16 612 * internal page search find the entry with largest key Ki ^1da177e4c3f41 Linus Torvalds 2005-04-16 613 * less than K which point to the child page to search; ^1da177e4c3f41 Linus Torvalds 2005-04-16 614 * leaf page search find the entry with smallest key Kj ^1da177e4c3f41 Linus Torvalds 2005-04-16 615 * greater than K so that the returned index is the position of ^1da177e4c3f41 Linus Torvalds 2005-04-16 616 * the entry to be shifted right for insertion of new entry. ^1da177e4c3f41 Linus Torvalds 2005-04-16 617 * for empty tree, search key is greater than any key of the tree. ^1da177e4c3f41 Linus Torvalds 2005-04-16 618 * ^1da177e4c3f41 Linus Torvalds 2005-04-16 619 * by convention, root bn = 0. ^1da177e4c3f41 Linus Torvalds 2005-04-16 620 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 621 for (bn = 0;;) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 622 /* get/pin the page to search */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 623 DT_GETPAGE(ip, bn, mp, psize, p, rc); ^1da177e4c3f41 Linus Torvalds 2005-04-16 624 if (rc) ^1da177e4c3f41 Linus Torvalds 2005-04-16 625 goto dtSearch_Exit1; ^1da177e4c3f41 Linus Torvalds 2005-04-16 626 ^1da177e4c3f41 Linus Torvalds 2005-04-16 627 /* get sorted entry table of the page */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 628 stbl = DT_GETSTBL(p); ^1da177e4c3f41 Linus Torvalds 2005-04-16 629 ^1da177e4c3f41 Linus Torvalds 2005-04-16 630 /* ^1da177e4c3f41 Linus Torvalds 2005-04-16 631 * binary search with search key K on the current page. ^1da177e4c3f41 Linus Torvalds 2005-04-16 632 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 633 for (base = 0, lim = p->header.nextindex; lim; lim >>= 1) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 634 index = base + (lim >> 1); ^1da177e4c3f41 Linus Torvalds 2005-04-16 635 7812e358b5edde Manas Ghandat 2023-10-16 @636 if (stbl[index] > 128 || stbl[index] < 0) If it's stbl is an s8 so it can't be > 128. 7812e358b5edde Manas Ghandat 2023-10-16 637 goto out; 7812e358b5edde Manas Ghandat 2023-10-16 638 ^1da177e4c3f41 Linus Torvalds 2005-04-16 639 if (p->header.flag & BT_LEAF) { ^1da177e4c3f41 Linus Torvalds 2005-04-16 640 /* uppercase leaf name to compare */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 641 cmp = ^1da177e4c3f41 Linus Torvalds 2005-04-16 642 ciCompare(&ciKey, p, stbl[index], ^1da177e4c3f41 Linus Torvalds 2005-04-16 643 JFS_SBI(sb)->mntflag); ^1da177e4c3f41 Linus Torvalds 2005-04-16 644 } else { ^1da177e4c3f41 Linus Torvalds 2005-04-16 645 /* router key is in uppercase */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 646 ^1da177e4c3f41 Linus Torvalds 2005-04-16 647 cmp = dtCompare(&ciKey, p, stbl[index]); -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki