Jiri Slaby 892913
From: Liu Shixin via Jfs-discussion <jfs-discussion@lists.sourceforge.net>
Date: Thu, 3 Nov 2022 11:01:59 +0800
Subject: [PATCH] fs/jfs: fix shift exponent db_agl2size negative
References: bsc#1012628
Patch-mainline: 6.2.5
Git-commit: fad376fce0af58deebc5075b8539dc05bf639af3
[ Upstream commit fad376fce0af58deebc5075b8539dc05bf639af3 ]
As a shift exponent, db_agl2size can not be less than 0. Add the missing
check to fix the shift-out-of-bounds bug reported by syzkaller:
 UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15
 shift exponent -744642816 is negative
Reported-by: syzbot+0be96567042453c0c820@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/jfs/jfs_dmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 76583857..a3eb1e82 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -193,7 +193,8 @@ int dbMount(struct inode *ipbmap)
 	bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
 	bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
 	bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
-	if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
+	if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
+	    bmp->db_agl2size < 0) {
 		err = -EINVAL;
 		goto err_release_metapage;
 	}
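Review bot: the added lower bound `bmp->db_agl2size < 0` is checked at the right place (dbMount, where the value is decoded from on-disk metadata with le32_to_cpu), but the two neighbouring fields read on the same lines, `db_agwidth` and `db_agstart`, remain unvalidated in this hunk; if they are also consumed as shift exponents or array indices elsewhere, they deserve the same kind of range check. A short comment above the `if` noting that `db_agl2size` is later used as a shift exponent (the commit message cites fs/jfs/jfs_dmap.c:2227) would explain why 0 is the lower bound and keep a future refactor from dropping it.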
-- 
2.35.3
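The commit message describes the defect class: a signed value decoded from untrusted on-disk metadata is used directly as a shift exponent, so a negative value (or one above the bit width) is undefined behaviour, which UBSAN reports as shift-out-of-bounds. The following is an added, stand-alone C example (not code from the JFS patch or the kernel) that mirrors the patched pattern: decode the little-endian field, reject it when it is above an upper bound or below 0, and only then shift. The upper bound EX_MAX_L2SIZE and the function names are assumptions standing in for the kernel's L2MAXL2SIZE - L2MAXAG and dbMount; the sample byte strings in the test are constructed, one of them encoding the -744642816 value quoted in the report.

```c
/* Added example, not part of the JFS patch: validate an on-disk log2 field
 * before it is used as a shift exponent. EX_MAX_L2SIZE is an assumed bound
 * standing in for the kernel's L2MAXL2SIZE - L2MAXAG. */
#include <stdint.h>
#include <errno.h>
#include <string.h>

#define EX_MAX_L2SIZE 26   /* assumed upper bound for the exponent */

/* Decode a little-endian 32-bit on-disk field into a host int32_t,
 * reinterpreting the bit pattern as signed the way the kernel's
 * `int db_agl2size = le32_to_cpu(...)` does. */
static int32_t le32_field(const unsigned char b[4])
{
    uint32_t v = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                 ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    int32_t s;
    memcpy(&s, &v, sizeof s);
    return s;
}

/* Mirror of the patched check: reject exponents above the limit or below 0.
 * Returns 0 and stores the value on success, -EINVAL otherwise. */
int validate_agl2size(const unsigned char raw[4], int32_t *out)
{
    int32_t agl2size = le32_field(raw);
    if (agl2size > EX_MAX_L2SIZE || agl2size < 0)
        return -EINVAL;
    *out = agl2size;
    return 0;
}

/* Derive the allocation-group size in blocks only after validation.
 * Returns 0 when the field is rejected, so the shift never runs with a
 * negative or oversized exponent. */
uint64_t ag_size_from_disk(const unsigned char raw[4])
{
    int32_t l2;
    if (validate_agl2size(raw, &l2) != 0)
        return 0;
    return (uint64_t)1 << l2;
}
```

The ordering is the whole point: the exponent is checked against both bounds at the moment it is decoded from the untrusted buffer, not at each of the places that later shift by it, so a single missed call site cannot reintroduce the undefined shift.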