1. Patchew
  2. linux
  3. View series

[PATCH v2] jfs: fix divide error in dbNextAG

Pavel Skripkin posted 1 patch 4 years, 3 months ago 
fs/jfs/jfs_dmap.c | 7 +++++++
1 file changed, 7 insertions(+)
[PATCH v2] jfs: fix divide error in dbNextAG
Posted by Pavel Skripkin 4 years, 3 months ago 
Syzbot reported divide error in dbNextAG(). The problem was in missing
validation check for malicious image.

Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any
validation checks, but dbNextAG() blindly use bmp->db_numag in divide
expression

Fix it by validating bmp->db_numag in dbMount() and return an error if
image is malicious

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---

Changes since v1:
	- Add missing clean up in case of error

---
 fs/jfs/jfs_dmap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 91f4ec93dab1..d8502f4989d9 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -148,6 +148,7 @@ static const s8 budtab[256] = {
  *	0	- success
  *	-ENOMEM	- insufficient memory
  *	-EIO	- i/o error
+ *	-EINVAL - wrong bmap data
  */
 int dbMount(struct inode *ipbmap)
 {
@@ -179,6 +180,12 @@ int dbMount(struct inode *ipbmap)
 	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
 	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
 	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+	if (!bmp->db_numag) {
+		release_metapage(mp);
+		kfree(bmp);
+		return -EINVAL;
+	}
+
 	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
 	bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
 	bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
-- 
2.35.1
Re: [PATCH v2] jfs: fix divide error in dbNextAG
Posted by Dave Kleikamp 4 years, 3 months ago 
Thanks. I'll push this for 5.18.

Shaggy

On 3/19/22 2:30PM, Pavel Skripkin wrote:
> Syzbot reported divide error in dbNextAG(). The problem was in missing
> validation check for malicious image.
> 
> Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any
> validation checks, but dbNextAG() blindly use bmp->db_numag in divide
> expression
> 
> Fix it by validating bmp->db_numag in dbMount() and return an error if
> image is malicious
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
> 
> Changes since v1:
> 	- Add missing clean up in case of error
> 
> ---
>   fs/jfs/jfs_dmap.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index 91f4ec93dab1..d8502f4989d9 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -148,6 +148,7 @@ static const s8 budtab[256] = {
>    *	0	- success
>    *	-ENOMEM	- insufficient memory
>    *	-EIO	- i/o error
> + *	-EINVAL - wrong bmap data
>    */
>   int dbMount(struct inode *ipbmap)
>   {
> @@ -179,6 +180,12 @@ int dbMount(struct inode *ipbmap)
>   	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
>   	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
>   	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
> +	if (!bmp->db_numag) {
> +		release_metapage(mp);
> +		kfree(bmp);
> +		return -EINVAL;
> +	}
> +
>   	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
>   	bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
>   	bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.