Unverified Commit 587d21c8 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!8231 CVE-2023-52804

Merge Pull Request from: @ci-robot 
 
PR sync from: Yifan Qiao <qiaoyifan4@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TOBYYR3NMHRHXJXGYZ3T3FOILDP4QTTZ/ 
Dongliang Mu (1):
  fs: jfs: fix shift-out-of-bounds in dbAllocAG

Juntong Deng (1):
  fs/jfs: Add validity check for db_maxag and db_agpref


-- 
2.39.2
 
https://gitee.com/src-openeuler/kernel/issues/I9RG40 
 
Link:https://gitee.com/openeuler/kernel/pulls/8231

 

Reviewed-by: default avatarzhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents edc29d08 95fb5506
Loading
Loading
Loading
Loading
+22 −6
Original line number Diff line number Diff line
@@ -155,7 +155,7 @@ int dbMount(struct inode *ipbmap)
	struct bmap *bmp;
	struct dbmap_disk *dbmp_le;
	struct metapage *mp;
	int i;
	int i, err;

	/*
	 * allocate/initialize the in-memory bmap descriptor
@@ -170,8 +170,8 @@ int dbMount(struct inode *ipbmap)
			   BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
			   PSIZE, 0);
	if (mp == NULL) {
		kfree(bmp);
		return -EIO;
		err = -EIO;
		goto err_kfree_bmp;
	}

	/* copy the on-disk bmap descriptor to its in-memory version. */
@@ -181,19 +181,29 @@ int dbMount(struct inode *ipbmap)
	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
	if (!bmp->db_numag) {
		release_metapage(mp);
		kfree(bmp);
		return -EINVAL;
		err = -EINVAL;
		goto err_release_metapage;
	}

	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
	bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
	bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
	if (bmp->db_maxag >= MAXAG || bmp->db_maxag < 0 ||
		bmp->db_agpref >= MAXAG || bmp->db_agpref < 0) {
		err = -EINVAL;
		goto err_release_metapage;
	}

	bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
	bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
	bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
	bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
	bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
	if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
		err = -EINVAL;
		goto err_release_metapage;
	}

	for (i = 0; i < MAXAG; i++)
		bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
	bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
@@ -214,6 +224,12 @@ int dbMount(struct inode *ipbmap)
	BMAP_LOCK_INIT(bmp);

	return (0);

err_release_metapage:
	release_metapage(mp);
err_kfree_bmp:
	kfree(bmp);
	return err;
}