jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree

When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out. Reported-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483 Tested-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com Signed-off-by: Nihar Chaithanya <niharchaithanya@gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
author: Nihar Chaithanya <niharchaithanya@gmail.com> 2024-10-08 22:21:38 +0200
committer: Dave Kleikamp <dave.kleikamp@oracle.com> 2024-10-29 23:43:41 +0100
commit: a174706ba4dad895c40b1d2277bade16dfacdcd9 (patch)
tree: d27dd2a19fc2c5b170e20a41b084f35122c73644
parent: jfs: xattr: check invalid xattr size more strictly (diff)
download: linux-a174706ba4dad895c40b1d2277bade16dfacdcd9.tar.xz
linux-a174706ba4dad895c40b1d2277bade16dfacdcd9.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 39957361a7ee..f9009e4f9ffd 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2891,6 +2891,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
 	/* bubble the new value up the tree as required.
 	 */
 	for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) {
+		if (lp == 0)
+			break;
+
 		/* get the index of the first leaf of the 4 leaf
 		 * group containing the specified leaf (leafno).
 		 */
author	Nihar Chaithanya <niharchaithanya@gmail.com>	2024-10-08 22:21:38 +0200
committer	Dave Kleikamp <dave.kleikamp@oracle.com>	2024-10-29 23:43:41 +0100
commit	a174706ba4dad895c40b1d2277bade16dfacdcd9 (patch)
tree	d27dd2a19fc2c5b170e20a41b084f35122c73644
parent	jfs: xattr: check invalid xattr size more strictly (diff)
download	linux-a174706ba4dad895c40b1d2277bade16dfacdcd9.tar.xz linux-a174706ba4dad895c40b1d2277bade16dfacdcd9.zip