fs: jfs: fix shift-out-of-bounds in dbDiscardAG

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This should be applied to most URSAN bugs found recently by syzbot,
by guarding the dbMount. As syzbot feeding rubbish into the bmap
descriptor.

Signed-off-by: Hoi Pok Wu <wuhoipok@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>

authored by

Hoi Pok Wu and committed by

Dave Kleikamp 3 years ago 25e70c61 ebe06036

1 changed file

expand all

jfs

jfs_dmap.c

fs/jfs/jfs_dmap.c

··· 198 198 goto err_release_metapage; 199 199 } 200 200 201 + if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) { 202 + err = -EINVAL; 203 + goto err_release_metapage; 204 + } 205 + 201 206 for (i = 0; i < MAXAG; i++) 202 207 bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]); 203 208 bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);