From: Tristan Madani <tristan@talencesecurity.com>
BT_STACK_DUMP() iterates over MAXTREEHEIGHT entries in the btstack
regardless of how many entries were actually pushed. This reads
uninitialized stack entries beyond the current depth.

Fix by computing the actual depth from btstack->top and limiting the
loop to only initialized entries.

Reported-by: syzbot+ba5f49027aace342d24d@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_btree.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_btree.h b/fs/jfs/jfs_btree.h
index ce055ef50cd35..26dd5acddcfeb 100644
--- a/fs/jfs/jfs_btree.h
+++ b/fs/jfs/jfs_btree.h
@@ -131,8 +131,10 @@ struct btstack {
static inline void BT_STACK_DUMP(struct btstack *btstack)
{
int i;
+ int depth = btstack->top - btstack->stack;
+
printk("btstack dump:\n");
- for (i = 0; i < MAXTREEHEIGHT; i++)
+ for (i = 0; i < depth; i++)
printk(KERN_ERR "bn = %Lx, index = %d\n",
(long long)btstack->stack[i].bn,
btstack->stack[i].index);
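Review bot: `depth = btstack->top - btstack->stack` is used as the loop bound without any range check, and a dump helper like this is normally reached from an error path where the stack may already be inconsistent; consider clamping it (e.g. `if (depth < 0 || depth > MAXTREEHEIGHT) depth = MAXTREEHEIGHT;`) so a corrupted `top` pointer cannot drive the loop past the `stack[]` array. Also, since this function is being touched anyway, the header `printk("btstack dump:\n")` carries no log level while the per-entry line uses `KERN_ERR`; making the two consistent (or switching both to `pr_err`) would keep the whole dump at one priority.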
--
2.47.3