A few more patches to add sanity checks in jfs

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEIodevzQLVs53l6BhNqiEXrVAjGQFAmc/WUoACgkQNqiEXrVA
 jGRbDQ/8DEhFbtbr0ugUJmStEfn+8oBXhsKhYZE1Y+U69SZT924Vn1gfbhxIBH0d
 W1aKcRVvmP0ASfplQemIyiB9sY4Nxd4CUlFD3RqycFR0fAyGIb7XccpkJBhms5/J
 itscgATuE8u5wms3CDByAiEj3kMu8Luf+jDTFVB2SNP0xPeqsqluXtTQwEFHKAmS
 4IhbAH6hQ9E+mqufID8WjhLyKZLhCe8PQ4ccsenNZo8km4xDAv5m0CZD1Ks6k87b
 3n6iG6Wk+5gjzGC/vGOJJIX3eZchMFhCwG+SkJ/7UKT475oKYDjgflpO2yVXWjXz
 mGTFdTLg+wNH+Jh9/nUNCN/2KsFAIx2wcaFmnLC7fmCJFKjVEIQV5Pm0eGi+vdt5
 hU/onwn8rlPeKD8OIh4zKGMzDZj2uX825lfVXlYJP64UE/rOPkJgd7MH8TtNiFlu
 lpxkhM/xpCMfyShUHMWe38C2VwjqMNhW5Mz2EoT9OqSFsTBXTpeoPZOFG+iiJ1Gc
 AFWYM9UrofVj4/bSOOVfDMGSqx8dGfGc/QtEDwvKmTsaZ9imfxDRGmQyTwwuBKmi
 EyuKUjwvIQmF8Z/fqLov+0JpW0XsJLmpVJJ3t451sJgzwrffob0afYrMsW/e7a+f
 zHDz+WSJBKYsb8Wq9owmY29oHGtaoNQ3IguxnbFmD2pkNNnmg/g=
 =V1oj
 -----END PGP SIGNATURE-----

Merge tag 'jfs-6.13' of github.com:kleikamp/linux-shaggy

Pull jfs updates from Dave Kleikamp:
 "A few more patches to add sanity checks in jfs"

* tag 'jfs-6.13' of github.com:kleikamp/linux-shaggy:
  jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
  jfs: xattr: check invalid xattr size more strictly
  jfs: fix array-index-out-of-bounds in jfs_readdir
  jfs: fix shift-out-of-bounds in dbSplit
  jfs: array-index-out-of-bounds fix in dtReadFirst
Linus Torvalds 2024-11-21 09:59:59 -08:00
commit fc39fb5691
3 changed files with 22 additions and 1 deletions


@ -1820,6 +1820,9 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results)
return -EIO; return -EIO;
dp = (struct dmap *) mp->data; dp = (struct dmap *) mp->data;
if (dp->tree.budmin < 0)
return -EIO;
/* try to allocate the blocks. /* try to allocate the blocks.
*/ */
rc = dbAllocDmapLev(bmp, dp, (int) nblocks, l2nb, results); rc = dbAllocDmapLev(bmp, dp, (int) nblocks, l2nb, results);
@ -2888,6 +2891,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
/* bubble the new value up the tree as required. /* bubble the new value up the tree as required.
*/ */
for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) {
if (lp == 0)
break;
/* get the index of the first leaf of the 4 leaf /* get the index of the first leaf of the 4 leaf
* group containing the specified leaf (leafno). * group containing the specified leaf (leafno).
*/ */
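Review bot: The new `return -EIO` in dbAllocCtl, taken when `dp->tree.budmin < 0`, exits without releasing `mp`, which was dereferenced on the line above (`dp = (struct dmap *) mp->data`). The acquisition of `mp` is outside the hunk, but if it is a metapage read just before, as the preceding `return -EIO` suggests, each corrupted dmap that trips this check would leak a metapage reference. Release it on the error path, e.g. `if (dp->tree.budmin < 0) { release_metapage(mp); return -EIO; }`. The `lp == 0` guard added in dbAdjTree would also benefit from a one-line comment saying why that index ends the walk; both function bodies extend outside the hunks.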


@ -2891,6 +2891,14 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
stbl = DT_GETSTBL(p); stbl = DT_GETSTBL(p);
for (i = index; i < p->header.nextindex; i++) { for (i = index; i < p->header.nextindex; i++) {
if (stbl[i] < 0 || stbl[i] > 127) {
jfs_err("JFS: Invalid stbl[%d] = %d for inode %ld, block = %lld",
i, stbl[i], (long)ip->i_ino, (long long)bn);
free_page(dirent_buf);
DT_PUTPAGE(mp);
return -EIO;
}
d = (struct ldtentry *) & p->slot[stbl[i]]; d = (struct ldtentry *) & p->slot[stbl[i]];
if (((long) jfs_dirent + d->namlen + 1) > if (((long) jfs_dirent + d->namlen + 1) >
@ -3086,6 +3094,13 @@ static int dtReadFirst(struct inode *ip, struct btstack * btstack)
/* get the leftmost entry */ /* get the leftmost entry */
stbl = DT_GETSTBL(p); stbl = DT_GETSTBL(p);
if (stbl[0] < 0 || stbl[0] > 127) {
DT_PUTPAGE(mp);
jfs_error(ip->i_sb, "stbl[0] out of bound\n");
return -EIO;
}
xd = (pxd_t *) & p->slot[stbl[0]]; xd = (pxd_t *) & p->slot[stbl[0]];
/* get the child page block address */ /* get the child page block address */
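Review bot: Both new checks compare `stbl[...]` against the literal 127, with nothing tying that bound to the size of `p->slot[]`; a named limit (for example `stbl[i] >= DTPAGEMAXSLOT`, if that is the array size intended here) would keep the two sites in step. It is also worth confirming that 127 is tight enough for every page `p` can point to: if either function can be handed a page with fewer slots than a full dtree page, values below 127 would still index past the array. The two failure paths report differently, `jfs_err(...)` in jfs_readdir and `jfs_error(ip->i_sb, ...)` in dtReadFirst; if both indicate on-disk corruption, they should use the same reporting call. Both function bodies extend outside the hunks.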


@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
size_check: size_check:
if (EALIST_SIZE(ea_buf->xattr) != ea_size) { if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
printk(KERN_ERR "ea_get: invalid extended attribute\n"); printk(KERN_ERR "ea_get: invalid extended attribute\n");
print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,