hamza.kesraoui/sst-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a1.2
sst-linux/fs/jfs
History
Roman Smirnov 78f06805cf jfs: add index corruption check to DT_GETPAGE() 
commit a8dfb2168906944ea61acfc87846b816eeab882d upstream.

If the file system is corrupted, the header.stblindex variable
may become greater than 127. Because of this, an array access out
of bounds may occur:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3096:10
index 237 is out of range for type 'struct dtslot[128]'
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor740 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 dtReadFirst+0x622/0xc50 fs/jfs/jfs_dtree.c:3096
 dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
 jfs_readdir+0x9aa/0x3c50 fs/jfs/jfs_dtree.c:2862
 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
 iterate_dir+0x571/0x800 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:403 [inline]
 __se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
---[ end trace ]---

Add a stblindex check for corruption.

Reported-by: syzbot <syzbot+9120834fc227768625ba@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=9120834fc227768625ba
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:33:43 +02:00
..
acl.c
file.c
inode.c
ioctl.c
jfs_acl.h
jfs_btree.h
jfs_debug.c
jfs_debug.h
jfs_dinode.h
jfs_discard.c jfs: Fix uaf in dbFreeBits 2024-10-17 15:21:44 +02:00
jfs_discard.h
jfs_dmap.c jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree 2024-12-14 19:54:43 +01:00
jfs_dmap.h
jfs_dtree.c jfs: add index corruption check to DT_GETPAGE() 2025-04-10 14:33:43 +02:00
jfs_dtree.h
jfs_extent.c
jfs_extent.h
jfs_filsys.h
jfs_imap.c jfs: fix out-of-bounds in dbNextAG() and diAlloc() 2024-10-17 15:20:52 +02:00
jfs_imap.h
jfs_incore.h
jfs_inode.c
jfs_inode.h
jfs_lock.h
jfs_logmgr.c
jfs_logmgr.h
jfs_metapage.c
jfs_metapage.h
jfs_mount.c jfs: fix uaf in jfs_evict_inode 2024-02-05 20:12:48 +00:00
jfs_superblock.h
jfs_txnmgr.c
jfs_txnmgr.h
jfs_types.h
jfs_umount.c
jfs_unicode.c
jfs_unicode.h
jfs_uniupr.c
jfs_xattr.h
jfs_xtree.c
jfs_xtree.h
Kconfig
Makefile
namei.c
resize.c
super.c
symlink.c
xattr.c jfs: fix slab-out-of-bounds read in ea_get() 2025-04-10 14:33:43 +02:00