Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dbSplit

From: Edward Adam Davis
Date: Fri Jul 26 2024 - 21:13:30 EST

Next message: Hillf Danton: "Re: [syzbot] [f2fs?] WARNING in rcu_sync_dtor"
Previous message: Ian Rogers: "Re: [PATCH v3 0/5] Dump off-cpu samples directly"
In reply to: Edward Adam Davis: "[PATCH V2] jfs: check if leafidx greater than num leaves per dmap tree"
Next in thread: syzbot: "Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dbSplit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

check dmt_leafidx < 0

#syz test: upstream 7846b618e0a4

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cb3cda1390ad..516bac758053 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2976,6 +2976,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
*/
assert(n < 4);
}
+ if (le32_to_cpu(tp->dmt_leafidx) > LPERDMAP)
+ return -ENOSPC;

/* set the return to the leftmost leaf describing sufficient
* free space.

Next message: Hillf Danton: "Re: [syzbot] [f2fs?] WARNING in rcu_sync_dtor"
Previous message: Ian Rogers: "Re: [PATCH v3 0/5] Dump off-cpu samples directly"
In reply to: Edward Adam Davis: "[PATCH V2] jfs: check if leafidx greater than num leaves per dmap tree"
Next in thread: syzbot: "Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dbSplit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]