Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtDelete

From: Leonardo Hirata
Date: Tue Mar 18 2025 - 22:26:33 EST

Next message: I Hsin Cheng: "[PATCH v2] rust: sync: rcu: Mark Guard methods as inline"
Previous message: Lu Baolu: "[PATCH 3/3] iommu/vt-d: Fix possible circular locking dependency"
In reply to: syzbot: "[syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtDelete"
Next in thread: syzbot: "Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtDelete"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz test

From d2015dde38d6f730eabdc613eb26f7c59daa9cab Mon Sep 17 00:00:00 2001
From: Leonardo Felipe Takao Hirata <leo.fthirata@xxxxxxxxx>
Date: Tue, 18 Mar 2025 22:03:57 -0300
Subject: [PATCH] jfs: Add check for array bounds in dtReadFirst

Add a check for index out of bound.

Signed-off-by: Leonardo Felipe Takao Hirata <leo.fthirata@xxxxxxxxx>
---
fs/jfs/jfs_dtree.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 8f85177f284b..4e29f8c7d624 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -2128,6 +2128,13 @@ int dtDelete(tid_t tid,
next_index = -1;
else {
stbl = DT_GETSTBL(np);
+
+ if (stbl[0] < 0 || stbl[0] > 127) {
+ DT_PUTPAGE(mp);
+ jfs_error(ip->i_sb, "stbl[0] out of bound\n");
+ return -EIO;
+ }
+
ldtentry =
(struct ldtentry *) & np->
slot[stbl[0]];
--
2.43.0

Next message: I Hsin Cheng: "[PATCH v2] rust: sync: rcu: Mark Guard methods as inline"
Previous message: Lu Baolu: "[PATCH 3/3] iommu/vt-d: Fix possible circular locking dependency"
In reply to: syzbot: "[syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtDelete"
Next in thread: syzbot: "Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtDelete"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]