lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <f03509ef-4501-e686-f484-416a6200fbeb@gmail.com> Date: Mon, 2 Oct 2023 10:06:14 +0530 From: Manas Ghandat <ghandatmanas@...il.com> To: shaggy@...nel.org Cc: linux-kernel@...r.kernel.org, jfs-discussion@...ts.sourceforge.net, Linux-kernel-mentees@...ts.linuxfoundation.org, syzbot+0558d19c373e44da3c18@...kaller.appspotmail.com Subject: Re: [PATCH] jfs : fs array-index-out-of-bounds in txCommit just a friendly ping On 19/09/23 21:25, Manas Ghandat wrote: > Currently there is no check for out of bound access for xad in the > struct xtpage_t. Added the required check at various places for the same > > Signed-off-by: Manas Ghandat <ghandatmanas@...il.com> > Reported-by: syzbot+0558d19c373e44da3c18@...kaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=0558d19c373e44da3c18 > Fixes: df0cc57e057f > --- > fs/jfs/jfs_txnmgr.c | 4 ++++ > fs/jfs/jfs_xtree.c | 6 ++++++ > 2 files changed, 10 insertions(+) > > diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c > index ce4b4760fcb1..6c6640942bed 100644 > --- a/fs/jfs/jfs_txnmgr.c > +++ b/fs/jfs/jfs_txnmgr.c > @@ -1722,6 +1722,10 @@ static void xtLog(struct jfs_log * log, struct tblock * tblk, struct lrd * lrd, > jfs_err("xtLog: lwm > next"); > goto out; > } > + if (lwm >= XTROOTMAXSLOT) { > + jfs_err("xtLog: lwm out of range"); > + goto out; > + } > tlck->flag |= tlckUPDATEMAP; > xadlock->flag = mlckALLOCXADLIST; > xadlock->count = next - lwm; > diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c > index 2d304cee884c..57569c52663e 100644 > --- a/fs/jfs/jfs_xtree.c > +++ b/fs/jfs/jfs_xtree.c > @@ -357,6 +357,9 @@ static int xtSearch(struct inode *ip, s64 xoff, s64 *nextp, > for (base = XTENTRYSTART; lim; lim >>= 1) { > index = base + (lim >> 1); > > + if (index >= XTROOTMAXSLOT) > + goto out; > + > XT_CMP(cmp, xoff, &p->xad[index], t64); > if (cmp == 0) { > /* > @@ -618,6 +621,9 @@ int xtInsert(tid_t tid, /* transaction id */ > memmove(&p->xad[index + 1], &p->xad[index], > (nextindex - index) * sizeof(xad_t)); > > + if (index >= XTROOTMAXSLOT) > + goto out; > + > /* insert the new entry: mark the entry NEW */ > xad = &p->xad[index]; > XT_PUTENTRY(xad, xflag, xoff, xlen, xaddr);
Powered by blists - more mailing lists