lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <5b131b90-513c-4442-bc1f-07817023df71@oracle.com>
Date:   Wed, 1 Nov 2023 10:04:55 -0500
From:   Dave Kleikamp <dave.kleikamp@...cle.com>
To:     Manas Ghandat <ghandatmanas@...il.com>, shaggy@...nel.org
Cc:     Linux-kernel-mentees@...ts.linuxfoundation.org,
        jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        syzbot+c1056fdfe414463fdb33@...kaller.appspotmail.com
Subject: Re: [PATCH] jfs : fix array-index-out-of-bounds in diWrite

On 10/8/23 12:47PM, Manas Ghandat wrote:
> Currently while copying dtree root from inode to dnode in the xp slot
> there is a out of bound memcpy. Added a bound check to the memcpy.
> 
> Reported-by: syzbot+c1056fdfe414463fdb33@...kaller.appspotmail.com
> Fixes: https://syzkaller.appspot.com/bug?extid=c1056fdfe414463fdb33
> Signed-off-by: Manas Ghandat <ghandatmanas@...il.com>
> ---
>   fs/jfs/jfs_imap.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
> index 799d3837e7c2..d1f897848be0 100644
> --- a/fs/jfs/jfs_imap.c
> +++ b/fs/jfs/jfs_imap.c
> @@ -746,7 +746,8 @@ int diWrite(tid_t tid, struct inode *ip)
>   		xp = (dtpage_t *) & dp->di_dtroot;
>   		lv = ilinelock->lv;
>   		for (n = 0; n < ilinelock->index; n++, lv++) {
> -			memcpy(&xp->slot[lv->offset], &p->slot[lv->offset],
> +			if (lv->offset < 128)

I'd use DTPAGEMAXSLOT instead of hard-coding 128.

Also, we could at least set rc to -EIO, or we could do something more.
Calling jfs_error() would mark the superblock dirty and usually makes 
the file system read-only until it's fixed.

> +				memcpy(&xp->slot[lv->offset], &p->slot[lv->offset],
>   			       lv->length << L2DTSLOTSIZE);
>   		}
>   	} else {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ