Re: [PATCH] jfs: fix shift-out-of-bounds in dbJoin

From: Dave Kleikamp
Date: Wed Nov 01 2023 - 11:57:42 EST


On 10/11/23 9:39AM, Manas Ghandat wrote:
Currently, while joining the leaf in a buddy system, there is a shift-out-of-bounds
error in the calculation of BUDSIZE. Added the required check
to BUDSIZE and fixed the documentation as well.

Looks good.

Thanks,
Shaggy


Reported-by: syzbot+411debe54d318eaed386@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=411debe54d318eaed386
Signed-off-by: Manas Ghandat <ghandatmanas@xxxxxxxxx>
---
fs/jfs/jfs_dmap.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 6b838d3ae7c2..baa97bda1c7a 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2730,7 +2730,9 @@ static int dbBackSplit(dmtree_t * tp, int leafno)
* leafno - the number of the leaf to be updated.
* newval - the new value for the leaf.
*
- * RETURN VALUES: none
+ * RETURN VALUES:
+ * 0 - success
+ * -EIO - i/o error
*/
static int dbJoin(dmtree_t * tp, int leafno, int newval)
{
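Review bot: the new RETURN VALUES entry documents -EIO as "i/o error", but the only failure this patch adds to dbJoin is a range check on newval before the BUDSIZE shift, which signals an invalid leaf value in the dmap tree rather than a failed read or write; consider wording the entry to match the condition it reports, e.g. `-EIO - invalid leaf value (corrupt dmap tree)`, so readers of the header do not look for an I/O path that does not exist.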
@@ -2757,6 +2759,10 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval)
* get the buddy size (number of words covered) of
* the new value.
*/
+
+ if ((newval - tp->dmt_budmin) > BUDMIN)
+ return -EIO;
+
budsz = BUDSIZE(newval, tp->dmt_budmin);
/* try to join.
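Review bot: the added check lands between the block comment that describes the budsz computation and the `budsz = BUDSIZE(newval, tp->dmt_budmin);` line that comment documents, and the surrounding blank lines leave the comment orphaned from its statement; move the check above the comment and give it its own one-line comment stating why it is there, e.g. `/* keep the shift amount in BUDSIZE() within range for a bad leaf value */`, since nothing in the hunk otherwise ties `(newval - tp->dmt_budmin) > BUDMIN` to the shift it protects. As written the check also returns -EIO without any diagnostic, so a corrupt dmap tree surfaces to the caller as a plain I/O failure with no trace of the leaf value that triggered it.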