| From c4f95f04a8e9ad610455324a1ebe532180854301 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 24 Apr 2025 00:13:51 +0200 |
| Subject: jfs: upper bound check of tree index in dbAllocAG |
| |
| From: Arnaud Lecomte <contact@arnaud-lcm.com> |
| |
| [ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ] |
| |
| When computing the tree index in dbAllocAG, we never check whether it is |
| out of bounds relative to the size of the stree. |
| This could happen in a scenario where the filesystem metadata are |
| corrupted. |
| |
| Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com |
| Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e |
| Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com |
| Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> |
| Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/jfs/jfs_dmap.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c |
| index 5a877261c3fe..cdfa699cd7c8 100644 |
| --- a/fs/jfs/jfs_dmap.c |
| +++ b/fs/jfs/jfs_dmap.c |
| @@ -1389,6 +1389,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results) |
| (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth; |
| ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1)); |
| |
| + if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) { |
| + jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n"); |
| + release_metapage(mp); |
| + return -EIO; |
| + } |
| + |
| /* dmap control page trees fan-out by 4 and a single allocation |
| * group may be described by 1 or 2 subtrees within the ag level |
| * dmap control page, depending upon the ag size. examine the ag's |
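Review bot: The new guard only validates the first subtree index, but the comment right below it (and, if I read the rest of dbAllocAG correctly, the loop that follows) says an allocation group may span 1 or 2 subtrees starting at `ti`, so `ti + bmp->db_agwidth - 1` is also dereferenced as `dcp->stree[...]` and is still unchecked when `ti` itself is just below `nleafs`. Consider bounding the whole range instead: `if (ti < 0 || bmp->db_agwidth <= 0 || ti > le32_to_cpu(dcp->nleafs) - bmp->db_agwidth)`. Note also that `dcp->nleafs` is itself read from the on-disk dmapctl page, so a corrupted image can make it larger than the actual `stree` array; if the array has a fixed compile-time size, comparing against that as well would give a bound the attacker cannot move. dbAllocAG begins and ends outside this hunk, so the exact loop shape should be confirmed against the full function.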
| -- |
| 2.39.5 |
| |