From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Rustam Kovhaev <rkovhaev@gmail.com>,
Jan Kara <jack@suse.cz>,
syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
Subject: [PATCH 4.4 11/19] reiserfs: add check for an invalid ih_entry_count
Date: Thu, 7 Jan 2021 15:16:36 +0100
Message-ID: <20210107140828.109909866@linuxfoundation.org>
In-Reply-To: <20210107140827.584658199@linuxfoundation.org>

From: Rustam Kovhaev <rkovhaev@gmail.com>

commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.

When a directory item has an invalid value set for ih_entry_count, it might
trigger a use-after-free or out-of-bounds read in bin_search_in_dir_item().

ih_entry_count * IH_SIZE for a directory item should not be larger than
ih_item_len.

Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/reiserfs/stree.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/reiserfs/stree.c
+++ b/fs/reiserfs/stree.c
@@ -453,6 +453,12 @@ static int is_leaf(char *buf, int blocks
"(second one): %h", ih);
return 0;
}
+ if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
+ reiserfs_warning(NULL, "reiserfs-5093",
+ "item entry count seems wrong %h",
+ ih);
+ return 0;
+ }
prev_location = ih_location(ih);
}
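
Review bot: the new condition in is_leaf() bounds ih_entry_count(ih) by IH_SIZE, which by its name is the size of an item header rather than of a directory entry, and neither the hunk nor the commit message says why that is the right per-entry minimum. If the fixed per-entry overhead inside a directory item is the entry head (DEH_SIZE in reiserfs), comparing ih_item_len(ih) against ih_entry_count(ih) * DEH_SIZE would state the invariant directly and would not reject items whose entries are smaller than IH_SIZE; otherwise a one-line comment above the check giving the reasoning would help. Note also that this is only a size bound on the count: it does not validate the per-entry locations that bin_search_in_dir_item() goes on to use, so the commit message should not be read as closing every out-of-bounds path. The condition line is also well past 80 columns and could be wrapped after the &&.
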