[PATCH] reiserfs: UBSAN: array-index-out-of-bounds in direntry_create_vi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



deh defined as an array of type __u16[], and issue is
triggered when it's trying to access an element at
index 1, which is out of bounds because the array
has only one element at index 0.

Reported-by: syzbot+e5bb9eb00a5a5ed2a9a2@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=e5bb9eb00a5a5ed2a9a2
Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@xxxxxxxxx>
---
 fs/reiserfs/item_ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/reiserfs/item_ops.c b/fs/reiserfs/item_ops.c
index 3a5a752d96c7..ccf547c5e8e1 100644
--- a/fs/reiserfs/item_ops.c
+++ b/fs/reiserfs/item_ops.c
@@ -484,7 +484,7 @@ static int direntry_create_vi(struct virtual_node *vn,
 				  vn->vn_mode);
 		dir_u->entry_sizes[i] =
 		    (j ? deh_location(&deh[j - 1]) : ih_item_len(vi->vi_ih)) -
-		    deh_location(&deh[j]) + DEH_SIZE;
+		    deh_location(&deh[j - 1]) + DEH_SIZE;
 	}
 
 	size += (dir_u->entry_count * sizeof(short));
-- 
2.34.1




[Index of Archives]     [Linux File System Development]     [Linux BTRFS]     [Linux NFS]     [Linux Filesystems]     [Ext4 Filesystem]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Resources]

  Powered by Linux