This won't work. dbFindLeaf() can be called from dbFindCtl() with struct dmapctl whose stree index can be as high as CTLTREESIZE which is larger than TREESIZE. A check against CTLTREESIZE might be better than nothing at all but won't necessarily detect an overflow. Currently, dbFindLeaf doesn't have anything to tell it which tree it is working on.
We could pass in the treesize as an argument to dbFindCtl() if we can't come up with something simpler.
Shaggy
Signed-off-by: Manas Ghandat <ghandatmanas@xxxxxxxxx>
Reported-by: syzbot+aea1ad91e854d0a83e04@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=aea1ad91e854d0a83e04
---
fs/jfs/jfs_dmap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a14a0f18a4c4..5af17b2287be 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2948,6 +2948,10 @@ static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx)
/* sufficient free space found. move to the next
* level (or quit if this is the last level).
*/
+
+ if (x + n > TREESIZE)
+ return -ENOSPC;
+
if (l2nb <= tp->dmt_stree[x + n])
break;
}
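Review bot: the new bounds check at `if (x + n > TREESIZE)` uses the wrong limit for one of the two callers: as noted in the reply above, dbFindCtl() passes a struct dmapctl whose stree holds CTLTREESIZE entries, more than TREESIZE, so valid indexes between TREESIZE and CTLTREESIZE would be rejected for that caller while out-of-bounds indexes up to CTLTREESIZE on a dmaptree would still pass. dbFindLeaf() has no way to tell which tree it was given; the simplest fix is to pass the applicable tree size (or an is-control-tree flag) as an extra argument and compare against that, e.g. `if (x + n >= max_idx) return -ENOSPC;`. Also confirm the comparison operator: if TREESIZE/CTLTREESIZE is the array length, an index equal to it is already one past the end, so `>=` rather than `>` is the comparison that actually prevents the overflow. Finally, a short comment above the check explaining that it guards against a corrupted on-disk tree would help the next reader understand why a search routine returns -ENOSPC here.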