Re: [PATCH] jfs : fs array-index-out-of-bounds in txCommit

From: Dave Kleikamp
Date: Tue Oct 03 2023 - 15:16:39 EST

Next message: tip-bot2 for Uros Bizjak: "[tip: perf/core] perf/x86/rapl: Use local64_try_cmpxchg in rapl_event_update()"
Previous message: Ian Rogers: "[PATCH v2 2/2] bpftool: Align bpf_load_and_run_opts insns and data"
In reply to: Manas Ghandat: "Re: [PATCH] jfs : fs array-index-out-of-bounds in txCommit"
Next in thread: Manas Ghandat: "Re: [PATCH] jfs : fs array-index-out-of-bounds in txCommit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/19/23 10:55AM, Manas Ghandat wrote:

Currently there is no check for out of bound access for xad in the
struct xtpage_t. Added the required check at various places for the same

This won't work for the same reason I mentioned here:
https://lore.kernel.org/lkml/36683767-ad6c-477b-8b46-f10be2ad55d2@xxxxxxxxxx/

The size of the xad array can be either XTROOTMAXSLOT or XTPAGEMAXSLOT depending on whether it is the root, imbedded in the inode, or not. It is currently declared with the smaller value so we can use xtpage_t within the inode.

I had promised to address this, but haven't gotten to it yet. I'll try to carve out some time to do that.

Thanks,
Shaggy

Signed-off-by: Manas Ghandat <ghandatmanas@xxxxxxxxx>
Reported-by: syzbot+0558d19c373e44da3c18@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=0558d19c373e44da3c18
Fixes: df0cc57e057f
---
fs/jfs/jfs_txnmgr.c | 4 ++++
fs/jfs/jfs_xtree.c | 6 ++++++
2 files changed, 10 insertions(+)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index ce4b4760fcb1..6c6640942bed 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -1722,6 +1722,10 @@ static void xtLog(struct jfs_log * log, struct tblock * tblk, struct lrd * lrd,
jfs_err("xtLog: lwm > next");
goto out;
}
+ if (lwm >= XTROOTMAXSLOT) {
+ jfs_err("xtLog: lwm out of range");
+ goto out;
+ }
tlck->flag |= tlckUPDATEMAP;
xadlock->flag = mlckALLOCXADLIST;
xadlock->count = next - lwm;
diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c
index 2d304cee884c..57569c52663e 100644
--- a/fs/jfs/jfs_xtree.c
+++ b/fs/jfs/jfs_xtree.c
@@ -357,6 +357,9 @@ static int xtSearch(struct inode *ip, s64 xoff, s64 *nextp,
for (base = XTENTRYSTART; lim; lim >>= 1) {
index = base + (lim >> 1);
+ if (index >= XTROOTMAXSLOT)
+ goto out;
+
XT_CMP(cmp, xoff, &p->xad[index], t64);
if (cmp == 0) {
/*
@@ -618,6 +621,9 @@ int xtInsert(tid_t tid, /* transaction id */
memmove(&p->xad[index + 1], &p->xad[index],
(nextindex - index) * sizeof(xad_t));
+ if (index >= XTROOTMAXSLOT)
+ goto out;
+
/* insert the new entry: mark the entry NEW */
xad = &p->xad[index];
XT_PUTENTRY(xad, xflag, xoff, xlen, xaddr);

Next message: tip-bot2 for Uros Bizjak: "[tip: perf/core] perf/x86/rapl: Use local64_try_cmpxchg in rapl_event_update()"
Previous message: Ian Rogers: "[PATCH v2 2/2] bpftool: Align bpf_load_and_run_opts insns and data"
In reply to: Manas Ghandat: "Re: [PATCH] jfs : fs array-index-out-of-bounds in txCommit"
Next in thread: Manas Ghandat: "Re: [PATCH] jfs : fs array-index-out-of-bounds in txCommit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]