[PATCH OLK-5.10] jfs: check if leafidx greater than num leaves per dmap tree - Kernel

25 Oct 2024

From: Edward Adam Davis eadavis@qq.com
stable inclusion
from stable-v5.10.227
commit 2451e5917c56be45d4add786e2a059dd9c2c37c4
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAK
CVE: CVE-2024-49902
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ]
syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater
than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.
Shaggy:
Modified sanity check to apply to control pages as well as leaf pages.
Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890
Signed-off-by: Edward Adam Davis eadavis@qq.com
Signed-off-by: Dave Kleikamp dave.kleikamp@oracle.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Yifan Qiao qiaoyifan4@huawei.com
---
 fs/jfs/jfs_dmap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 2bbdae936076..fa12fc979799 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3011,9 +3011,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
 static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
 {
    int ti, n = 0, k, x = 0;
-	int max_size;
+	int max_size, max_idx;
max_size = is_ctl ? CTLTREESIZE : TREESIZE;
+	max_idx = is_ctl ? LPERCTL : LPERDMAP;
/* first check the root of the tree to see if there is
     * sufficient free space.
@@ -3045,6 +3046,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
    	 */
    	assert(n < 4);
    }
+	if (le32_to_cpu(tp->dmt_leafidx) >= max_idx)
+		return -ENOSPC;
/* set the return to the leftmost leaf describing sufficient
     * free space.
-- 
2.39.2


    