Re: [PATCH] jfs: fix array-index-out-of-bounds in dbFindLeaf

From: Dave Kleikamp
Date: Sun Sep 03 2023 - 17:46:53 EST

Next message: Ingo Molnar: "Re: [PATCH v2] x86: bring back rep movsq for user access on CPUs without ERMS"
Previous message: Laurent Pinchart: "Re: [PATCH 2/2] media: i2c: imx519: Support for the Sony IMX519 sensor"
In reply to: Manas Ghandat: "Re: [PATCH] jfs: fix array-index-out-of-bounds in dbFindLeaf"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/2/23 12:45PM, Manas Ghandat wrote:

Actually I was talking about the stree attribute of dmtree which is present in both dmaptree and dmapctl.

Link : https://elixir.bootlin.com/linux/v6.5.1/source/fs/jfs/jfs_dmap.h#L168

Since it is an array we can add a check for the size of array like the code below.

+ if (x + n > (sizeof(tp->dmt_stree)/sizeof(s8)))
+ return -ENOSPC;

That will always evaluate to the same thing (the size of stree in dmapctl). It would be valid, since that is the larger number, but it wouldn't catch all overflows of dmaptree's stree.

On 01/09/23 22:38, Dave Kleikamp wrote:

On 8/31/23 10:19AM, Manas Ghandat wrote:

I was wondering if we could implement a get_tree_size macro wherein we could find the tree size so that we can do the comparison. SInce the tp->dmt_stree is an array we can get its size and fix the out of bounds. Would this thing work?

dmtree_t is a union of two nearly identical structures that both contain an stree. The only real difference in the structures is the size of the stree, so dbFindLeaf doesn't really know which is being used by the caller.

Next message: Ingo Molnar: "Re: [PATCH v2] x86: bring back rep movsq for user access on CPUs without ERMS"
Previous message: Laurent Pinchart: "Re: [PATCH 2/2] media: i2c: imx519: Support for the Sony IMX519 sensor"
In reply to: Manas Ghandat: "Re: [PATCH] jfs: fix array-index-out-of-bounds in dbFindLeaf"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]