Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Thu, 30 Apr 2026 16:04:14 -0700
In-Reply-To: <00000000000001ab730616f23768@google.com>
Message-ID: <69f3dfee.050a0220.312cd3.0006.GAE@google.com>
Subject: Forwarded: Re: [syz] KASAN: slab-out-of-bounds Write in diWrite
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syz] KASAN: slab-out-of-bounds Write in diWrite
Author: tristmd@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From b49fd6df859312590dfffd12e3dad87914f88c9c Mon Sep 17 00:00:00 2001
From: Tristan Madani
Date: Thu, 30 Apr 2026 23:01:32 +0000
Subject: [PATCH] jfs: validate lv bounds in diWrite to prevent slab-out-of-bounds

diWrite() copies btree root data from the in-memory inode to the on-disk dinode using lv->offset and lv->length from the transaction lock without bounds checking. When a corrupted JFS filesystem image provides inconsistent dtree or xtree metadata, the transaction log entries can reference slots beyond the root node boundaries (DTROOTMAXSLOT or XTROOTMAXSLOT), causing a slab-out-of-bounds write in the subsequent memcpy.

For example, with a crafted directory inode where the dtree metadata produces lv->offset + lv->length > DTROOTMAXSLOT (9), the memcpy in the dtree copy loop writes 32 bytes past the dinode boundary into adjacent slab memory.

Add bounds validation before each memcpy in both the xtree and dtree copy loops to ensure lv->offset + lv->length does not exceed XTROOTMAXSLOT (18) or DTROOTMAXSLOT (9) respectively.

Reported-by: syzbot+aa6df9d3b383bf5f047f@syzkaller.appspotmail.com
Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani
---
 fs/jfs/jfs_imap.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index b84ba4d7dfb44..70d6a33597273 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -726,6 +726,11 @@ int diWrite(tid_t tid, struct inode *ip) xp = &dp->di_xtroot; lv = ilinelock->lv; for (n = 0; n < ilinelock->index; n++, lv++) { + if (lv->offset + lv->length > XTROOTMAXSLOT) { + jfs_err("diWrite: xtree lv out of bounds"); + release_metapage(mp); + return -EIO; + } memcpy(&xp->xad[lv->offset], &p->xad[lv->offset], lv->length << L2XTSLOTSIZE); }
@@ -750,6 +755,11 @@ int diWrite(tid_t tid, struct inode *ip) xp = (dtpage_t *) & dp->di_dtroot; lv = ilinelock->lv; for (n = 0; n < ilinelock->index; n++, lv++) { + if (lv->offset + lv->length > DTROOTMAXSLOT) { + jfs_err("diWrite: dtree lv out of bounds"); + release_metapage(mp); + return -EIO; + } memcpy(&xp->slot[lv->offset], &p->slot[lv->offset], lv->length << L2DTSLOTSIZE); } -- 2.47.3
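Review bot: in the xtree hunk (@@ -726), the new check reports what the commit message describes as on-disk corruption with jfs_err(), which only logs; the rest of JFS reports detected metadata corruption through jfs_error(sb, ...) so that the errors= mount policy (remount read-only or panic) is applied. Consider `jfs_error(ip->i_sb, "diWrite: xtree lv out of bounds\n");` ahead of the existing `release_metapage(mp); return -EIO;` pair, since `ip` is in scope per the hunk header. Please also state in the commit message that lv->offset and lv->length are narrow unsigned fields, so `lv->offset + lv->length` is evaluated at int width and cannot wrap before the comparison with XTROOTMAXSLOT; that is what lets one `>` test cover both fields.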
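Review bot: the dtree hunk (@@ -750) repeats the xtree check with only the bound and message changed; a small static helper taking the lv and the maximum slot count would keep both error paths identical and make any later call site hard to get wrong. The strictness is correct as written: slots 0..DTROOTMAXSLOT-1 are valid, so `lv->offset + lv->length == DTROOTMAXSLOT` is still in bounds and `>` matches the "9" quoted in the commit message. One thing the hunk cannot show is whether the lv entries copied into dp before the failing one can reach disk after the early `return -EIO`; please say in the commit message why bailing out of the loop part-way is safe for the metapage being released.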