[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <423182d1-3d75-4a73-9011-da24658a40cc@oracle.com>
Date: Tue, 3 Oct 2023 14:16:11 -0500
From: Dave Kleikamp <dave.kleikamp@...cle.com>
To: Manas Ghandat <ghandatmanas@...il.com>, shaggy@...nel.org
Cc: linux-kernel@...r.kernel.org, jfs-discussion@...ts.sourceforge.net,
Linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+0558d19c373e44da3c18@...kaller.appspotmail.com
Subject: Re: [PATCH] jfs : fs array-index-out-of-bounds in txCommit
On 9/19/23 10:55AM, Manas Ghandat wrote:
> Currently there is no check for out of bound access for xad in the
> struct xtpage_t. Added the required check at various places for the same
This won't work for the same reason I mentioned here:
https://lore.kernel.org/lkml/36683767-ad6c-477b-8b46-f10be2ad55d2@oracle.com/
The size of the xad array can be either XTROOTMAXSLOT or XTPAGEMAXSLOT
depending on whether it is the root, imbedded in the inode, or not. It
is currently declared with the smaller value so we can use xtpage_t
within the inode.
I had promised to address this, but haven't gotten to it yet. I'll try
to carve out some time to do that.
Thanks,
Shaggy
>
> Signed-off-by: Manas Ghandat <ghandatmanas@...il.com>
> Reported-by: syzbot+0558d19c373e44da3c18@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0558d19c373e44da3c18
> Fixes: df0cc57e057f
> ---
> fs/jfs/jfs_txnmgr.c | 4 ++++
> fs/jfs/jfs_xtree.c | 6 ++++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
> index ce4b4760fcb1..6c6640942bed 100644
> --- a/fs/jfs/jfs_txnmgr.c
> +++ b/fs/jfs/jfs_txnmgr.c
> @@ -1722,6 +1722,10 @@ static void xtLog(struct jfs_log * log, struct tblock * tblk, struct lrd * lrd,
> jfs_err("xtLog: lwm > next");
> goto out;
> }
> + if (lwm >= XTROOTMAXSLOT) {
> + jfs_err("xtLog: lwm out of range");
> + goto out;
> + }
> tlck->flag |= tlckUPDATEMAP;
> xadlock->flag = mlckALLOCXADLIST;
> xadlock->count = next - lwm;
> diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c
> index 2d304cee884c..57569c52663e 100644
> --- a/fs/jfs/jfs_xtree.c
> +++ b/fs/jfs/jfs_xtree.c
> @@ -357,6 +357,9 @@ static int xtSearch(struct inode *ip, s64 xoff, s64 *nextp,
> for (base = XTENTRYSTART; lim; lim >>= 1) {
> index = base + (lim >> 1);
>
> + if (index >= XTROOTMAXSLOT)
> + goto out;
> +
> XT_CMP(cmp, xoff, &p->xad[index], t64);
> if (cmp == 0) {
> /*
> @@ -618,6 +621,9 @@ int xtInsert(tid_t tid, /* transaction id */
> memmove(&p->xad[index + 1], &p->xad[index],
> (nextindex - index) * sizeof(xad_t));
>
> + if (index >= XTROOTMAXSLOT)
> + goto out;
> +
> /* insert the new entry: mark the entry NEW */
> xad = &p->xad[index];
> XT_PUTENTRY(xad, xflag, xoff, xlen, xaddr);
Powered by blists - more mailing lists