Patch "fs/jfs: Add validity check for db_maxag and db_agpref" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 20 Nov 2023 10:19:04 -0500

This is a note to let you know that I've just added the patch titled

    fs/jfs: Add validity check for db_maxag and db_agpref

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fs-jfs-add-validity-check-for-db_maxag-and-db_agpref.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8a45d3c9feaf9f187c402ee93646b5cd055989ec
Author: Juntong Deng <juntong.deng@xxxxxxxxxxx>
Date:   Wed Oct 4 02:06:41 2023 +0800

    fs/jfs: Add validity check for db_maxag and db_agpref
    
    [ Upstream commit 64933ab7b04881c6c18b21ff206c12278341c72e ]
    
    Both db_maxag and db_agpref are used as the index of the
    db_agfree array, but there is currently no validity check for
    db_maxag and db_agpref, which can lead to errors.
    
    The following is related bug reported by Syzbot:
    
    UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20
    index 7936 is out of range for type 'atomic_t[128]'
    
    Add checking that the values of db_maxag and db_agpref are valid
    indexes for the db_agfree array.
    
    Reported-by: syzbot+38e876a8aa44b7115c76@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://syzkaller.appspot.com/bug?extid=38e876a8aa44b7115c76
    Signed-off-by: Juntong Deng <juntong.deng@xxxxxxxxxxx>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a700950429c5f..217a673b751ef 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -195,6 +195,12 @@ int dbMount(struct inode *ipbmap)
 	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
 	bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
 	bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
+	if (bmp->db_maxag >= MAXAG || bmp->db_maxag < 0 ||
+		bmp->db_agpref >= MAXAG || bmp->db_agpref < 0) {
+		err = -EINVAL;
+		goto err_release_metapage;
+	}
+
 	bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
 	bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
 	bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);






