Kernel/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-10 07:10:27 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

jfs: fix array-index-out-of-bounds in dbFindLeaf

Browse Source 
Currently while searching for dmtree_t for sufficient free blocks there
is an array out of bounds while getting element in tp->dm_stree. To add
the required check for out of bound we first need to determine the type
of dmtree. Thus added an extra parameter to dbFindLeaf so that the type
of tree can be determined and the required check can be applied.

Reported-by: syzbot+aea1ad91e854d0a83e04@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aea1ad91e854d0a83e04
Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
This commit is contained in:
Manas Ghandat 2023-10-04 11:17:18 +05:30 committed by Dave Kleikamp
parent 64933ab7b0
commit 22cad8bc1d
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
fs/jfs/jfs_dmap.c
View File

@ -87,7 +87,7 @@ static int dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno,
static int dbExtend(struct inode *ip, s64 blkno, s64 nblocks, s64 addnblocks); static int dbExtend(struct inode *ip, s64 blkno, s64 nblocks, s64 addnblocks);
static int dbFindBits(u32 word, int l2nb); static int dbFindBits(u32 word, int l2nb);
static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno); static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno);
static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx); static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl);
static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno, static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int nblocks); int nblocks);
static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno, static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno,
@ -1717,7 +1717,7 @@ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno)
* dbFindLeaf() returns the index of the leaf at which * dbFindLeaf() returns the index of the leaf at which
* free space was found. * free space was found.
*/ */
rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx); rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx, true);
/* release the buffer. /* release the buffer.
*/ */
@ -1964,7 +1964,7 @@ dbAllocDmapLev(struct bmap * bmp,
* free space. if sufficient free space is found, dbFindLeaf() * free space. if sufficient free space is found, dbFindLeaf()
* returns the index of the leaf at which free space was found. * returns the index of the leaf at which free space was found.
*/ */
if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) if (dbFindLeaf((dmtree_t *) &dp->tree, l2nb, &leafidx, false))
return -ENOSPC; return -ENOSPC;
if (leafidx < 0) if (leafidx < 0)
@ -2928,14 +2928,18 @@ static void dbAdjTree(dmtree_t * tp, int leafno, int newval)
* leafidx - return pointer to be set to the index of the leaf * leafidx - return pointer to be set to the index of the leaf
* describing at least l2nb free blocks if sufficient * describing at least l2nb free blocks if sufficient
* free blocks are found. * free blocks are found.
* is_ctl - determines if the tree is of type ctl
* *
* RETURN VALUES: * RETURN VALUES:
* 0 - success * 0 - success
* -ENOSPC - insufficient free blocks. * -ENOSPC - insufficient free blocks.
*/ */
static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx) static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
{ {
int ti, n = 0, k, x = 0; int ti, n = 0, k, x = 0;
int max_size;
max_size = is_ctl ? CTLTREESIZE : TREESIZE;
/* first check the root of the tree to see if there is /* first check the root of the tree to see if there is
* sufficient free space. * sufficient free space.
@ -2956,6 +2960,8 @@ static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx)
/* sufficient free space found. move to the next /* sufficient free space found. move to the next
* level (or quit if this is the last level). * level (or quit if this is the last level).
*/ */
if (x + n > max_size)
return -ENOSPC;
if (l2nb <= tp->dmt_stree[x + n]) if (l2nb <= tp->dmt_stree[x + n])
break; break;
} }