From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f69.google.com (mail-ot1-f69.google.com [209.85.210.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 00E843AF654 for ; Fri, 17 Apr 2026 10:12:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.69 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776420728; cv=none; b=XA1t/nCK6vTJFYguNGjOGuAhnyltWBFaGyb9Cm85q7q8BPouHo8i5pJffbA1Gc/Ykvfb/ivsCvxWV2Rk2X8QvvtTyO4yqgSoTYdTsIITRQFdxp/oYIW5hD628xHZvmnTCiEjR951Bc+TMflAChxdX6t8MiAXYTHqGPdtlynBzjc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776420728; c=relaxed/simple; bh=GWAm+9R/RV9ni/QhfaywArt7HdXmi96Fe+Fv5qAIiG4=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=PMO4EwvtRRi08zrd7AGxPhxU2WkQn5i7o+AVpNNQFWpNSq95giL/3ButkwhcBzjF3+1PbJmKxqoHnntlAZI1Cewb7t67ghebl1JzWLxiu7ZNpp+pY+a3yebq/QWobBS8oPqjR+dSDtoxhKzYz0kHc82YmwJO/alRDPrLFn+sCM4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.210.69 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-ot1-f69.google.com with SMTP id 46e09a7af769-7dc41904354so1080659a34.0 for ; Fri, 17 Apr 2026 03:12:06 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776420726; x=1777025526; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; 
bh=4LZHu99bKzfpDR1eQMZ+mWE1F2GTO+40SOrUwAxkBz8=; b=jj358m3eVf4+pKWH5VihnxTBqROwq4ODAQNOE7K4Gtn5a6K51mUW/gqqE1h9f7jtZa kayoaZP/V57GG9ZVJX0p2LN6PObSP98vJT9ZDaslHs7SmcELjH0oXVoOQjDphVgjsiXD HDy6kMqE2nB7+P5UTfQlAqiHRftdQAskY3Ib6I1IQm7LUma301KP6MRT1foosRAnHLzI E8gi1heBeWmpXkxChLNkEIqmtGV5oL19CE+mhnBiV4XyogQ50k/zFFkOQrleb84xssHU ierdQdsprSED/pKXrmJ5xnQqdwzu/2thJjV/2RO29PbizvqXgbvDLHO5Olv2p4zBRKMu YV3g== X-Gm-Message-State: AOJu0Yz0FRhWv26NchTJTdnuIdYf0BSZViRxgTVN4YtyPX2/luWfKI8y 3GbOWa6jWSMaWgL3UikCTWomYY9mWoWHrX39QenJdoocyeXOg+HW3lDvnboqjH6cjFpZ/ifHNvI TeQk1sv8u4Gh9ISwYRtqPpMF5n2mHVgQsKDRc4Kz5MMs41VQTr5WoR80aOfg= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6820:438b:b0:688:29ff:2de2 with SMTP id 006d021491bc7-69462e2bf7cmr761185eaf.11.1776420725909; Fri, 17 Apr 2026 03:12:05 -0700 (PDT) Date: Fri, 17 Apr 2026 03:12:05 -0700 In-Reply-To: <68f1c794.a00a0220.361615.000f.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <69e20775.050a0220.6979.0004.GAE@google.com> Subject: Forwarded: [PATCH] jfs: validate budmin from dmapctl to prevent shift-out-of-bounds From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] jfs: validate budmin from dmapctl to prevent shift-out-of-bounds Author: tristmd@gmail.com 
From: Tristan Madani #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master dbAllocAG() reads budmin directly from an on-disk dmapctl page and uses it as a shift amount: blkno += ((s64)(ti - le32_to_cpu(dcp->leafidx))) << budmin; When the filesystem image is corrupted, budmin (an s8) can be negative, causing a UBSAN shift-out-of-bounds splat with "shift exponent -1 is negative". The existing mount-time validation in dbMount() (commit 7c4af96b24a6) covers db_agheight/db_agwidth/db_agstart but not budmin in individual dmapctl pages, since those are read at allocation time, not at mount. Fix this by validating budmin immediately after reading it from the dmapctl page. A valid budmin for a dmapctl page must be in the range [L2BPERDMAP, L2MAXL2SIZE] (i.e. [13, 43]). Reject pages outside this range as corrupt. The same pattern exists in dbFindCtl() which also reads budmin from dmapctl pages and uses it as a shift; add the validation there too. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4b717071f1eecb2972df Cc: stable@vger.kernel.org Signed-off-by: Tristan Madani --- fs/jfs/jfs_dmap.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 35e063c9f3a4..a1b2c3d4e5f6 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -1373,6 +1373,13 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results) dcp = (struct dmapctl *) mp->data; budmin = dcp->budmin; + if (budmin < L2BPERDMAP || budmin > L2MAXL2SIZE) { + jfs_error(bmp->db_ipbmap->i_sb, + "Corrupt dmapctl budmin %d\n", budmin); + release_metapage(mp); + return -EIO; + } + if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) { jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n"); release_metapage(mp); 
@@ -1703,6 +1710,13 @@ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno) dcp = (struct dmapctl *) mp->data; budmin = dcp->budmin; + if (budmin < L2BPERDMAP || budmin > L2MAXL2SIZE) { + jfs_error(bmp->db_ipbmap->i_sb, + "Corrupt dmapctl budmin %d\n", budmin); + release_metapage(mp); + return -EIO; + } + if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) { jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n"); -- 2.39.2
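Review bot: in the dbAllocAG() hunk the new budmin check duplicates the error path of the `if (dcp->leafidx != cpu_to_le32(CTLLEAFIND))` test that immediately follows it (jfs_error(), release_metapage(mp), return -EIO); consider folding the range test into that existing condition, e.g. `if (dcp->leafidx != cpu_to_le32(CTLLEAFIND) || budmin < L2BPERDMAP || budmin > L2MAXL2SIZE)`, so there is a single corrupt-page exit, keeping the budmin value in the message so the offending value is still logged. Separately, the blob ids in `index 35e063c9f3a4..a1b2c3d4e5f6` look like a hand-typed placeholder rather than git format-patch output; please regenerate the patch from the tree so `git am` can apply it against the stated base.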
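Review bot: the dbFindCtl() hunk pastes the same six-line check verbatim from dbAllocAG(); a small static helper shared by both call sites (say a hypothetical `dbValidateDmapCtl(struct bmap *bmp, struct dmapctl *dcp)` covering the budmin bounds together with the existing CTLLEAFIND test) would keep the two copies from drifting. The hunk header also shows that dbFindCtl() receives `level`, so if the budmin stored in a dmapctl page is determined by its level, a check against that exact value would be tighter than the broad [L2BPERDMAP, L2MAXL2SIZE] range; either way the commit message should say why the loose range was chosen.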