Commit 0a43e363 authored Jan 08, 2025 by Ghanshyam Agrawal Committed by Heyuan Wang Jan 08, 2025

jfs: fix shift-out-of-bounds in dbSplit

stable inclusion
from stable-v5.10.231
commit df7c76636952670b31bd6c12b3aed3c502122273
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAOT
CVE: CVE-2024-56597

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=df7c76636952670b31bd6c12b3aed3c502122273



--------------------------------

[ Upstream commit a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ]

When dmt_budmin is less than zero, it causes errors
in the later stages. Added a check to return an error beforehand
in dbAllocCtl itself.

Reported-by:  <syzbot+b5ca8a249162c4b9a7d0@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=b5ca8a249162c4b9a7d0


Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Heyuan Wang <wangheyuan2@h-partners.com>

parent a6a98ae1

fs/jfs/jfs_dmap.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1888,6 +1888,9 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results)
		return -EIO;
		dp = (struct dmap *) mp->data;

		if (dp->tree.budmin < 0)
		return -EIO;

		/* try to allocate the blocks.
		*/
		rc = dbAllocDmapLev(bmp, dp, (int) nblocks, l2nb, results);