[PATCH] jfs: Add check for array bounds in dtDelete

Pedro Demarchi Gomes posted 1 patch 1 week, 5 days ago
fs/jfs/jfs_dtree.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
[PATCH] jfs: Add check for array bounds in dtDelete
Posted by Pedro Demarchi Gomes 1 week, 5 days ago
stbl is s8 but it must contain offsets into slot which can go from 0 to
127.

Add a bounds check for that inside the dtDelete function.

Reported-by: syzbot+4f9c823a6f63d87491ba@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4f9c823a6f63d87491ba
Signed-off-by: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
---
 fs/jfs/jfs_dtree.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index ab11849cf9cc..c200b37f4562 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -2129,11 +2129,17 @@ int dtDelete(tid_t tid,
 					next_index = -1;
 				else {
 					stbl = DT_GETSTBL(np);
-					ldtentry =
-					    (struct ldtentry *) & np->
-					    slot[stbl[0]];
-					next_index =
-					    le32_to_cpu(ldtentry->index);
+					if (stbl[0] < 0 || stbl[0] >= DTPAGEMAXSLOT) {
+						jfs_err("JFS: Invalid stbl[0] = %d for inode %ld, block = %lld",
+							stbl[0], (long)ip->i_ino, (long long)le64_to_cpu(p->header.next));
+						next_index = -1;
+					} else {
+						ldtentry =
+							(struct ldtentry *) & np->
+							slot[stbl[0]];
+						next_index =
+							le32_to_cpu(ldtentry->index);
+					}
 					DT_PUTPAGE(nmp);
 				}
 			}
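Review bot: An out-of-range stbl[0] in the new branch is on-disk directory corruption, yet it is only logged with jfs_err and the delete then proceeds with next_index = -1, so the superblock is never flagged and the freed index slot is chained to end-of-directory, which as far as I can tell would make a readdir resuming at that cookie stop early and silently skip the remaining entries. Reporting it through `jfs_error(ip->i_sb, ...)`, which honours the errors= mount option, and failing the operation with -EIO keeps the inconsistency visible instead of papering over it; the rewritten branch is shown below. Note also that with stbl declared s8 (as the description says) and DTPAGEMAXSLOT being 128, the `stbl[0] >= DTPAGEMAXSLOT` half of the test can never be true, so `stbl[0] < 0` is the check that actually fires and the second comparison is documentation at best. I am assuming from the DT_GETPAGE failure path just above this hunk that mp is still held at this point and must be released before returning; dtDelete begins and ends outside the hunk, so please confirm against the full function.
```c
					stbl = DT_GETSTBL(np);
					if (stbl[0] < 0 || stbl[0] >= DTPAGEMAXSLOT) {
						jfs_error(ip->i_sb, "invalid stbl[0] = %d in block %lld",
							  stbl[0], (long long)le64_to_cpu(p->header.next));
						DT_PUTPAGE(nmp);
						DT_PUTPAGE(mp);
						return -EIO;
					}
					/* … unchanged: ldtentry / next_index computation and DT_PUTPAGE(nmp) … */
```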
-- 
2.39.5