[PATCH] jfs : fix shift-out-of-bounds in dbUpdatePMap

From: Manas Ghandat <hidden>
Date: 2023-08-27 05:06:28
Also in: lkml
Subsystem: filesystems (vfs and infrastructure), jfs filesystem, the rest · Maintainers: Alexander Viro, Christian Brauner, Dave Kleikamp, Linus Torvalds

Currently there is no bound check for number of logical blocks per
page (bmp->db_l2nbperpage). Added the required bound check for the
calculation of dmap.

Reported-by: syzbot+91ad2b52815a08caf4ea@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=91ad2b52815a08caf4ea
Fixes: 4d81715fc5df ("[PATCH] fs/jfs: Conversion to generic boolean")
Signed-off-by: Manas Ghandat <redacted>
---
 fs/jfs/jfs_dmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a3eb1e826947..6a5df296fdc8 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c

@@ -467,6 +467,10 @@ dbUpdatePMap(struct inode *ipbmap,
 	lastlblkno = 0;
 	for (rem = nblocks; rem > 0; rem -= nblks, blkno += nblks) {
 		/* get the buffer for the current dmap. */
+
+		if (bmp->db_l2nbperpage > L2BPERDMAP)
+			return -EIO;
+
 		lblkno = BLKTODMAP(blkno, bmp->db_l2nbperpage);
 		if (lblkno != lastlblkno) {
 			if (mp) {

-- 
2.37.2

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help