diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-11-21 09:59:59 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-11-21 09:59:59 -0800 |
commit | fc39fb56917bb3cb53e99560ca3612a84456ada2 (patch) | |
tree | 9a25ec524e597451fd95ca0a209c6113d73b2a23 /fs | |
parent | 6a550ae5560f7237c82dc9c0c128ba1d593c4dde (diff) | |
parent | a174706ba4dad895c40b1d2277bade16dfacdcd9 (diff) |
Merge tag 'jfs-6.13' of github.com:kleikamp/linux-shaggy
Pull jfs updates from Dave Kleikamp:
"A few more patches to add sanity checks in jfs"
* tag 'jfs-6.13' of github.com:kleikamp/linux-shaggy:
jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
jfs: xattr: check invalid xattr size more strictly
jfs: fix array-index-out-of-bounds in jfs_readdir
jfs: fix shift-out-of-bounds in dbSplit
jfs: array-index-out-of-bounds fix in dtReadFirst
Diffstat (limited to 'fs')
-rw-r--r-- | fs/jfs/jfs_dmap.c | 6 | ||||
-rw-r--r-- | fs/jfs/jfs_dtree.c | 15 | ||||
-rw-r--r-- | fs/jfs/xattr.c | 2 |
3 files changed, 22 insertions, 1 deletions
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 3ab410059dc2..f9009e4f9ffd 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -1820,6 +1820,9 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results) return -EIO; dp = (struct dmap *) mp->data; + if (dp->tree.budmin < 0) + return -EIO; + /* try to allocate the blocks. */ rc = dbAllocDmapLev(bmp, dp, (int) nblocks, l2nb, results); @@ -2888,6 +2891,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) /* bubble the new value up the tree as required. */ for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { + if (lp == 0) + break; + /* get the index of the first leaf of the 4 leaf * group containing the specified leaf (leafno). */ diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c index 5d3127ca68a4..8f85177f284b 100644 --- a/fs/jfs/jfs_dtree.c +++ b/fs/jfs/jfs_dtree.c @@ -2891,6 +2891,14 @@ int jfs_readdir(struct file *file, struct dir_context *ctx) stbl = DT_GETSTBL(p); for (i = index; i < p->header.nextindex; i++) { + if (stbl[i] < 0 || stbl[i] > 127) { + jfs_err("JFS: Invalid stbl[%d] = %d for inode %ld, block = %lld", + i, stbl[i], (long)ip->i_ino, (long long)bn); + free_page(dirent_buf); + DT_PUTPAGE(mp); + return -EIO; + } + d = (struct ldtentry *) & p->slot[stbl[i]]; if (((long) jfs_dirent + d->namlen + 1) > @@ -3086,6 +3094,13 @@ static int dtReadFirst(struct inode *ip, struct btstack * btstack) /* get the leftmost entry */ stbl = DT_GETSTBL(p); + + if (stbl[0] < 0 || stbl[0] > 127) { + DT_PUTPAGE(mp); + jfs_error(ip->i_sb, "stbl[0] out of bound\n"); + return -EIO; + } + xd = (pxd_t *) & p->slot[stbl[0]]; /* get the child page block address */ diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c index 0fb05e314edf..24afbae87225 100644 --- a/fs/jfs/xattr.c +++ b/fs/jfs/xattr.c @@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) size_check: if (EALIST_SIZE(ea_buf->xattr) != ea_size) { - int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); + int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); printk(KERN_ERR "ea_get: invalid extended attribute\n"); print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, |