| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250702185936.68245-1-duttaditya18@gmail.com> Date: Thu, 3 Jul 2025 00:29:36 +0530 From: Aditya Dutt <duttaditya18@...il.com> To: stable@...r.kernel.org Cc: Edward Adam Davis <eadavis@...com>, Dave Kleikamp <dave.kleikamp@...cle.com>, Dave Kleikamp <shaggy@...nel.org>, linux-kernel@...r.kernel.org, linux-kernel-mentees@...ts.linux.dev, jfs-discussion@...ts.sourceforge.net, skhan@...uxfoundation.org, Manas Ghandat <ghandatmanas@...il.com>, syzbot+30b3e48dc48dd2ad45b6@...kaller.appspotmail.com, syzbot+bba84aef3a26fb93deb9@...kaller.appspotmail.com, Aditya Dutt <duttaditya18@...il.com> Subject: [PATCH 5.15.y] jfs: fix null ptr deref in dtInsertEntry From: Edward Adam Davis <eadavis@...com> [ Upstream commit ce6dede912f064a855acf6f04a04cbb2c25b8c8c ] [syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time. [Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL. Closes: https://syzkaller.appspot.com/bug?extid=30b3e48dc48dd2ad45b6 Reported-by: syzbot+30b3e48dc48dd2ad45b6@...kaller.appspotmail.com Reported-by: syzbot+bba84aef3a26fb93deb9@...kaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@...com> Signed-off-by: Dave Kleikamp <dave.kleikamp@...cle.com> Signed-off-by: Aditya Dutt <duttaditya18@...il.com> --- I tested the patch manually using the C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=135c9b70580000 given in the syzkaller dashboard above. fs/jfs/jfs_dtree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c index 27ca98614b0b..cb57d4f1161f 100644 --- a/fs/jfs/jfs_dtree.c +++ b/fs/jfs/jfs_dtree.c @@ -835,6 +835,8 @@ int dtInsert(tid_t tid, struct inode *ip, * the full page. */ DT_GETSEARCH(ip, btstack->top, bn, mp, p, index); + if (p->header.freelist == 0) + return -EINVAL; /* * insert entry for new key -- 2.34.1
Powered by blists - more mailing lists