From: syzbot <syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
Date: Fri, 17 Apr 2026 03:11:59 -0700 [thread overview]
Message-ID: <69e2076f.a00a0220.1cdc.0007.GAE@google.com> (raw)
In-Reply-To: <69345a63.a70a0220.38f243.0031.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
Author: tristmd@gmail.com
From: Tristan Madani <tristan@talencesecurity.com>
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
dbJoin() computes a buddy size via BUDSIZE(newval, budmin), which
expands to 1 << (newval - budmin). If the on-disk tree metadata is
corrupted such that the leaf values or free counts are inconsistent,
newval can exceed budmin + 31, causing a shift-out-of-bounds:
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2882:11
shift exponent 132 is too large for 32-bit type 'int'
The maximum meaningful newval for a given tree is budmin + l2nleafs,
since BUDSIZE at that point equals nleafs and the while loop would not
execute. Any value beyond that indicates corrupted metadata.
Add a sanity check before the BUDSIZE call: if newval exceeds
budmin + l2nleafs, return -EIO.
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_dmap.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2864,6 +2864,14 @@ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
if (newval >= tp->dmt_budmin) {
/* pickup a pointer to the leaves of the tree.
*/
+
+ /* Validate newval to prevent shift-out-of-bounds in
+ * BUDSIZE. The maximum meaningful value is budmin +
+ * l2nleafs; anything beyond indicates corrupted metadata.
+ */
+ if (newval > tp->dmt_budmin +
+ le32_to_cpu(tp->dmt_l2nleafs))
+ return -EIO;
leaf = tp->dmt_stree + le32_to_cpu(tp->dmt_leafidx);
/* try to join the specified leaf into a large binary
--
2.39.5
next prev parent reply other threads:[~2026-04-17 10:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-06 16:31 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
2025-12-07 3:18 ` Edward Adam Davis
2025-12-07 3:52 ` syzbot
2025-12-07 3:52 ` [PATCH] jfs: Add a sanity check for budmin Edward Adam Davis
2026-04-17 10:11 ` syzbot [this message]
2026-04-17 16:19 ` Forwarded: Re: [syzbot] UBSAN: shift-out-of-bounds in dbJoin syzbot
2026-04-17 19:19 ` Forwarded: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69e2076f.a00a0220.1cdc.0007.GAE@google.com \
--to=syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.