| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Nov 2023 10:04:55 -0500
From: Dave Kleikamp <dave.kleikamp@...cle.com>
To: Manas Ghandat <ghandatmanas@...il.com>, shaggy@...nel.org
Cc: Linux-kernel-mentees@...ts.linuxfoundation.org,
jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
syzbot+c1056fdfe414463fdb33@...kaller.appspotmail.com
Subject: Re: [PATCH] jfs : fix array-index-out-of-bounds in diWrite
On 10/8/23 12:47PM, Manas Ghandat wrote:
> Currently while copying dtree root from inode to dnode in the xp slot
> there is a out of bound memcpy. Added a bound check to the memcpy.
>
> Reported-by: syzbot+c1056fdfe414463fdb33@...kaller.appspotmail.com
> Fixes: https://syzkaller.appspot.com/bug?extid=c1056fdfe414463fdb33
> Signed-off-by: Manas Ghandat <ghandatmanas@...il.com>
> ---
> fs/jfs/jfs_imap.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
> index 799d3837e7c2..d1f897848be0 100644
> --- a/fs/jfs/jfs_imap.c
> +++ b/fs/jfs/jfs_imap.c
> @@ -746,7 +746,8 @@ int diWrite(tid_t tid, struct inode *ip)
> xp = (dtpage_t *) & dp->di_dtroot;
> lv = ilinelock->lv;
> for (n = 0; n < ilinelock->index; n++, lv++) {
> - memcpy(&xp->slot[lv->offset], &p->slot[lv->offset],
> + if (lv->offset < 128)
I'd use DTPAGEMAXSLOT instead of hard-coding 128.
Also, we could at least set rc to -EIO, or we could do something more.
Calling jfs_error() would mark the superblock dirty and usually makes
the file system read-only until it's fixed.
> + memcpy(&xp->slot[lv->offset], &p->slot[lv->offset],
> lv->length << L2DTSLOTSIZE);
> }
> } else {
Powered by blists - more mailing lists