[PATCH] jfs: fix array-index-out-of-bounds in dtInsertEntry

From: Ghanshyam Agrawal
Date: Thu Oct 10 2024 - 09:44:18 EST

Next message: Dmitry Baryshkov: "Re: [PATCH] soc: qcom: mark pd-mapper as broken"
Previous message: Lee Jones: "Re: (subset) [PATCH 17/35] mfd: atmel-smc: Reorganize kerneldoc parameter names"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The value of p->header.freelist can be less than zero which
causes an error in dtInsertEntry. Added a check in dtInsert
to address it.

Reported-by: syzbot+5f7f0caf9979e9d09ff8@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=5f7f0caf9979e9d09ff8
Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@xxxxxxxxx>
---
fs/jfs/jfs_dtree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 5d3127ca68a4..51bb3e14551b 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -834,7 +834,7 @@ int dtInsert(tid_t tid, struct inode *ip,
* the full page.
*/
DT_GETSEARCH(ip, btstack->top, bn, mp, p, index);
- if (p->header.freelist == 0)
+ if (p->header.freelist <= 0)
return -EINVAL;

/*
--
2.34.1

Next message: Dmitry Baryshkov: "Re: [PATCH] soc: qcom: mark pd-mapper as broken"
Previous message: Lee Jones: "Re: (subset) [PATCH 17/35] mfd: atmel-smc: Reorganize kerneldoc parameter names"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]