This was assigned CVE-2020-27815 via redhat.

Regards,
butt3rflyh4ck.

On Fri, Nov 20, 2020 at 11:01 PM Dave Kleikamp <[email protected]> wrote:
>
> On 11/20/20 3:52 AM, butt3rflyh4ck wrote:
> > You are welcome and have you submitted the patch to linux upstream?
> > If you have no time do that and I can do it.
>
> Yes, it's in linux-next now. I'll push it to upstream in the v5.11 window.
>
> Shaggy
>
> >
> > Regard,
> > butt3rflyh4ck.
> >
> > On Sun, Nov 15, 2020 at 12:17 AM Dave Kleikamp <[email protected]>
> > wrote:
> >>
> >> Thanks for reporting and testing this!
> >>
> >> Shaggy
> >>
> >> On 11/14/20 7:55 AM, butt3rflyh4ck wrote:
> >>> Yes, I have tested the patch, it seems to fix the problem.
> >>>
> >>> Regard,
> >>> butt3rflyh4ck.
> >>>
> >>> On Sat, Nov 14, 2020 at 5:16 AM Dave Kleikamp <[email protected]>
> >>> wrote:
> >>>>
> >>>> On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
> >>>>> I report an array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
> >>>>> kernel fuzz.
> >>>>>
> >>>>> kernel config:
> >>>>> https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
> >>>>>
> >>>>> and can reproduce.
> >>>>>
> >>>>> the dmtree_t is that
> >>>>> typedef union dmtree {
> >>>>> struct dmaptree t1;
> >>>>> struct dmapctl t2;
> >>>>> } dmtree_t;
> >>>>>
> >>>>> the dmaptree is that
> >>>>> struct dmaptree {
> >>>>> __le32 nleafs; /* 4: number of tree leafs */
> >>>>> __le32 l2nleafs; /* 4: l2 number of tree leafs */
> >>>>> __le32 leafidx; /* 4: index of first tree leaf */
> >>>>> __le32 height; /* 4: height of the tree */
> >>>>> s8 budmin; /* 1: min l2 tree leaf value to combine */
> >>>>> s8 stree[TREESIZE]; /* TREESIZE: tree */
> >>>>> u8 pad[2]; /* 2: pad to word boundary */
> >>>>> };
> >>>>> the TREESIZE is totally 341, but the leafidx type is __le32.
> >>>>
> >>>> Does this patch fix the problem?
> >>>>
> >>>> jfs: Fix array index bounds check in dbAdjTree
> >>>>
> >>>> Bounds checking tools can flag a bug in dbAdjTree() for an array index
> >>>> out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
> >>>> both structures dmaptree and dmapctl, use the larger array to eliminate
> >>>> the false positive.
> >>>>
> >>>> Signed-off-by: Dave Kleikamp <[email protected]>
> >>>> ---
> >>>> fs/jfs/jfs_dmap.h | 2 +-
> >>>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
> >>>> index 29891fad3f09..aa03a904d5ab 100644
> >>>> --- a/fs/jfs/jfs_dmap.h
> >>>> +++ b/fs/jfs/jfs_dmap.h
> >>>> @@ -183,7 +183,7 @@ typedef union dmtree {
> >>>> #define dmt_leafidx t1.leafidx
> >>>> #define dmt_height t1.height
> >>>> #define dmt_budmin t1.budmin
> >>>> -#define dmt_stree t1.stree
> >>>> +#define dmt_stree t2.stree
> >>>>
> >>>> /*
> >>>> * on-disk aggregate disk allocation map descriptor.
> >>>> --
> >>>> 2.29.2
> >>>>
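Review bot: The hunk changes only which union member `dmt_stree` names (`t1.stree` to `t2.stree`) and adds no check on the index, so the commit message's claim that the tool result is a "false positive" is not supported by the diff itself; when the `dmtree_t` being adjusted is actually a `struct dmaptree` (TREESIZE of 341 per the report above), an index beyond that bound now reads or writes through the larger `t2.stree` view into whatever follows `t1.stree` in memory, which silences the checker rather than proving the access in range. Please state in the commit message why every index reaching `dbAdjTree()` is guaranteed to be within the real array for both layouts (and why the on-disk `__le32 leafidx` the reporter points at cannot drive it out of range), or add an explicit bounds check in `dbAdjTree()` that rejects a corrupt index and returns an error instead of relying on the wider union member; the reporter's syzkaller trigger should then be re-run against that version, since the report is a runtime hit from a fuzzer, not only a static-analysis finding.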

