[PATCH v2] jfs: fix slab-out-of-bounds in dbAllocBits and dbFreeBits


Jun Yeong Kim

4:58 AM (13 hours ago)
to syzbot+0be473...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Jun Yeong Kim
When the underlying loop device backend storage is dynamically changed
(e.g., via LOOP_SET_FD), JFS fails to update its internal block
allocation metadata. This causes dbAllocBits and dbFreeBits to use
stale db_agl2size, producing an out-of-range agno value that leads to
an out-of-bounds access on mp->db_agfree[agno].

Add bounds checks for agno in both dbAllocBits and dbFreeBits. If agno
is negative or exceeds MAXAG, report the error via jfs_error() and
return early to prevent the OOB access.

Reported-by: syzbot+0be473...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0be47376a6acbcba7f0d

Signed-off-by: Jun Yeong Kim <junyeo...@gmail.com>
---
fs/jfs/jfs_dmap.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cb3cda1390ad..c67ff5df0340 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2142,6 +2142,12 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int size;
s8 *leaf;

+ agno = blkno >> bmp->db_agl2size;
+ if (agno < 0 || agno >= MAXAG) {
+ jfs_error(bmp->db_ipbmap->i_sb, "%s: agno %d out of range\n", __func__, agno);
+ return;
+ }
+
/* pick up a pointer to the leaves of the dmap tree */
leaf = dp->tree.stree + LEAFIND;

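Review bot: the added lines assign `agno` at the top of dbAllocBits without declaring it, so `agno` is already a local that the function computes further down before indexing `db_agfree[agno]` (the access named in the commit message); two copies of `agno = blkno >> bmp->db_agl2size;` will drift apart, so either move this check to sit directly beside the existing computation or drop the later assignment. Because the function is `static void` (see the hunk header), the early `return;` leaves the dmap bits unset while the caller proceeds as if the allocation was recorded; the commit message should state why that is acceptable or the error should be propagated. Also note that bounding by MAXAG only prevents the out-of-bounds write, it does not refresh the stale `db_agl2size` the description identifies as the root cause. Minor: the `jfs_error(bmp->db_ipbmap->i_sb, "%s: agno %d out of range\n", __func__, agno);` line is well over 80 columns and should be wrapped to match the surrounding code.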
@@ -2289,6 +2295,12 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int rc = 0;
int size;

+ agno = blkno >> bmp->db_agl2size;
+ if (agno < 0 || agno >= MAXAG) {
+ jfs_error(bmp->db_ipbmap->i_sb, "%s: agno %d out of range\n", __func__, agno);
+ return -EIO;
+ }
+
/* determine the bit number and word within the dmap of the
* starting block.
*/
--
2.47.3

Aleksandr Nogikh

5:10 AM (13 hours ago)
to Jun Yeong Kim, syzbot+0be473...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Hi Jun,

Please note that sending the patch only to syzkaller-bugs@ makes
little sense. You could either send syzbot a #syz test command to test
it [1], or you should send your fix to the public Linux kernel mailing
lists.

[1] https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

--
Aleksandr