* [PATCH] jfs: upper bound check of tree index in dbAllocAG
@ 2025-04-23 22:13 Arnaud Lecomte
2025-07-11 19:23 ` [Jfs-discussion] " Dave Kleikamp
0 siblings, 1 reply; 6+ messages in thread
From: Arnaud Lecomte @ 2025-04-23 22:13 UTC (permalink / raw)
To: Dave Kleikamp
Cc: jfs-discussion, linux-kernel, skhan, syzbot+cffd18309153948f3c3e,
Arnaud Lecomte
When computing the tree index in dbAllocAG, we never check we are not
out of bounds from the size of the stree.
This could happen in a scenario where the filesystem metadata are
corrupted.
Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
Fixes: 263e55949d89 ("x86/cpu/amd: Fix workaround for erratum 1054")
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
---
fs/jfs/jfs_dmap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 26e89d0c69b6..7acebb9a21b0 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
(1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
+ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
+ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti out of bounds\n");
+ release_metapage(mp);
+ return -EIO;
+ }
+
/* dmap control page trees fan-out by 4 and a single allocation
* group may be described by 1 or 2 subtrees within the ag level
* dmap control page, depending upon the ag size. examine the ag's
---
base-commit: 8560697b23dc2f405cb463af2b17256a9888129d
change-id: 20250423-ubsan-jfs-3a58acae5e57
Best regards,
--
Arnaud Lecomte <contact@arnaud-lcm.com>
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [Jfs-discussion] [PATCH] jfs: upper bound check of tree index in dbAllocAG
2025-04-23 22:13 [PATCH] jfs: upper bound check of tree index in dbAllocAG Arnaud Lecomte
@ 2025-07-11 19:23 ` Dave Kleikamp
2025-07-14 20:35 ` Lecomte, Arnaud
2025-07-28 18:14 ` Arnaud Lecomte
0 siblings, 2 replies; 6+ messages in thread
From: Dave Kleikamp @ 2025-07-11 19:23 UTC (permalink / raw)
To: Arnaud Lecomte, Dave Kleikamp
Cc: jfs-discussion, syzbot+cffd18309153948f3c3e, linux-kernel, skhan
I'm finally trying to catch up.
On 4/23/25 5:13PM, Arnaud Lecomte via Jfs-discussion wrote:
> When computing the tree index in dbAllocAG, we never check we are not
> out of bounds from the size of the stree.
> This could happen in a scenario where the filesystem metadata are
> corrupted.
Looks good. I'll apply and test this.
>
> Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
> Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
> Fixes: 263e55949d89 ("x86/cpu/amd: Fix workaround for erratum 1054")
Removing the Fixes: line. This doesn't make sense.
> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
> ---
> fs/jfs/jfs_dmap.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index 26e89d0c69b6..7acebb9a21b0 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
> (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
> ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
>
> + if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
> + jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti out of bounds\n");
> + release_metapage(mp);
> + return -EIO;
> + }
> +
> /* dmap control page trees fan-out by 4 and a single allocation
> * group may be described by 1 or 2 subtrees within the ag level
> * dmap control page, depending upon the ag size. examine the ag's
>
> ---
> base-commit: 8560697b23dc2f405cb463af2b17256a9888129d
> change-id: 20250423-ubsan-jfs-3a58acae5e57
>
> Best regards,
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Jfs-discussion] [PATCH] jfs: upper bound check of tree index in dbAllocAG
2025-07-11 19:23 ` [Jfs-discussion] " Dave Kleikamp
@ 2025-07-14 20:35 ` Lecomte, Arnaud
2025-07-27 9:55 ` Arnaud Lecomte
2025-07-28 18:14 ` Arnaud Lecomte
1 sibling, 1 reply; 6+ messages in thread
From: Lecomte, Arnaud @ 2025-07-14 20:35 UTC (permalink / raw)
To: Dave Kleikamp, Dave Kleikamp
Cc: jfs-discussion, syzbot+cffd18309153948f3c3e, linux-kernel, skhan
Thanks Dave !
On 11/07/2025 20:23, Dave Kleikamp wrote:
> I'm finally trying to catch up.
>
> On 4/23/25 5:13PM, Arnaud Lecomte via Jfs-discussion wrote:
>> When computing the tree index in dbAllocAG, we never check we are not
>> out of bounds from the size of the stree.
>> This could happen in a scenario where the filesystem metadata are
>> corrupted.
>
> Looks good. I'll apply and test this.
>
>>
>> Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
>> Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>> Fixes: 263e55949d89 ("x86/cpu/amd: Fix workaround for erratum 1054")
>
> Removing the Fixes: line. This doesn't make sense.
>
>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
>> ---
>> fs/jfs/jfs_dmap.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
>> index 26e89d0c69b6..7acebb9a21b0 100644
>> --- a/fs/jfs/jfs_dmap.c
>> +++ b/fs/jfs/jfs_dmap.c
>> @@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64
>> nblocks, int l2nb, s64 * results)
>> (1 << (L2LPERCTL - (bmp->db_agheight << 1))) /
>> bmp->db_agwidth;
>> ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
>> + if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
>> + jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti
>> out of bounds\n");
>> + release_metapage(mp);
>> + return -EIO;
>> + }
>> +
>> /* dmap control page trees fan-out by 4 and a single allocation
>> * group may be described by 1 or 2 subtrees within the ag level
>> * dmap control page, depending upon the ag size. examine the ag's
>>
>> ---
>> base-commit: 8560697b23dc2f405cb463af2b17256a9888129d
>> change-id: 20250423-ubsan-jfs-3a58acae5e57
>>
>> Best regards,
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Jfs-discussion] [PATCH] jfs: upper bound check of tree index in dbAllocAG
2025-07-14 20:35 ` Lecomte, Arnaud
@ 2025-07-27 9:55 ` Arnaud Lecomte
2025-07-28 17:58 ` Dave Kleikamp
0 siblings, 1 reply; 6+ messages in thread
From: Arnaud Lecomte @ 2025-07-27 9:55 UTC (permalink / raw)
To: Dave Kleikamp, Dave Kleikamp
Cc: jfs-discussion, syzbot+cffd18309153948f3c3e, linux-kernel, skhan
Hi Dave,
I am bumping the thread as I was wondering if you have some updates.
Thanks !
On 14/07/2025 21:35, Lecomte, Arnaud wrote:
> Thanks Dave !
>
> On 11/07/2025 20:23, Dave Kleikamp wrote:
>> I'm finally trying to catch up.
>>
>> On 4/23/25 5:13PM, Arnaud Lecomte via Jfs-discussion wrote:
>>> When computing the tree index in dbAllocAG, we never check we are not
>>> out of bounds from the size of the stree.
>>> This could happen in a scenario where the filesystem metadata are
>>> corrupted.
>>
>> Looks good. I'll apply and test this.
>>
>>>
>>> Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
>>> Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>>> Fixes: 263e55949d89 ("x86/cpu/amd: Fix workaround for erratum 1054")
>>
>> Removing the Fixes: line. This doesn't make sense.
>>
>>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
>>> ---
>>> fs/jfs/jfs_dmap.c | 6 ++++++
>>> 1 file changed, 6 insertions(+)
>>>
>>> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
>>> index 26e89d0c69b6..7acebb9a21b0 100644
>>> --- a/fs/jfs/jfs_dmap.c
>>> +++ b/fs/jfs/jfs_dmap.c
>>> @@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64
>>> nblocks, int l2nb, s64 * results)
>>> (1 << (L2LPERCTL - (bmp->db_agheight << 1))) /
>>> bmp->db_agwidth;
>>> ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
>>> + if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
>>> + jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti
>>> out of bounds\n");
>>> + release_metapage(mp);
>>> + return -EIO;
>>> + }
>>> +
>>> /* dmap control page trees fan-out by 4 and a single allocation
>>> * group may be described by 1 or 2 subtrees within the ag level
>>> * dmap control page, depending upon the ag size. examine the
>>> ag's
>>>
>>> ---
>>> base-commit: 8560697b23dc2f405cb463af2b17256a9888129d
>>> change-id: 20250423-ubsan-jfs-3a58acae5e57
>>>
>>> Best regards,
>>
>>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Jfs-discussion] [PATCH] jfs: upper bound check of tree index in dbAllocAG
2025-07-27 9:55 ` Arnaud Lecomte
@ 2025-07-28 17:58 ` Dave Kleikamp
0 siblings, 0 replies; 6+ messages in thread
From: Dave Kleikamp @ 2025-07-28 17:58 UTC (permalink / raw)
To: Arnaud Lecomte
Cc: jfs-discussion, syzbot+cffd18309153948f3c3e, linux-kernel, skhan
On 7/27/25 4:55AM, Arnaud Lecomte wrote:
> Hi Dave,
> I am bumping the thread as I was wondering if you have some updates.
> Thanks !
It's in linux-next. I'll be pushing it to Linus this week.
Thanks,
Shaggy
>
> On 14/07/2025 21:35, Lecomte, Arnaud wrote:
>> Thanks Dave !
>>
>> On 11/07/2025 20:23, Dave Kleikamp wrote:
>>> I'm finally trying to catch up.
>>>
>>> On 4/23/25 5:13PM, Arnaud Lecomte via Jfs-discussion wrote:
>>>> When computing the tree index in dbAllocAG, we never check we are not
>>>> out of bounds from the size of the stree.
>>>> This could happen in a scenario where the filesystem metadata are
>>>> corrupted.
>>>
>>> Looks good. I'll apply and test this.
>>>
>>>>
>>>> Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>>>> Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
>>>> Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>>>> Fixes: 263e55949d89 ("x86/cpu/amd: Fix workaround for erratum 1054")
>>>
>>> Removing the Fixes: line. This doesn't make sense.
>>>
>>>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
>>>> ---
>>>> fs/jfs/jfs_dmap.c | 6 ++++++
>>>> 1 file changed, 6 insertions(+)
>>>>
>>>> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
>>>> index 26e89d0c69b6..7acebb9a21b0 100644
>>>> --- a/fs/jfs/jfs_dmap.c
>>>> +++ b/fs/jfs/jfs_dmap.c
>>>> @@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64
>>>> nblocks, int l2nb, s64 * results)
>>>> (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp-
>>>> >db_agwidth;
>>>> ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
>>>> + if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
>>>> + jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti
>>>> out of bounds\n");
>>>> + release_metapage(mp);
>>>> + return -EIO;
>>>> + }
>>>> +
>>>> /* dmap control page trees fan-out by 4 and a single allocation
>>>> * group may be described by 1 or 2 subtrees within the ag level
>>>> * dmap control page, depending upon the ag size. examine the
>>>> ag's
>>>>
>>>> ---
>>>> base-commit: 8560697b23dc2f405cb463af2b17256a9888129d
>>>> change-id: 20250423-ubsan-jfs-3a58acae5e57
>>>>
>>>> Best regards,
>>>
>>>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Jfs-discussion] [PATCH] jfs: upper bound check of tree index in dbAllocAG
2025-07-11 19:23 ` [Jfs-discussion] " Dave Kleikamp
2025-07-14 20:35 ` Lecomte, Arnaud
@ 2025-07-28 18:14 ` Arnaud Lecomte
1 sibling, 0 replies; 6+ messages in thread
From: Arnaud Lecomte @ 2025-07-28 18:14 UTC (permalink / raw)
To: Dave Kleikamp, Dave Kleikamp
Cc: jfs-discussion, syzbot+cffd18309153948f3c3e, linux-kernel, skhan
Lovely, thanks !
Arnaud
On 11/07/2025 20:23, Dave Kleikamp wrote:
> I'm finally trying to catch up.
>
> On 4/23/25 5:13PM, Arnaud Lecomte via Jfs-discussion wrote:
>> When computing the tree index in dbAllocAG, we never check we are not
>> out of bounds from the size of the stree.
>> This could happen in a scenario where the filesystem metadata are
>> corrupted.
>
> Looks good. I'll apply and test this.
>
>>
>> Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
>> Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
>> Fixes: 263e55949d89 ("x86/cpu/amd: Fix workaround for erratum 1054")
>
> Removing the Fixes: line. This doesn't make sense.
>
>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
>> ---
>> fs/jfs/jfs_dmap.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
>> index 26e89d0c69b6..7acebb9a21b0 100644
>> --- a/fs/jfs/jfs_dmap.c
>> +++ b/fs/jfs/jfs_dmap.c
>> @@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64
>> nblocks, int l2nb, s64 * results)
>> (1 << (L2LPERCTL - (bmp->db_agheight << 1))) /
>> bmp->db_agwidth;
>> ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
>> + if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
>> + jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti
>> out of bounds\n");
>> + release_metapage(mp);
>> + return -EIO;
>> + }
>> +
>> /* dmap control page trees fan-out by 4 and a single allocation
>> * group may be described by 1 or 2 subtrees within the ag level
>> * dmap control page, depending upon the ag size. examine the ag's
>>
>> ---
>> base-commit: 8560697b23dc2f405cb463af2b17256a9888129d
>> change-id: 20250423-ubsan-jfs-3a58acae5e57
>>
>> Best regards,
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-07-28 18:14 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-23 22:13 [PATCH] jfs: upper bound check of tree index in dbAllocAG Arnaud Lecomte
2025-07-11 19:23 ` [Jfs-discussion] " Dave Kleikamp
2025-07-14 20:35 ` Lecomte, Arnaud
2025-07-27 9:55 ` Arnaud Lecomte
2025-07-28 17:58 ` Dave Kleikamp
2025-07-28 18:14 ` Arnaud Lecomte
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).