Commit 03aec2c1 authored May 17, 2021 by Pavel Skripkin Committed by Greg Kroah-Hartman Jul 20, 2021

reiserfs: add check for invalid 1st journal block

[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ]

syzbot reported divide error in reiserfs.
The problem was in incorrect journal 1st block.

Syzbot's reproducer manualy generated wrong superblock
with incorrect 1st block. In journal_init() wasn't
any checks about this particular case.

For example, if 1st journal block is before superblock
1st block, it can cause zeroing important superblock members
in do_journal_end().

Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com


Reported-by:  <syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 1137d57d

fs/reiserfs/journal.c

+14 −0

Original line number	Diff line number	Diff line
		@@ -2766,6 +2766,20 @@ int journal_init(struct super_block sb, const char j_dev_name,
		goto free_and_return;
		}

		/*
		* Sanity check to see if journal first block is correct.
		* If journal first block is invalid it can cause
		* zeroing important superblock members.
		*/
		if (!SB_ONDISK_JOURNAL_DEVICE(sb) &&
		SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) {
		reiserfs_warning(sb, "journal-1393",
		"journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d",
		SB_JOURNAL_1st_RESERVED_BLOCK(sb),
		SB_ONDISK_JOURNAL_1st_BLOCK(sb));
		goto free_and_return;
		}

		if (journal_init_dev(sb, journal, j_dev_name) != 0) {
		reiserfs_warning(sb, "sh-462",
		"unable to initialize journal device");