Re: [PATCH] jfs: fix slab-out-of-bounds Read in dtSearch

From: Dan Carpenter
Date: Tue Oct 24 2023 - 06:46:47 EST


Hi Manas,

kernel test robot noticed the following build warnings:

https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Manas-Ghandat/jfs-fix-slab-out-of-bounds-Read-in-dtSearch/20231017-152500
base: https://github.com/kleikamp/linux-shaggy jfs-next
patch link: https://lore.kernel.org/r/20231016171130.15952-1-ghandatmanas%40gmail.com
patch subject: [PATCH] jfs: fix slab-out-of-bounds Read in dtSearch
config: i386-randconfig-141-20231022 (https://download.01.org/0day-ci/archive/20231024/202310241724.Ed02yUz9-lkp@xxxxxxxxx/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce: (https://download.01.org/0day-ci/archive/20231024/202310241724.Ed02yUz9-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
| Closes: https://lore.kernel.org/r/202310241724.Ed02yUz9-lkp@xxxxxxxxx/

smatch warnings:
fs/jfs/jfs_dtree.c:636 dtSearch() warn: impossible condition '(stbl[index] > 128) => ((-128)-127 > 128)'

vim +636 fs/jfs/jfs_dtree.c

^1da177e4c3f41 Linus Torvalds 2005-04-16 567 int dtSearch(struct inode *ip, struct component_name * key, ino_t * data,
^1da177e4c3f41 Linus Torvalds 2005-04-16 568 struct btstack * btstack, int flag)
^1da177e4c3f41 Linus Torvalds 2005-04-16 569 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 570 int rc = 0;
^1da177e4c3f41 Linus Torvalds 2005-04-16 571 int cmp = 1; /* init for empty page */
^1da177e4c3f41 Linus Torvalds 2005-04-16 572 s64 bn;
^1da177e4c3f41 Linus Torvalds 2005-04-16 573 struct metapage *mp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 574 dtpage_t *p;
^1da177e4c3f41 Linus Torvalds 2005-04-16 575 s8 *stbl;
^^^^^^^^

^1da177e4c3f41 Linus Torvalds 2005-04-16 576 int base, index, lim;
^1da177e4c3f41 Linus Torvalds 2005-04-16 577 struct btframe *btsp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 578 pxd_t *pxd;
^1da177e4c3f41 Linus Torvalds 2005-04-16 579 int psize = 288; /* initial in-line directory */
^1da177e4c3f41 Linus Torvalds 2005-04-16 580 ino_t inumber;
^1da177e4c3f41 Linus Torvalds 2005-04-16 581 struct component_name ciKey;
^1da177e4c3f41 Linus Torvalds 2005-04-16 582 struct super_block *sb = ip->i_sb;
^1da177e4c3f41 Linus Torvalds 2005-04-16 583
6da2ec56059c3c Kees Cook 2018-06-12 584 ciKey.name = kmalloc_array(JFS_NAME_MAX + 1, sizeof(wchar_t),
6da2ec56059c3c Kees Cook 2018-06-12 585 GFP_NOFS);
09aaa749f637b1 Joe Perches 2007-11-13 586 if (!ciKey.name) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 587 rc = -ENOMEM;
^1da177e4c3f41 Linus Torvalds 2005-04-16 588 goto dtSearch_Exit2;
^1da177e4c3f41 Linus Torvalds 2005-04-16 589 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 590
^1da177e4c3f41 Linus Torvalds 2005-04-16 591
^1da177e4c3f41 Linus Torvalds 2005-04-16 592 /* uppercase search key for c-i directory */
^1da177e4c3f41 Linus Torvalds 2005-04-16 593 UniStrcpy(ciKey.name, key->name);
^1da177e4c3f41 Linus Torvalds 2005-04-16 594 ciKey.namlen = key->namlen;
^1da177e4c3f41 Linus Torvalds 2005-04-16 595
^1da177e4c3f41 Linus Torvalds 2005-04-16 596 /* only uppercase if case-insensitive support is on */
^1da177e4c3f41 Linus Torvalds 2005-04-16 597 if ((JFS_SBI(sb)->mntflag & JFS_OS2) == JFS_OS2) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 598 ciToUpper(&ciKey);
^1da177e4c3f41 Linus Torvalds 2005-04-16 599 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 600 BT_CLR(btstack); /* reset stack */
^1da177e4c3f41 Linus Torvalds 2005-04-16 601
^1da177e4c3f41 Linus Torvalds 2005-04-16 602 /* init level count for max pages to split */
^1da177e4c3f41 Linus Torvalds 2005-04-16 603 btstack->nsplit = 1;
^1da177e4c3f41 Linus Torvalds 2005-04-16 604
^1da177e4c3f41 Linus Torvalds 2005-04-16 605 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 606 * search down tree from root:
^1da177e4c3f41 Linus Torvalds 2005-04-16 607 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 608 * between two consecutive entries of <Ki, Pi> and <Kj, Pj> of
^1da177e4c3f41 Linus Torvalds 2005-04-16 609 * internal page, child page Pi contains entry with k, Ki <= K < Kj.
^1da177e4c3f41 Linus Torvalds 2005-04-16 610 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 611 * if entry with search key K is not found
^1da177e4c3f41 Linus Torvalds 2005-04-16 612 * internal page search find the entry with largest key Ki
^1da177e4c3f41 Linus Torvalds 2005-04-16 613 * less than K which point to the child page to search;
^1da177e4c3f41 Linus Torvalds 2005-04-16 614 * leaf page search find the entry with smallest key Kj
^1da177e4c3f41 Linus Torvalds 2005-04-16 615 * greater than K so that the returned index is the position of
^1da177e4c3f41 Linus Torvalds 2005-04-16 616 * the entry to be shifted right for insertion of new entry.
^1da177e4c3f41 Linus Torvalds 2005-04-16 617 * for empty tree, search key is greater than any key of the tree.
^1da177e4c3f41 Linus Torvalds 2005-04-16 618 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 619 * by convention, root bn = 0.
^1da177e4c3f41 Linus Torvalds 2005-04-16 620 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 621 for (bn = 0;;) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 622 /* get/pin the page to search */
^1da177e4c3f41 Linus Torvalds 2005-04-16 623 DT_GETPAGE(ip, bn, mp, psize, p, rc);
^1da177e4c3f41 Linus Torvalds 2005-04-16 624 if (rc)
^1da177e4c3f41 Linus Torvalds 2005-04-16 625 goto dtSearch_Exit1;
^1da177e4c3f41 Linus Torvalds 2005-04-16 626
^1da177e4c3f41 Linus Torvalds 2005-04-16 627 /* get sorted entry table of the page */
^1da177e4c3f41 Linus Torvalds 2005-04-16 628 stbl = DT_GETSTBL(p);
^1da177e4c3f41 Linus Torvalds 2005-04-16 629
^1da177e4c3f41 Linus Torvalds 2005-04-16 630 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 631 * binary search with search key K on the current page.
^1da177e4c3f41 Linus Torvalds 2005-04-16 632 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 633 for (base = 0, lim = p->header.nextindex; lim; lim >>= 1) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 634 index = base + (lim >> 1);
^1da177e4c3f41 Linus Torvalds 2005-04-16 635
7812e358b5edde Manas Ghandat 2023-10-16 @636 if (stbl[index] > 128 || stbl[index] < 0)

stbl is an s8 so it can't be > 128.

7812e358b5edde Manas Ghandat 2023-10-16 637 goto out;
7812e358b5edde Manas Ghandat 2023-10-16 638
^1da177e4c3f41 Linus Torvalds 2005-04-16 639 if (p->header.flag & BT_LEAF) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 640 /* uppercase leaf name to compare */
^1da177e4c3f41 Linus Torvalds 2005-04-16 641 cmp =
^1da177e4c3f41 Linus Torvalds 2005-04-16 642 ciCompare(&ciKey, p, stbl[index],
^1da177e4c3f41 Linus Torvalds 2005-04-16 643 JFS_SBI(sb)->mntflag);
^1da177e4c3f41 Linus Torvalds 2005-04-16 644 } else {
^1da177e4c3f41 Linus Torvalds 2005-04-16 645 /* router key is in uppercase */
^1da177e4c3f41 Linus Torvalds 2005-04-16 646
^1da177e4c3f41 Linus Torvalds 2005-04-16 647 cmp = dtCompare(&ciKey, p, stbl[index]);

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
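The smatch warning above comes down to the type of `stbl`: an `s8` holds -128..127, so the `stbl[index] > 128` half of the condition can never fire and only the `< 0` half does any work. The program below is an added illustration, not code from the patch, the kernel or the test robot. It counts how many of the 256 possible `s8` values each half of the condition rejects, and shows a hypothetical bounded check that compares the entry against the number of slots actually present (`nslots` is an assumed parameter for this example; dtSearch's own slot count is not on the page). The sorted-entry table and slot array are constructed sample data.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef int8_t s8; /* kernel spelling of int8_t; stbl in dtSearch is an s8 * */

/*
 * Condition as written in the patch under review.  For an s8 the
 * "> 128" comparison is always false, which is what smatch reports.
 */
static bool stbl_entry_invalid_as_patched(s8 v)
{
	return v > 128 || v < 0;
}

/* How many s8 values does the upper half of the condition reject?  Always 0. */
static int count_rejected_by_upper_half(void)
{
	int n = 0;
	for (int i = -128; i <= 127; i++) {
		s8 v = (s8)i;
		if (v > 128)
			n++;
	}
	return n;
}

/* How many s8 values does the lower half reject?  The 128 negative ones. */
static int count_rejected_by_lower_half(void)
{
	int n = 0;
	for (int i = -128; i <= 127; i++) {
		s8 v = (s8)i;
		if (v < 0)
			n++;
	}
	return n;
}

/*
 * Hypothetical bounded check for this example: reject negative entries and
 * entries at or beyond the number of slots the page holds.  nslots is an
 * assumed parameter, not part of dtSearch's signature.
 */
static bool stbl_entry_invalid_bounded(s8 v, int nslots)
{
	return v < 0 || v >= nslots;
}

/*
 * Toy lookup through a sorted-entry table into a slot array.  Returns the
 * slot value, or -1 where the kernel would fail with -EIO on a bad entry.
 */
static int lookup_slot(const s8 *stbl, int nstbl, int index,
		       const int *slots, int nslots)
{
	if (index < 0 || index >= nstbl)
		return -1;
	if (stbl_entry_invalid_bounded(stbl[index], nslots))
		return -1;
	return slots[stbl[index]];
}

/* Constructed sample data: four slots, a good table and a corrupted one. */
static const int sample_slots[4] = { 10, 20, 30, 40 };
static const s8 sample_stbl_ok[3] = { 2, 0, 3 };
static const s8 sample_stbl_bad[3] = { 2, -1, 5 }; /* -1 and 5 are out of range */

int main(void)
{
	printf("s8 values rejected by '> 128': %d\n", count_rejected_by_upper_half());
	printf("s8 values rejected by '< 0':   %d\n", count_rejected_by_lower_half());
	printf("entry 5 with 4 slots, patched check invalid? %d, bounded check invalid? %d\n",
	       stbl_entry_invalid_as_patched(5), stbl_entry_invalid_bounded(5, 4));
	printf("lookup ok[0] = %d, bad[1] = %d, bad[2] = %d\n",
	       lookup_slot(sample_stbl_ok, 3, 0, sample_slots, 4),
	       lookup_slot(sample_stbl_bad, 3, 1, sample_slots, 4),
	       lookup_slot(sample_stbl_bad, 3, 2, sample_slots, 4));
	return 0;
}
```

The entry value 5 is the interesting case: it passes the patched condition (it is neither negative nor above 128) yet indexes past a four-slot array, which is why a check of this kind should be stated against the real slot count rather than a constant the type can never reach.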