From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 17 Apr 2026 02:08:45 -0700
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] jfs: validate l2nbperiext in diMount() to prevent shift-out-of-bounds
Message-ID: <69e1f89d.a00a0220.1cdc.0003.GAE@google.com>
In-Reply-To: <68122507.050a0220.3a872c.0001.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: validate l2nbperiext in diMount() to prevent shift-out-of-bounds
Author: tristmd@gmail.com
From: Tristan Madani

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diMount() reads im_l2nbperiext and im_nbperiext directly from on-disk
metadata without validating them. A corrupted filesystem image can set
im_l2nbperiext to an arbitrarily large value, which is then used as a
shift exponent in jfs_statfs():

	maxinodes = min((s64) atomic_read(&imap->im_numinos) +
			((sbi->bmap->db_nfree >> imap->im_l2nbperiext)
			 << L2INOSPEREXT), (s64) 0xffffffffLL);

This triggers UBSAN shift-out-of-bounds when the exponent exceeds 63.

Add a sanity check after reading both fields in diMount() to reject the
filesystem mount if l2nbperiext is out of range or inconsistent with
nbperiext.

Reported-by: syzbot+13ba7f3e9a17f77250fe@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=13ba7f3e9a17f77250fe
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani
---
 fs/jfs/jfs_imap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index XXXXXXX..XXXXXXX 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -125,6 +125,17 @@ int diMount(struct inode *ipimap) imap->im_nbperiext = le32_to_cpu(dinom_le->in_nbperiext); imap->im_l2nbperiext = le32_to_cpu(dinom_le->in_l2nbperiext); + + if (imap->im_l2nbperiext < 0 || + imap->im_l2nbperiext > 30 || + imap->im_nbperiext != (1 << imap->im_l2nbperiext)) { + jfs_err("diMount: invalid imap parameters: " + "nbperiext(%d) l2nbperiext(%d)", + imap->im_nbperiext, imap->im_l2nbperiext); + release_metapage(mp); + kfree(imap); + return -EINVAL; + } + for (index = 0; index < MAXAG; index++) { imap->im_agctl[index].inofree = le32_to_cpu(dinom_le->in_agctl[index].inofree); -- 2.43.0
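Review bot: the hunk header `@@ -125,6 +125,17 @@` and the diffstat (`11 insertions(+)`) declare eleven added lines, but as the hunk appears here twelve `+` lines are present (the blank line before the `if` and the blank line after the closing `}` included), and the index line reads `index XXXXXXX..XXXXXXX 100644` instead of real blob ids; in that form `git apply` rejects the patch as corrupt, so regenerate it with `git format-patch` from the tree named on the `#syz test` line rather than editing the hunk by hand. On the check itself, the ceiling `imap->im_l2nbperiext > 30` is not justified anywhere: add a comment or a named constant saying why 30 is the bound, and consider tightening it toward what a real mkfs.jfs image can contain, since values far above that still pass the consistency test `im_nbperiext != (1 << im_l2nbperiext)` as long as the two fields agree. The error path does `release_metapage(mp); kfree(imap);`; confirm that nothing earlier in diMount() has already stored `imap` into the inode, otherwise the kfree() leaves a dangling pointer behind on the failed mount. Finally, `jfs_err("diMount: invalid imap parameters: " "nbperiext(%d) l2nbperiext(%d)", ...)` splits the format string across two literals, which checkpatch warns about; keep the whole string on one line even if it exceeds 80 columns.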
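A user-space model of the check, added here as an example and not taken from the patch or the JFS tree: it loads the two little-endian fields from a constructed on-disk block the way diMount() does, applies the same predicate, and only then runs the jfs_statfs() arithmetic quoted in the commit message. The two-field `struct dinomap_le`, the `L2NBPEREXT_MAX` name, the helper names and all input values are assumptions made for this example; the real on-disk structure has many more fields.

```c
/*
 * Added example, not code from the patch or from fs/jfs. A user-space model
 * of the diMount() sanity check, run over constructed on-disk values.
 * Field names follow the kernel's dinomap/inomap; the two-field struct,
 * the L2NBPEREXT_MAX name and the helper names are assumptions made here.
 */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

#define L2INOSPEREXT   5    /* log2(32 inodes per extent), as in JFS */
#define L2NBPEREXT_MAX 30   /* the upper bound the patch uses (assumed name) */

/* On-disk little-endian fields kept as raw bytes (constructed, simplified). */
struct dinomap_le {
	uint8_t in_nbperiext[4];
	uint8_t in_l2nbperiext[4];
};

/* In-memory copy; the kernel keeps both as int, so a wild u32 can go negative. */
struct inomap {
	int32_t im_nbperiext;
	int32_t im_l2nbperiext;
};

static uint32_t le32_load(const uint8_t b[4])
{
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
	       (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static void le32_store(uint8_t b[4], uint32_t v)
{
	b[0] = (uint8_t)v;
	b[1] = (uint8_t)(v >> 8);
	b[2] = (uint8_t)(v >> 16);
	b[3] = (uint8_t)(v >> 24);
}

/*
 * Same predicate as the patch. Operand order matters: "> L2NBPEREXT_MAX"
 * short-circuits before 1 << l2 is evaluated, so the check itself never
 * shifts by 31 or more.
 */
int validate_imap(const struct dinomap_le *d, struct inomap *out)
{
	out->im_nbperiext = (int32_t)le32_load(d->in_nbperiext);
	out->im_l2nbperiext = (int32_t)le32_load(d->in_l2nbperiext);

	if (out->im_l2nbperiext < 0 ||
	    out->im_l2nbperiext > L2NBPEREXT_MAX ||
	    out->im_nbperiext != (1 << out->im_l2nbperiext))
		return -EINVAL;
	return 0;
}

/* The jfs_statfs() arithmetic from the commit message; safe only after validate_imap(). */
int64_t max_inodes(int64_t numinos, int64_t db_nfree, const struct inomap *imap)
{
	int64_t v = numinos + ((db_nfree >> imap->im_l2nbperiext) << L2INOSPEREXT);
	return v < 0xffffffffLL ? v : 0xffffffffLL;
}

/* Serialise raw values into an on-disk block and run the mount-time check. */
int check_values(uint32_t nbperiext, uint32_t l2nbperiext)
{
	struct dinomap_le d;
	struct inomap imap;
	le32_store(d.in_nbperiext, nbperiext);
	le32_store(d.in_l2nbperiext, l2nbperiext);
	return validate_imap(&d, &imap);
}

/* Mount then statfs: -1 for an image the check rejects, else the maxinodes value. */
int64_t statfs_for(uint32_t nbperiext, uint32_t l2nbperiext,
		   int64_t numinos, int64_t db_nfree)
{
	struct dinomap_le d;
	struct inomap imap;
	le32_store(d.in_nbperiext, nbperiext);
	le32_store(d.in_l2nbperiext, l2nbperiext);
	if (validate_imap(&d, &imap) != 0)
		return -1;
	return max_inodes(numinos, db_nfree, &imap);
}

int main(void)
{
	/* Constructed inputs: two sane images, then the kinds of corruption a fuzzer writes. */
	printf("sane      nb=1 l2=0    -> %lld\n", (long long)statfs_for(1, 0, 100, 4096));
	printf("sane      nb=4 l2=2    -> %lld\n", (long long)statfs_for(4, 2, 10, 1000));
	printf("huge      nb=1 l2=128  -> %lld\n", (long long)statfs_for(1, 128, 100, 4096));
	printf("negative  nb=1 l2=-1   -> %lld\n", (long long)statfs_for(1, 0xffffffffu, 100, 4096));
	printf("mismatch  nb=4 l2=3    -> %lld\n", (long long)statfs_for(4, 3, 100, 4096));
	printf("edge      nb=0 l2=31   -> %lld\n", (long long)statfs_for(0, 31, 100, 4096));
	printf("clamped   nb=1 l2=0    -> %lld\n", (long long)statfs_for(1, 0, 0, 1LL << 40));
	return 0;
}
```

The rejected cases cover the three ways the on-disk pair can be bad: an exponent large enough to make the later `db_nfree >> im_l2nbperiext` undefined, a u32 that becomes negative once stored in an `int`, and a pair that is individually plausible but mutually inconsistent. The last case shows the `min(..., 0xffffffff)` clamp that the quoted jfs_statfs() line applies on a validated image.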