Message-Id: <20250919225055.106808-1-pedrodemargomes@gmail.com>
Date: Fri, 19 Sep 2025 19:50:55 -0300
From: Pedro Demarchi Gomes <pedrodemargomes@...il.com>
To: shaggy@...nel.org,
	duttaditya18@...il.com,
	ghanshyam1898@...il.com
Cc: jfs-discussion@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	Pedro Demarchi Gomes <pedrodemargomes@...il.com>,
	syzbot+4f9c823a6f63d87491ba@...kaller.appspotmail.com
Subject: [PATCH] jfs: Add check for array bounds in dtDelete

stbl is s8 but it must contain offsets into slot which can go from 0 to
127.

Add a bound check for that error inside the dtDelete function.

Reported-by: syzbot+4f9c823a6f63d87491ba@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4f9c823a6f63d87491ba
Signed-off-by: Pedro Demarchi Gomes <pedrodemargomes@...il.com>
---
 fs/jfs/jfs_dtree.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index ab11849cf9cc..c200b37f4562 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -2129,11 +2129,17 @@ int dtDelete(tid_t tid,
 					next_index = -1;
 				else {
 					stbl = DT_GETSTBL(np);
-					ldtentry =
-					    (struct ldtentry *) & np->
-					    slot[stbl[0]];
-					next_index =
-					    le32_to_cpu(ldtentry->index);
+					if (stbl[0] < 0 || stbl[0] >= DTPAGEMAXSLOT) {
+						jfs_err("JFS: Invalid stbl[0] = %d for inode %ld, block = %lld",
+							stbl[0], (long)ip->i_ino, (long long)le64_to_cpu(p->header.next));
+						next_index = -1;
+					} else {
+						ldtentry =
+							(struct ldtentry *) & np->
+							slot[stbl[0]];
+						next_index =
+							le32_to_cpu(ldtentry->index);
+					}
 					DT_PUTPAGE(nmp);
 				}
 			}
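Review bot: In the new error branch, `next_index = -1;` gives a corrupt stbl[0] the same outcome as the ordinary "no next entry" case set just above the `else`, so dtDelete logs the problem and then keeps going on a directory page it has just found to be inconsistent. Consider propagating an error from this branch (after DT_PUTPAGE(nmp) and whatever other cleanup this path requires), or state in the commit message why treating the corruption as end-of-directory is safe. Two smaller points: the commit message says valid offsets run from 0 to 127 and stbl is s8, so the `stbl[0] < 0` half of the test is the one that catches the reported case, and a short comment saying so would help; and the jfs_err() argument line runs well past 80 columns and could be wrapped.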
-- 
2.39.5

