dummy/linux-stable-mirror
1
0
Fork 1
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ synced 2025-04-20 05:08:28 +09:00
Code Issues Packages Projects Releases Wiki Activity
linux-stable-mirror/fs/jfs
History
Roman Smirnov 2d9709690f jfs: add index corruption check to DT_GETPAGE() 
commit a8dfb2168906944ea61acfc87846b816eeab882d upstream.

If the file system is corrupted, the header.stblindex variable
may become greater than 127. Because of this, an array access out
of bounds may occur:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3096:10
index 237 is out of range for type 'struct dtslot[128]'
CPU: 0 UID: 0 PID: 5822 Comm: syz-executor740 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 dtReadFirst+0x622/0xc50 fs/jfs/jfs_dtree.c:3096
 dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
 jfs_readdir+0x9aa/0x3c50 fs/jfs/jfs_dtree.c:2862
 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
 iterate_dir+0x571/0x800 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:403 [inline]
 __se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>
---[ end trace ]---

Add a stblindex check for corruption.

Reported-by: syzbot <syzbot+9120834fc227768625ba@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=9120834fc227768625ba
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:39:40 +02:00
..
acl.c
jfs: convert to ctime accessor functions
2023-07-24 10:30:01 +02:00
file.c
splice: Use filemap_splice_read() instead of generic_file_splice_read()
2023-05-24 08:42:17 -06:00
inode.c
fs: Convert aops->write_begin to take a folio
2024-08-07 11:33:21 +02:00
ioctl.c
jfs: convert to ctime accessor functions
2023-07-24 10:30:01 +02:00
jfs_acl.h
fs: port ->set_acl() to pass mnt_idmap
2023-01-19 09:24:27 +01:00
jfs_btree.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_debug.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
jfs_debug.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_dinode.h
jfs: define xtree root and page independently
2023-10-13 10:39:25 -05:00
jfs_discard.c
jfs: Fix uaf in dbFreeBits
2024-08-27 11:32:43 -05:00
jfs_discard.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_dmap.c
jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
2024-12-14 20:03:52 +01:00
jfs_dmap.h
jfs: Fix array index bounds check in dbAdjTree
2020-11-13 16:03:07 -06:00
jfs_dtree.c
jfs: add index corruption check to DT_GETPAGE()
2025-04-10 14:39:40 +02:00
jfs_dtree.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_extent.c
jfs: validate max amount of blocks before allocation.
2023-08-29 12:25:47 -05:00
jfs_extent.h
jfs: remove unused declarations for jfs
2022-10-18 08:50:26 -05:00
jfs_filsys.h
jfs: jfs_dmap: Validate db_l2nbperpage while mounting
2023-06-20 12:37:50 -05:00
jfs_imap.c
jfs: fix out-of-bounds in dbNextAG() and diAlloc()
2024-08-23 14:15:00 -05:00
jfs_imap.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_incore.h
quota: Properly annotate i_dquot arrays with __rcu
2024-02-08 12:04:59 +01:00
jfs_inode.c
jfs: convert to new timestamp accessors
2023-10-18 14:08:23 +02:00
jfs_inode.h
fs: port ->fileattr_set() to pass mnt_idmap
2023-01-19 09:24:27 +01:00
jfs_lock.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_logmgr.c
jfs: Change metapage->page to metapage->folio
2024-05-27 20:37:06 -05:00
jfs_logmgr.h
jfs: port block device access to file
2024-02-25 12:05:26 +01:00
jfs_metapage.c
jfs: Remove use of folio error flag
2024-05-27 20:37:06 -05:00
jfs_metapage.h
jfs: Change metapage->page to metapage->folio
2024-05-27 20:37:06 -05:00
jfs_mount.c
jfs: port block device access to file
2024-02-25 12:05:26 +01:00
jfs_superblock.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_txnmgr.c
jfs: Add missing set_freezable() for freezable kthread
2024-01-02 11:06:52 -06:00
jfs_txnmgr.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_types.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_umount.c
jfs: Fix a typo in function jfs_umount
2022-11-10 15:08:00 -06:00
jfs_unicode.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
jfs_unicode.h
fs/jfs: Use common ucs2 upper case table
2023-08-30 08:55:52 -05:00
jfs_xattr.h
jfs: move jfs_xattr_handlers to .rodata
2023-10-09 16:24:19 +02:00
jfs_xtree.c
jfs: define xtree root and page independently
2023-10-13 10:39:25 -05:00
jfs_xtree.h
jfs: define xtree root and page independently
2023-10-13 10:39:25 -05:00
Kconfig
22 smb3/cifs client fixes and two related changes (for unicode mapping)
2023-08-30 21:01:40 -07:00
Makefile
fs/jfs: Use common ucs2 upper case table
2023-08-30 08:55:52 -05:00
namei.c
jfs: convert to new timestamp accessors
2023-10-18 14:08:23 +02:00
resize.c
jfs: use sb_bdev_nr_blocks
2021-10-18 14:43:23 -06:00
super.c
\n
2024-03-13 14:30:58 -07:00
symlink.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
xattr.c
jfs: fix slab-out-of-bounds read in ea_get()
2025-04-10 14:39:40 +02:00