Commit 0c66ebbb authored Oct 25, 2024 by Edward Adam Davis Committed by Yifan Qiao Oct 25, 2024

jfs: check if leafidx greater than num leaves per dmap tree

stable inclusion
from stable-v6.6.55
commit 7fff9a9f866e99931cf6fa260288e55d01626582
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAK
CVE: CVE-2024-49902

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7fff9a9f866e99931cf6fa260288e55d01626582



--------------------------------

[ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ]

syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater
than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.

Shaggy:
Modified sanity check to apply to control pages as well as leaf pages.

Reported-and-tested-by:  <syzbot+dca05492eff41f604890@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890


Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com>

parent aabf92a1

fs/jfs/jfs_dmap.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -2944,9 +2944,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
		static int dbFindLeaf(dmtree_t tp, int l2nb, int leafidx, bool is_ctl)
		{
		int ti, n = 0, k, x = 0;
		int max_size;
		int max_size, max_idx;

		max_size = is_ctl ? CTLTREESIZE : TREESIZE;
		max_idx = is_ctl ? LPERCTL : LPERDMAP;

		/* first check the root of the tree to see if there is
		* sufficient free space.
		@@ -2978,6 +2979,8 @@ static int dbFindLeaf(dmtree_t tp, int l2nb, int leafidx, bool is_ctl)
		*/
		assert(n < 4);
		}
		if (le32_to_cpu(tp->dmt_leafidx) >= max_idx)
		return -ENOSPC;

		/* set the return to the leftmost leaf describing sufficient
		* free space.