[syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

* [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
@ 2025-12-06 16:31 syzbot
  2025-12-07  3:18 ` Edward Adam Davis
                   ` (4 more replies)
  0 siblings, 5 replies; 7+ messages in thread
From: syzbot @ 2025-12-06 16:31 UTC (permalink / raw)
  To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    4a26e7032d7d Merge tag 'core-bugs-2025-12-01' of git://git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11ea9512580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dd808c444ce84c8
dashboard link: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14dbe192580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=112d92b4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a40b77c72522/disk-4a26e703.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b2b4fa9b2036/vmlinux-4a26e703.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7105f0502b78/bzImage-4a26e703.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1f7c2e37ce13/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=170ab512580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com

------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2795:11
shift exponent 132 is too large for 32-bit type 'int'
CPU: 0 UID: 0 PID: 123 Comm: jfsCommit Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
 __ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:494
 dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
 dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
 txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
 txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
 txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
 jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x52d/0xa60 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
---[ end trace ]---
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 0 UID: 0 PID: 123 Comm: jfsCommit Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x99/0x250 lib/dump_stack.c:120
 vpanic+0x237/0x6d0 kernel/panic.c:489
 panic+0xb9/0xc0 kernel/panic.c:626
 check_panic_on_warn+0x89/0xb0 kernel/panic.c:376
 __ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:494
 dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
 dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
 txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
 txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
 txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
 jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x52d/0xa60 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Kernel Offset: disabled


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
  2025-12-06 16:31 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
@ 2025-12-07  3:18 ` Edward Adam Davis
  2025-12-07  3:52   ` syzbot
  2025-12-07  3:52 ` [PATCH] jfs: Add a sanity check for budmin Edward Adam Davis
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 7+ messages in thread
From: Edward Adam Davis @ 2025-12-07  3:18 UTC (permalink / raw)
  To: syzbot+fa603ae6b02658401ca7; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..7c35e69cafb9 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2291,6 +2291,8 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
 	int rc = 0;
 	int size;
 
+	if (tp->dmt_budmin < 0)
+		return -EUCLEAN;
 	/* determine the bit number and word within the dmap of the
 	 * starting block.
 	 */


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
  2025-12-07  3:18 ` Edward Adam Davis
@ 2025-12-07  3:52   ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2025-12-07  3:52 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Tested-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com

Tested on:

commit:         37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=135f26c2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=34836e56fe7fb6c8
dashboard link: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=145726c2580000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH] jfs: Add a sanity check for budmin
  2025-12-06 16:31 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
  2025-12-07  3:18 ` Edward Adam Davis
@ 2025-12-07  3:52 ` Edward Adam Davis
  2026-04-17 10:11 ` Forwarded: [PATCH] jfs: fix shift-out-of-bounds in dbJoin syzbot
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 7+ messages in thread
From: Edward Adam Davis @ 2025-12-07  3:52 UTC (permalink / raw)
  To: syzbot+fa603ae6b02658401ca7
  Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs

In a corrupted file system image, the budmin value is less than 0,
which causes the lazycommit thread to report an out-of-bounds error
when retrieving the buddy size in dbJoin [1].

Add a check for potentially negative budmin to avoid the problem in [1].

[1]
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2795:11
shift exponent 132 is too large for 32-bit type 'int'
Call Trace:
 dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
 dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
 txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
 txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
 txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
 jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734

Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Tested-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/jfs/jfs_dmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..8f8084756e32 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2291,6 +2291,8 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
 	int rc = 0;
 	int size;
 
+	if (tp->dmt_budmin < 0)
+		return -EUCLEAN;
 	/* determine the bit number and word within the dmap of the
 	 * starting block.
 	 */
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Forwarded: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
  2025-12-06 16:31 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
  2025-12-07  3:18 ` Edward Adam Davis
  2025-12-07  3:52 ` [PATCH] jfs: Add a sanity check for budmin Edward Adam Davis
@ 2026-04-17 10:11 ` syzbot
  2026-04-17 16:19 ` Forwarded: Re: [syzbot] UBSAN: " syzbot
  2026-04-17 19:19 ` Forwarded: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
  4 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2026-04-17 10:11 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
Author: tristmd@gmail.com

From: Tristan Madani <tristan@talencesecurity.com>

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


dbJoin() computes a buddy size via BUDSIZE(newval, budmin), which
expands to 1 << (newval - budmin).  If the on-disk tree metadata is
corrupted such that the leaf values or free counts are inconsistent,
newval can exceed budmin + 31, causing a shift-out-of-bounds:

  UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2882:11
  shift exponent 132 is too large for 32-bit type 'int'

The maximum meaningful newval for a given tree is budmin + l2nleafs,
since BUDSIZE at that point equals nleafs and the while loop would not
execute.  Any value beyond that indicates corrupted metadata.

Add a sanity check before the BUDSIZE call: if newval exceeds
budmin + l2nleafs, return -EIO.

Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_dmap.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2864,6 +2864,14 @@ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
 	if (newval >= tp->dmt_budmin) {
 		/* pickup a pointer to the leaves of the tree.
 		 */
+
+		/* Validate newval to prevent shift-out-of-bounds in
+		 * BUDSIZE.  The maximum meaningful value is budmin +
+		 * l2nleafs; anything beyond indicates corrupted metadata.
+		 */
+		if (newval > tp->dmt_budmin +
+		    le32_to_cpu(tp->dmt_l2nleafs))
+			return -EIO;
 		leaf = tp->dmt_stree + le32_to_cpu(tp->dmt_leafidx);

 		/* try to join the specified leaf into a large binary
--
2.39.5

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Forwarded: Re: [syzbot] UBSAN: shift-out-of-bounds in dbJoin
  2025-12-06 16:31 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
                   ` (2 preceding siblings ...)
  2026-04-17 10:11 ` Forwarded: [PATCH] jfs: fix shift-out-of-bounds in dbJoin syzbot
@ 2026-04-17 16:19 ` syzbot
  2026-04-17 19:19 ` Forwarded: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
  4 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2026-04-17 16:19 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in dbJoin
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From b3eba06211261ff42d58377c02b45bf48aae8f82 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:14 +0000
Subject: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
dbJoin() can receive a corrupted newval from on-disk metadata that
exceeds the valid range for the BUDSIZE macro's shift operation.
When newval is larger than budmin + l2nleafs, the shift produces
undefined behavior detected by UBSAN.
Add a sanity check on newval before the shift to reject corrupted
values.
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_dmap.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a841cf2..4ad9b34 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2864,6 +2864,9 @@ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
 	if (newval >= tp->dmt_budmin) {
 		/* pickup a pointer to the leaves of the tree.
 		 */
+		if (newval > tp->dmt_budmin +
+		    le32_to_cpu(tp->dmt_l2nleafs))
+			return -EIO;
 		leaf = tp->dmt_stree + le32_to_cpu(tp->dmt_leafidx);
 
 		/* try to join the specified leaf into a large binary
-- 
2.47.3

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Forwarded: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
  2025-12-06 16:31 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
                   ` (3 preceding siblings ...)
  2026-04-17 16:19 ` Forwarded: Re: [syzbot] UBSAN: " syzbot
@ 2026-04-17 19:19 ` syzbot
  4 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2026-04-17 19:19 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2770,6 +2770,10 @@ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
 	int budsz, buddy;
 	s8 *leaf;
 
+	if (newval < 0 ||
+	    (newval >= tp->dmt_budmin && newval - tp->dmt_budmin >= 32))
+		return -EIO;
+
 	/* can the new leaf value require a join with other leaves ?
 	 */
 	if (newval >= tp->dmt_budmin) {

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2026-04-17 19:19 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-06 16:31 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot
2025-12-07  3:18 ` Edward Adam Davis
2025-12-07  3:52   ` syzbot
2025-12-07  3:52 ` [PATCH] jfs: Add a sanity check for budmin Edward Adam Davis
2026-04-17 10:11 ` Forwarded: [PATCH] jfs: fix shift-out-of-bounds in dbJoin syzbot
2026-04-17 16:19 ` Forwarded: Re: [syzbot] UBSAN: " syzbot
2026-04-17 19:19 ` Forwarded: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2) syzbot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.