UBSAN: array-index-out-of-bounds in dtInsertEntry

From: Ghanshyam Agrawal
Date: Thu Oct 10 2024 - 09:14:40 EST


#syz test
From bdc956a38762cda97b69b164f55cdb94f6f9cbe3 Mon Sep 17 00:00:00 2001
From: Ghanshyam Agrawal <ghanshyam1898@xxxxxxxxx>
Date: Thu, 10 Oct 2024 18:36:43 +0530
Subject: [PATCH] jfs: fix array-index-out-of-bounds in dtInsertEntry
To: shaggy@xxxxxxxxxx,
osmtendev@xxxxxxxxx,
ghandatmanas@xxxxxxxxx,
eadavis@xxxxxx,
ghanshyam1898@xxxxxxxxx
Cc: jfs-discussion@xxxxxxxxxxxxxxxxxxxxx,
linux-kernel@xxxxxxxxxxxxxxx

The value of p->header.freelist can be less than zero, which
causes an error in dtInsertEntry. Added a check in dtInsert
to address it.

Reported-by: syzbot+5f7f0caf9979e9d09ff8@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=5f7f0caf9979e9d09ff8
Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@xxxxxxxxx>
---
fs/jfs/jfs_dtree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 5d3127ca68a4..51bb3e14551b 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -834,7 +834,7 @@ int dtInsert(tid_t tid, struct inode *ip,
* the full page.
*/
DT_GETSEARCH(ip, btstack->top, bn, mp, p, index);
- if (p->header.freelist == 0)
+ if (p->header.freelist <= 0)
return -EINVAL;

/*
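Review bot: the new `<= 0` test in `dtInsert` folds a negative (i.e. inconsistent on-disk) `freelist` value into the same `-EINVAL` return that already covers the legitimate "no free slot" case, so a corrupted page becomes indistinguishable from a full one for the caller; consider returning a distinct error for the negative case, and say in the commit message why `-EINVAL` was chosen. The check also guards only the lower bound: an over-large `freelist` index would index past the slot array in `dtInsertEntry` just as a negative one does, so a bound against the page's slot count alongside the `<= 0` test would close both sides of the out-of-bounds access reported by syzbot.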
--
2.34.1