From: Tristan Madani
To: Dave Kleikamp
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Tristan Madani, syzbot+aa6df9d3b383bf5f047f@syzkaller.appspotmail.com
Subject: [PATCH] jfs: validate lv bounds in diWrite to prevent slab-out-of-bounds
Date: Fri, 1 May 2026 11:02:30 +0000
Message-ID: <20260501110230.38407-1-tristmd@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

diWrite() copies btree root data from the in-memory inode to the on-disk dinode using lv->offset and lv->length from the transaction lock without bounds checking. When a corrupted JFS filesystem image provides inconsistent dtree or xtree metadata, the transaction log entries can reference slots beyond the root node boundaries (DTROOTMAXSLOT or XTROOTMAXSLOT), causing a slab-out-of-bounds write in the subsequent memcpy.

For example, with a crafted directory inode where the dtree metadata produces lv->offset + lv->length > DTROOTMAXSLOT (9), the memcpy in the dtree copy loop writes 32 bytes past the dinode boundary into adjacent slab memory.

Add bounds validation before each memcpy in both the xtree and dtree copy loops to ensure lv->offset + lv->length does not exceed XTROOTMAXSLOT (18) or DTROOTMAXSLOT (9) respectively.

Reported-by: syzbot+aa6df9d3b383bf5f047f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aa6df9d3b383bf5f047f
Tested-by: syzbot+aa6df9d3b383bf5f047f@syzkaller.appspotmail.com
Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani --- fs/jfs/jfs_imap.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index b84ba4d7dfb44..70d6a33597273 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -726,6 +726,11 @@ int diWrite(tid_t tid, struct inode *ip) xp = &dp->di_xtroot; lv = ilinelock->lv; for (n = 0; n < ilinelock->index; n++, lv++) { + if (lv->offset + lv->length > XTROOTMAXSLOT) { + jfs_err("diWrite: xtree lv out of bounds"); + release_metapage(mp); + return -EIO; + } memcpy(&xp->xad[lv->offset], &p->xad[lv->offset], lv->length << L2XTSLOTSIZE); } @@ -750,6 +755,11 @@ int diWrite(tid_t tid, struct inode *ip) xp = (dtpage_t *) & dp->di_dtroot; lv = ilinelock->lv; for (n = 0; n < ilinelock->index; n++, lv++) { + if (lv->offset + lv->length > DTROOTMAXSLOT) { + jfs_err("diWrite: dtree lv out of bounds"); + release_metapage(mp); + return -EIO; + } memcpy(&xp->slot[lv->offset], &p->slot[lv->offset], lv->length << L2DTSLOTSIZE); } -- 2.47.3
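Review bot: in the xtree hunk the rejection is logged with jfs_err() and diWrite() returns -EIO, but an lv running past XTROOTMAXSLOT means the inode's metadata is inconsistent, and that is what jfs_error(ip->i_sb, ...) is for: it logs the condition and also applies the mount's errors= policy (continue, remount read-only or panic) instead of leaving the filesystem mounted read-write over corrupt metadata with only a log line to show for it. The message would also help whoever triages such a report if it carried the offending values, for example `jfs_error(ip->i_sb, "diWrite: xtree lv out of bounds (offset %u, length %u)\n", lv->offset, lv->length);`. Releasing mp before the return is correct, since the page is still held at that point and would otherwise leak.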
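Review bot: the dtree hunk repeats the xtree check with only the limit constant and the message text changed; a small static helper taking the lv, the slot limit and the tree name would keep the two paths from drifting and give a single place for the error reporting. A comment would also be worth adding that the one comparison covers both sides of the memcpy: the same lv->offset indexes the source p->slot[] in the in-memory root and the destination xp->slot[] in the dinode, and both are sized by DTROOTMAXSLOT, so an out-of-range descriptor would have been an out-of-bounds read as well as a write. Finally, the commit message's "32 bytes past the dinode boundary" is exactly one slot (1 << L2DTSLOTSIZE) for offset + length == DTROOTMAXSLOT + 1; spelling that arithmetic out in the message makes the stable backport easier to review.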
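The following is an added user-space model of the copy loop the patch hardens and is not part of the patch mail or of the JFS code. It reproduces the shape of the check (a u8 offset and length from a line vector, compared against a fixed root slot count before each memcpy), places a canary after the modelled root where adjacent slab memory would sit in the kernel, and replays the commit message's scenario of offset + length == 10 against a 9-slot dtree root. The slot counts and slot sizes are the values quoted in the commit message and patch; the struct names, the canary and the sample descriptors are constructed for this example, and -5 stands in for -EIO.

```c
/*
 * Added example (not kernel code): a user-space model of the diWrite()
 * root-slot copy loop with the bounds check the patch adds, plus a canary
 * standing in for the adjacent slab memory. Constants mirror the values in
 * the commit message; struct names, the canary and the sample lvs are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTROOTMAXSLOT 9     /* dtree root slots, as in the patch */
#define XTROOTMAXSLOT 18    /* xtree root slots, as in the patch */
#define DTSLOTSIZE    32    /* 1 << L2DTSLOTSIZE: one dtree slot is 32 bytes */
#define XTSLOTSIZE    16    /* 1 << L2XTSLOTSIZE: one xtree slot is 16 bytes */
#define MODEL_EIO     5     /* errno value of EIO, returned negated like the kernel */
#define CANARY_BYTE   0xA5

/* Line-vector descriptor from the transaction lock: one byte each, so
 * offset + length is evaluated as int and can never wrap around. */
struct lv {
    uint8_t offset;
    uint8_t length;
};

/* A dtree root followed by a canary region: a write past slot[DTROOTMAXSLOT-1]
 * lands in canary[], which is where adjacent slab memory would be in the kernel. */
struct model_dtroot {
    unsigned char slot[DTROOTMAXSLOT][DTSLOTSIZE];
    unsigned char canary[DTSLOTSIZE];
};

/* The predicate the patch inserts before each memcpy: the slots
 * [offset, offset + length) must lie inside the root's maxslot slots. */
static int lv_in_bounds(const struct lv *lv, int maxslot)
{
    return lv->offset + lv->length <= maxslot;
}

/* Probe the predicate with plain ints; values are truncated to u8 exactly
 * as the real struct lv fields would be. */
static int check_lv(int offset, int length, int maxslot)
{
    struct lv lv = { (uint8_t)offset, (uint8_t)length };
    return lv_in_bounds(&lv, maxslot);
}

/* Model of the copy loop: copy each line vector's slots from the in-memory
 * root (src) to the on-disk root (dst). Rejects the write with -EIO at the
 * first descriptor that would run past maxslot, before any memcpy for it. */
static int copy_root_slots(unsigned char *dst, const unsigned char *src,
                           const struct lv *lvs, int nlv,
                           int maxslot, size_t slotsize)
{
    for (int n = 0; n < nlv; n++) {
        if (!lv_in_bounds(&lvs[n], maxslot))
            return -MODEL_EIO;
        memcpy(dst + lvs[n].offset * slotsize,
               src + lvs[n].offset * slotsize,
               lvs[n].length * slotsize);
    }
    return 0;
}

/* 1 if no byte of the canary has been overwritten, else 0. */
static int canary_intact(const struct model_dtroot *r)
{
    for (size_t i = 0; i < sizeof r->canary; i++)
        if (r->canary[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Replays the scenario from the commit message: a descriptor with
 * offset + length == 10 > DTROOTMAXSLOT, which unchecked would write one
 * 32-byte slot past the root. Returns 1 when the copy is refused with -EIO
 * and the canary is untouched, 0 otherwise. */
static int demo_crafted_dtree(void)
{
    struct model_dtroot src, dst;
    /* constructed descriptors: the first is valid, the second runs past slot 8 */
    const struct lv lvs[] = { { 0, 2 }, { 8, 2 } };

    memset(&src, 0x11, sizeof src);
    memset(&dst, 0x00, sizeof dst);
    memset(dst.canary, CANARY_BYTE, sizeof dst.canary);

    int rc = copy_root_slots(&dst.slot[0][0], &src.slot[0][0],
                             lvs, 2, DTROOTMAXSLOT, DTSLOTSIZE);
    return rc == -MODEL_EIO && canary_intact(&dst);
}

int main(void)
{
    printf("crafted dtree lv rejected, canary intact: %s\n",
           demo_crafted_dtree() ? "yes" : "no");
    return 0;
}
```

The model keeps the patch's ordering: descriptors before the bad one are copied, and the bad one is refused before its memcpy, so the canary (the stand-in for neighbouring slab objects) is never touched. The `check_lv` probes show the boundary behaviour worth testing in the real code too: offset + length equal to the slot count is accepted, one more is refused, and the u8 extremes (255 + 255) are refused rather than wrapping.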