linux/fs/jfs
Edward Adam Davis ce6dede912 jfs: fix null ptr deref in dtInsertEntry
[syzbot reported]
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713
...
[Analyze]
In dtInsertEntry(), when the pointer h has the same value as p, after writing
name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the
previously true judgment "p->header.flag & BT-LEAF" to change to no after writing
the name operation, this leads to entering an incorrect branch and accessing the
uninitialized object ih when judging this condition for the second time.

[Fix]
After got the page, check freelist first, if freelist == 0 then exit dtInsert()
and return -EINVAL.

Reported-by: syzbot+bba84aef3a26fb93deb9@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
2024-06-26 12:27:33 -05:00
..
acl.c jfs: convert to ctime accessor functions 2023-07-24 10:30:01 +02:00
file.c splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
inode.c jfs: convert to new timestamp accessors 2023-10-18 14:08:23 +02:00
ioctl.c jfs: convert to ctime accessor functions 2023-07-24 10:30:01 +02:00
jfs_acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
jfs_btree.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_debug.c proc: convert everything to "struct proc_ops" 2020-02-04 03:05:26 +00:00
jfs_debug.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_dinode.h jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
jfs_discard.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_discard.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_dmap.c Revert "jfs: fix shift-out-of-bounds in dbJoin" 2024-01-29 08:45:10 -06:00
jfs_dmap.h jfs: Fix array index bounds check in dbAdjTree 2020-11-13 16:03:07 -06:00
jfs_dtree.c jfs: fix null ptr deref in dtInsertEntry 2024-06-26 12:27:33 -05:00
jfs_dtree.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_extent.c jfs: validate max amount of blocks before allocation. 2023-08-29 12:25:47 -05:00
jfs_extent.h jfs: remove unused declarations for jfs 2022-10-18 08:50:26 -05:00
jfs_filsys.h jfs: jfs_dmap: Validate db_l2nbperpage while mounting 2023-06-20 12:37:50 -05:00
jfs_imap.c jfs: fix array-index-out-of-bounds in diNewExt 2024-01-02 11:02:30 -06:00
jfs_imap.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_incore.h quota: Properly annotate i_dquot arrays with __rcu 2024-02-08 12:04:59 +01:00
jfs_inode.c jfs: convert to new timestamp accessors 2023-10-18 14:08:23 +02:00
jfs_inode.h fs: port ->fileattr_set() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
jfs_lock.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_logmgr.c jfs: Change metapage->page to metapage->folio 2024-05-27 20:37:06 -05:00
jfs_logmgr.h jfs: port block device access to file 2024-02-25 12:05:26 +01:00
jfs_metapage.c jfs: Remove use of folio error flag 2024-05-27 20:37:06 -05:00
jfs_metapage.h jfs: Change metapage->page to metapage->folio 2024-05-27 20:37:06 -05:00
jfs_mount.c jfs: port block device access to file 2024-02-25 12:05:26 +01:00
jfs_superblock.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_txnmgr.c jfs: Add missing set_freezable() for freezable kthread 2024-01-02 11:06:52 -06:00
jfs_txnmgr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_types.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_umount.c jfs: Fix a typo in function jfs_umount 2022-11-10 15:08:00 -06:00
jfs_unicode.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jfs_unicode.h fs/jfs: Use common ucs2 upper case table 2023-08-30 08:55:52 -05:00
jfs_xattr.h jfs: move jfs_xattr_handlers to .rodata 2023-10-09 16:24:19 +02:00
jfs_xtree.c jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
jfs_xtree.h jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
Kconfig 22 smb3/cifs client fixes and two related changes (for unicode mapping) 2023-08-30 21:01:40 -07:00
Makefile fs/jfs: Use common ucs2 upper case table 2023-08-30 08:55:52 -05:00
namei.c jfs: convert to new timestamp accessors 2023-10-18 14:08:23 +02:00
resize.c jfs: use sb_bdev_nr_blocks 2021-10-18 14:43:23 -06:00
super.c \n 2024-03-13 14:30:58 -07:00
symlink.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
xattr.c jfs: move jfs_xattr_handlers to .rodata 2023-10-09 16:24:19 +02:00