jfs: check if leafidx greater than num leaves per dmap tree
authorEdward Adam Davis <eadavis@qq.com>
Sat, 24 Aug 2024 01:25:23 +0000 (09:25 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 17 Oct 2024 13:08:15 +0000 (15:08 +0200)
[ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ]

syzbot reported an out-of-bounds access in dbSplit. It occurs because dmt_leafidx is greater
than the number of leaves per dmap tree; add a check for dmt_leafidx in dbFindLeaf.

Shaggy:
Modified sanity check to apply to control pages as well as leaf pages.

Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/jfs/jfs_dmap.c

index 750853367d4ff5754a3976ebd0e7fc5852473671..8efd93992946b68015bea20049e25e5bf55e4498 100644 (file)
@@ -3006,9 +3006,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
 static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
 {
        int ti, n = 0, k, x = 0;
-       int max_size;
+       int max_size, max_idx;
 
        max_size = is_ctl ? CTLTREESIZE : TREESIZE;
+       max_idx = is_ctl ? LPERCTL : LPERDMAP;
 
        /* first check the root of the tree to see if there is
         * sufficient free space.
@@ -3040,6 +3041,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
                 */
                assert(n < 4);
        }
+       if (le32_to_cpu(tp->dmt_leafidx) >= max_idx)
+               return -ENOSPC;
 
        /* set the return to the leftmost leaf describing sufficient
         * free space.
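Review bot: The added guard after the descent loop compares the on-disk `tp->dmt_leafidx` with a leaf count (`max_idx` is `LPERCTL` or `LPERDMAP`), but the value a caller indexes with is the leaf number returned through `*leafidx`, which appears to be computed just past the end of this hunk. If `dmt_leafidx` is the summary-tree offset of the first leaf, as its name suggests, the guard rejects only grossly corrupt values; consider bounding the result as well, e.g. `idx = le32_to_cpu(tp->dmt_leafidx);` followed by `if (x + n < idx || x + n - idx >= max_idx) return -ENOSPC;`. The field does not change during the walk, so the check could also sit before the loop. A comment such as `/* dmt_leafidx is read from disk; reject a corrupt value instead of trusting it */` would explain why a corruption case is reported as -ENOSPC. dbFindLeaf continues past the end of this hunk.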