From: Edward AD
To: syzbot+4a2376bc62e59406c414@syzkaller.appspotmail.com
Cc: akpm@linux-foundation.org, hughd@google.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] fs/hfsplus: expand s_vhdr_buf size to avoid slab oob
Date: Tue, 26 Sep 2023 18:24:55 +0800
Message-ID: <20230926102454.992535-2-twuufnxlz@gmail.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <000000000000820e380606161640@google.com>
References: <000000000000820e380606161640@google.com>

The memory allocated to s_vhdr_buf in the function hfsplus_read_wrapper is too small, resulting in a slab out-of-bounds issue when copying data with copy_page_from_iter_atomic. When allocating memory to s_vhdr_buf, take the maximum value between hfsplus_min_io_size(sb) and PAGE_SIZE to avoid similar issues.

Reported-and-tested-by: syzbot+4a2376bc62e59406c414@syzkaller.appspotmail.com
Signed-off-by: Edward AD
---
 fs/hfsplus/wrapper.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/hfsplus/wrapper.c b/fs/hfsplus/wrapper.c
index 0b791adf02e5..56bee8dbe532 100644
--- a/fs/hfsplus/wrapper.c
+++ b/fs/hfsplus/wrapper.c
@@ -163,7 +163,7 @@ int hfsplus_read_wrapper(struct super_block *sb) struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb); struct hfsplus_wd wd; sector_t part_start, part_size; - u32 blocksize; + u32 blocksize, bufsize; int error = 0; error = -EINVAL; 
@@ -175,10 +175,11 @@ int hfsplus_read_wrapper(struct super_block *sb) goto out; error = -ENOMEM; - sbi->s_vhdr_buf = kmalloc(hfsplus_min_io_size(sb), GFP_KERNEL); + bufsize = max_t(u32, hfsplus_min_io_size(sb), PAGE_SIZE); + sbi->s_vhdr_buf = kmalloc(bufsize, GFP_KERNEL); if (!sbi->s_vhdr_buf) goto out; - sbi->s_backup_vhdr_buf = kmalloc(hfsplus_min_io_size(sb), GFP_KERNEL); + sbi->s_backup_vhdr_buf = kmalloc(bufsize, GFP_KERNEL); if (!sbi->s_backup_vhdr_buf) goto out_free_vhdr; -- 2.25.1
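Review bot: in the first hunk, `bufsize` is declared `u32` while `PAGE_SIZE` is `unsigned long` and `kmalloc()` takes a `size_t`, so the `max_t(u32, hfsplus_min_io_size(sb), PAGE_SIZE)` in the following hunk relies on a narrowing cast rather than on matching types. Declaring it `size_t` and using `max_t(size_t, ...)` keeps the comparison and the allocation in the allocator's own type and avoids a silent truncation should either operand ever exceed 32 bits.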
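Review bot: in the second hunk, raising the allocation to `max_t(u32, hfsplus_min_io_size(sb), PAGE_SIZE)` is not justified against the code that writes into `s_vhdr_buf`; the commit message names `copy_page_from_iter_atomic` as the overflowing copy, which indicates the read path fills the buffer by page rather than by `hfsplus_min_io_size(sb)`, but neither the message nor the diff states the bound on that copy length. A PAGE_SIZE minimum removes the overflow only if that path never writes more than a page; the change should either derive `bufsize` from the length the read path actually submits or make the read path honor `hfsplus_min_io_size(sb)`, and the commit message should say which. Sizing `s_backup_vhdr_buf` from the same `bufsize` as the primary buffer is consistent and correct.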