[PATCH] jfs: Add a sanity check for budmin

Edward Adam Davis posted 1 patch 1 week, 5 days ago
fs/jfs/jfs_dmap.c | 2 ++
1 file changed, 2 insertions(+)
In a corrupted file system image, the budmin value is less than 0,
which causes the lazycommit thread to report an out-of-bounds error
when retrieving the buddy size in dbJoin [1].

Add a check for potentially negative budmin to avoid the problem in [1].

[1]
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2795:11
shift exponent 132 is too large for 32-bit type 'int'
Call Trace:
 dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
 dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
 txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
 txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
 txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
 jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734

Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Tested-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/jfs/jfs_dmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..8f8084756e32 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2291,6 +2291,8 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
 	int rc = 0;
 	int size;
 
+	if (tp->dmt_budmin < 0)
+		return -EUCLEAN;
 	/* determine the bit number and word within the dmap of the
 	 * starting block.
 	 */
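Review bot: the guard is placed in dbFreeBits, but the UBSAN report points at the shift inside dbJoin (fs/jfs/jfs_dmap.c:2795), so this only protects the one caller on the free path; consider moving the `dmt_budmin < 0` check into dbJoin itself, or validating the field once where the dmap is read from disk, so every path that reaches the BUDSIZE shift is covered rather than just the lazycommit free sequence in the trace. A second point on the same lines: returning bare -EUCLEAN silently drops the corruption on the floor, whereas the other sanity checks in this file report it through jfs_error() so the filesystem is marked and the operator gets a log line; also add a blank line after `return -EUCLEAN;` so the new check is visually separated from the existing comment block that follows it.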
-- 
2.43.0