[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240425141038.47054-1-aha310510@gmail.com>
Date: Thu, 25 Apr 2024 23:10:38 +0900
From: Jeongjun Park <aha310510@...il.com>
To: willy@...radead.org
Cc: brauner@...nel.org,
jfs-discussion@...ts.sourceforge.net,
jlayton@...nel.org,
linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org,
shaggy@...nel.org,
syzbot+241c815bda521982cb49@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] jfs: Fix array-index-out-of-bounds in diFree
Matthew Wilcox wrote:
> If that's the problem then the correct place to detect & reject this is
> during mount, not at inode free time.
I fixed the patch as you said. If you patch in this way, the
file system will not be affected by the vulnerability at all
due to the code structure.
Thanks.
---
fs/jfs/jfs_imap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 2ec35889ad24..ba0aa2f145cc 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -290,7 +290,7 @@ int diSync(struct inode *ipimap)
int diRead(struct inode *ip)
{
struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
- int iagno, ino, extno, rc;
+ int iagno, ino, extno, rc, agno;
struct inode *ipimap;
struct dinode *dp;
struct iag *iagp;
@@ -339,6 +339,9 @@ int diRead(struct inode *ip)
/* get the ag for the iag */
agstart = le64_to_cpu(iagp->agstart);
+ agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));
+ if(agno >= MAXAG || agno < 0)
+ return -EIO;
release_metapage(mp);
--
2.34.1
Powered by blists - more mailing lists