| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <82009ea8-ad86-4829-b0a7-7dacda762aad@oracle.com>
Date: Sun, 3 Sep 2023 16:45:39 -0500
From: Dave Kleikamp <dave.kleikamp@...cle.com>
To: Manas Ghandat <ghandatmanas@...il.com>, shaggy@...nel.org,
liushixin2@...wei.com
Cc: linux-kernel@...r.kernel.org, jfs-discussion@...ts.sourceforge.net,
Linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+aea1ad91e854d0a83e04@...kaller.appspotmail.com
Subject: Re: [PATCH] jfs: fix array-index-out-of-bounds in dbFindLeaf
On 9/2/23 12:45PM, Manas Ghandat wrote:
> Actually I was talking about the stree attribute of dmtree which is
> present in both dmaptree and dmapctl.
>
> Link :
> https://elixir.bootlin.com/linux/v6.5.1/source/fs/jfs/jfs_dmap.h#L168
>
> Since it is an array we can add a check for the size of array like the
> code below.
>
>
> + if (x + n > (sizeof(tp->dmt_stree)/sizeof(s8)))
> + return -ENOSPC;
That will always evaluate to the same thing (the size of stree in
dmapctl). It would be valid, since that is the larger number, but it
wouldn't catch all overflows of dmaptree's stree.
>
> On 01/09/23 22:38, Dave Kleikamp wrote:
>> On 8/31/23 10:19AM, Manas Ghandat wrote:
>>> I was wondering if we could implement a get_tree_size macro wherein
>>> we could find the tree size so that we can do the comparison. SInce
>>> the tp->dmt_stree is an array we can get its size and fix the out of
>>> bounds. Would this thing work?
>>
>> dmtree_t is a union of two nearly identical structures that both
>> contain an stree. The only real difference in the structures is the
>> size of the stree, so dbFindLeaf doesn't really know which is being
>> used by the caller.
>>
Powered by blists - more mailing lists