Commit 4da955b0 authored by Jeongjun Park, committed by Jinjiang Tu

jfs: fix out-of-bounds in dbNextAG() and diAlloc()

stable inclusion
from stable-v5.10.227
commit 0338e66cba272351ca9d7d03f3628e390e70963b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQS5
CVE: CVE-2024-47723

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0338e66cba272351ca9d7d03f3628e390e70963b

--------------------------------

[ Upstream commit e63866a475562810500ea7f784099bfe341e761a ]

In dbNextAG(), there is no check for the case where bmp->db_numag is
greater than or equal to MAXAG due to a polluted image, which causes an
out-of-bounds access. Therefore, a bounds check should be added in dbMount().

And in dbNextAG(), a check for the case where agpref is greater than
bmp->db_numag should be added, so an out-of-bounds exception should be
prevented.

Additionally, a check for the case where agno is greater than or equal to
MAXAG should be added in diAlloc() to prevent out-of-bounds access.

Reported-by: Jeongjun Park <aha310510@gmail.com>
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
parent 77bb487d
+2 −2
@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap)
	}

	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
	if (!bmp->db_numag) {
	if (!bmp->db_numag || bmp->db_numag >= MAXAG) {
		err = -EINVAL;
		goto err_release_metapage;
	}
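Review bot: the `>= MAXAG` bound is the right one here, since db_numag is later used as the upper limit for indexing bmp->db_active[] (see the dbNextAG and diAlloc hunks), so a value of exactly MAXAG would otherwise permit db_active[MAXAG]; the remaining nit is that the failure is silent. Rejecting the mount with a bare -EINVAL makes a corrupted dn_numag indistinguishable from the other -EINVAL exits in dbMount(), so consider emitting a short diagnostic on this path (or at least a one-line comment stating that MAXAG is the array bound) before `goto err_release_metapage;`.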
@@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap)
	 * average free space.
	 */
	for (i = 0 ; i < bmp->db_numag; i++, agpref++) {
		if (agpref == bmp->db_numag)
		if (agpref >= bmp->db_numag)
			agpref = 0;

		if (atomic_read(&bmp->db_active[agpref]))
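Review bot: the change from `==` to `>=` matters because agpref can already be beyond bmp->db_numag when the loop is entered, not only reach it through the `agpref++` increment; with `==` an initially out-of-range agpref would never be reset and the `atomic_read(&bmp->db_active[agpref])` on the last line of the hunk would read past the array. Since the `>=` looks like an over-cautious `==` at a glance, a one-line comment above the check ("agpref may be out of range on entry") would stop a later cleanup from reverting it.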
+1 −1
@@ -1362,7 +1362,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
	/* get the ag number of this iag */
	agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
	dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;
	if (agno < 0 || agno > dn_numag)
	if (agno < 0 || agno > dn_numag || agno >= MAXAG)
		return -EIO;

	if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {
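Review bot: the pre-existing `agno > dn_numag` condition looks off by one, since AG numbers run from 0 to dn_numag - 1, so agno == dn_numag still passes and is only stopped by the new `agno >= MAXAG` term when dn_numag happens to equal MAXAG - 1. Worth confirming whether agno == dn_numag is ever legitimate here; if it is not, `agno >= dn_numag` would be the tighter check, with `agno >= MAXAG` kept as a belt-and-braces guard that does not depend on dbMount() having validated db_numag.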