Message ID | 20230620164700.11083-1-code@siddh.me |
---|---|
State | New |
Series | [v3] jfs: jfs_dmap: Validate db_l2nbperpage while mounting |
Commit Message
Siddh Raman Pant
June 20, 2023, 4:47 p.m. UTC
In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
number inside dbFree(). db_l2nbperpage, which is the log2 number of
blocks per page, is passed as an argument to BLKTODMAP which uses it
for shifting.
Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
too big. This happens because the large value is set without any
validation in dbMount() at line 181.
Thus, make sure that db_l2nbperpage is correct while mounting.
Max number of blocks per page = Page size / Min block size
=> log2(Max num_block per page) = log2(Page size / Min block size)
= log2(Page size) - log2(Min block size)
=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE
Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
Cc: stable@vger.kernel.org
Suggested-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Siddh Raman Pant <code@siddh.me>
---
Changes in v3:
- Fix typo in commit message (number of pages -> number of blocks per page).
Changes in v2:
- Fix upper bound as pointed out in v1 by Shaggy.
- Add an explanation for the same in commit message for completeness.
fs/jfs/jfs_dmap.c | 6 ++++++
fs/jfs/jfs_filsys.h | 2 ++
2 files changed, 8 insertions(+)
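A user-space model of the mount-time bound derived in the commit message, added here as an example (not code from the patch or the kernel): it computes the maximum db_l2nbperpage as L2PSIZE - L2MINBLOCKSIZE = 3, rejects out-of-range values (including negative ones, which an upper bound alone would let through) and only then feeds the value to a shift. The BLKTODMAP formula and the le32 helper are assumptions reproduced from jfs headers, not taken from this page.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed model of the dbMount() check, not the kernel's code.
 * Constants mirror jfs: PSIZE 4096 -> L2PSIZE 12, MINBLOCKSIZE 512 -> 9. */
#define L2PSIZE         12
#define L2MINBLOCKSIZE  9
#define MAX_L2NBPERPAGE (L2PSIZE - L2MINBLOCKSIZE)  /* 12 - 9 = 3 */

/* Host-order value of a little-endian on-disk field (le32_to_cpu stand-in). */
static int32_t le32_to_host(const uint8_t raw[4])
{
    uint32_t v = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
                 (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
    return (int32_t)v;
}

/* Mount-time range check: 0 if usable, -EINVAL otherwise. jfs keeps
 * db_l2nbperpage in a signed int, so a negative shift count is rejected
 * along with an oversized one; both are undefined behaviour in C. */
int validate_l2nbperpage(int32_t l2nbperpage)
{
    if (l2nbperpage < 0 || l2nbperpage > MAX_L2NBPERPAGE)
        return -EINVAL;
    return 0;
}

/* Modelled on BLKTODMAP(b, s) from jfs_dmap.h (assumption: formula
 * reproduced from memory): dmap logical block for disk block b, with
 * s = db_l2nbperpage. Only call with an s that passed validation. */
int64_t blk_to_dmap(int64_t b, int s)
{
    return ((b >> 13) + (b >> 23) + (b >> 33) + 3 + 1) << s;
}

/* Constructed on-disk samples: 3 (max for 4 KiB page / 512 B block),
 * 4 (one too many), 0x7fffffff (oversized), 0xffffffff (-1 as int).
 * Returns how many of them the mount check lets through. */
int accepted_count(void)
{
    static const uint8_t samples[4][4] = {
        {3, 0, 0, 0}, {4, 0, 0, 0},
        {0xff, 0xff, 0xff, 0x7f}, {0xff, 0xff, 0xff, 0xff}
    };
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (validate_l2nbperpage(le32_to_host(samples[i])) == 0)
            n++;
    return n;   /* 1: only the first sample passes */
}
```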
Comments
On 6/20/23 11:47AM, Siddh Raman Pant wrote: > In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block > number inside dbFree(). db_l2nbperpage, which is the log2 number of > blocks per page, is passed as an argument to BLKTODMAP which uses it > for shifting. > > Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is > too big. This happens because the large value is set without any > validation in dbMount() at line 181. > > Thus, make sure that db_l2nbperpage is correct while mounting. > > Max number of blocks per page = Page size / Min block size > => log2(Max num_block per page) = log2(Page size / Min block size) > = log2(Page size) - log2(Min block size) > > => Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE Thanks. Applied to jfs-next. > > Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715 > Cc: stable@vger.kernel.org > Suggested-by: Dave Kleikamp <dave.kleikamp@oracle.com> > Signed-off-by: Siddh Raman Pant <code@siddh.me> > --- > Changes in v3: > - Fix typo in commit message (number of pages -> number of blocks per page). > > Changes in v2: > - Fix upper bound as pointed out in v1 by Shaggy. > - Add an explanation for the same in commit message for completeness. > > fs/jfs/jfs_dmap.c | 6 ++++++ > fs/jfs/jfs_filsys.h | 2 ++ > 2 files changed, 8 insertions(+) > > diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c > index a3eb1e826947..da6a2bc6bf02 100644 > --- a/fs/jfs/jfs_dmap.c > +++ b/fs/jfs/jfs_dmap.c 
> @@ -178,7 +178,13 @@ int dbMount(struct inode *ipbmap) > dbmp_le = (struct dbmap_disk *) mp->data; > bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); > bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); > + > bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); > + if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) { > + err = -EINVAL; > + goto err_release_metapage; > + } > + > bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); > if (!bmp->db_numag) { > err = -EINVAL; > diff --git a/fs/jfs/jfs_filsys.h b/fs/jfs/jfs_filsys.h > index b5d702df7111..33ef13a0b110 100644 > --- a/fs/jfs/jfs_filsys.h > +++ b/fs/jfs/jfs_filsys.h > @@ -122,7 +122,9 @@ > #define NUM_INODE_PER_IAG INOSPERIAG > > #define MINBLOCKSIZE 512 > +#define L2MINBLOCKSIZE 9 > #define MAXBLOCKSIZE 4096 > +#define L2MAXBLOCKSIZE 12 > #define MAXFILESIZE ((s64)1 << 52) > > #define JFS_LINK_MAX 0xffffffff
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index a3eb1e826947..da6a2bc6bf02 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -178,7 +178,13 @@ int dbMount(struct inode *ipbmap) dbmp_le = (struct dbmap_disk *) mp->data; bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); + if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) { + err = -EINVAL; + goto err_release_metapage; + } + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); if (!bmp->db_numag) { err = -EINVAL; diff --git a/fs/jfs/jfs_filsys.h b/fs/jfs/jfs_filsys.h index b5d702df7111..33ef13a0b110 100644 --- a/fs/jfs/jfs_filsys.h +++ b/fs/jfs/jfs_filsys.h @@ -122,7 +122,9 @@ #define NUM_INODE_PER_IAG INOSPERIAG #define MINBLOCKSIZE 512 +#define L2MINBLOCKSIZE 9 #define MAXBLOCKSIZE 4096 +#define L2MAXBLOCKSIZE 12 #define MAXFILESIZE ((s64)1 << 52) #define JFS_LINK_MAX 0xffffffff
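Review bot: the new check in the dbMount() hunk only bounds db_l2nbperpage from above. The value comes straight from le32_to_cpu() of an on-disk field, so if the in-core field is a signed int a negative value passes `> L2PSIZE - L2MINBLOCKSIZE` and still reaches the shift in BLKTODMAP, which is just as undefined as an oversized count. Consider `if (bmp->db_l2nbperpage < 0 || bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE)`. Since the aggregate block size is also known at mount time, an exact comparison against L2PSIZE minus the log2 block size would reject mismatched images rather than only oversized shifts; that could be a follow-up if it is out of scope here.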
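Review bot: in the jfs_filsys.h hunk, L2MAXBLOCKSIZE is defined but nothing in the diff uses it; either drop it until it has a user or note in the commit message that it is added for symmetry with L2MINBLOCKSIZE. Both log2 constants are hardcoded beside `#define MINBLOCKSIZE 512` and `#define MAXBLOCKSIZE 4096` with nothing tying them together; a short comment such as `/* log2(MINBLOCKSIZE) */`, or a BUILD_BUG_ON(1 << L2MINBLOCKSIZE != MINBLOCKSIZE) at a use site, would keep them from drifting apart.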