From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-oo1-f72.google.com (mail-oo1-f72.google.com [209.85.161.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 79245302140 for ; Fri, 17 Apr 2026 16:19:45 +0000 (UTC)
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.161.72
Received: by mail-oo1-f72.google.com with SMTP id 006d021491bc7-68bce98cafcso1627275eaf.0 for ; Fri, 17 Apr 2026 09:19:45 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Fri, 17 Apr 2026 09:19:44 -0700
In-Reply-To: <68122507.050a0220.3a872c.0001.GAE@google.com>
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <69e25da0.a00a0220.1bd0ca.0007.GAE@google.com>
Subject: Forwarded: Re: [syzbot] UBSAN: shift-out-of-bounds in jfs_statfs
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in jfs_statfs
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>>From 88957226783011487a1627b69a6295cb9aa7e5ac Mon Sep 17 00:00:00 2001
From: Tristan Madani Date: Fri, 17 Apr 2026 16:15:13 +0000 Subject: [PATCH] jfs: validate l2nbperiext in diMount() to prevent shift-out-of-bounds A corrupted filesystem image can set im_l2nbperiext to an arbitrary value. When this value exceeds the width of an integer type, a shift operation using it triggers UBSAN shift-out-of-bounds. Add validation in diMount() to reject im_l2nbperiext values that are negative, exceed 30, or are inconsistent with im_nbperiext. Reported-by: syzbot+13ba7f3e9a17f77250fe@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=13ba7f3e9a17f77250fe Signed-off-by: Tristan Madani --- fs/jfs/jfs_imap.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index b84ba4d..eafbd2b 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -124,6 +124,18 @@ int diMount(struct inode *ipimap) atomic_set(&imap->im_numfree, le32_to_cpu(dinom_le->in_numfree)); imap->im_nbperiext = le32_to_cpu(dinom_le->in_nbperiext); imap->im_l2nbperiext = le32_to_cpu(dinom_le->in_l2nbperiext); + + if (imap->im_l2nbperiext < 0 || + imap->im_l2nbperiext > 30 || + imap->im_nbperiext != (1 << imap->im_l2nbperiext)) { + jfs_err("diMount: invalid imap parameters: " + "nbperiext(%d) l2nbperiext(%d)", + imap->im_nbperiext, imap->im_l2nbperiext); + release_metapage(mp); + kfree(imap); + return -EINVAL; + } + for (index = 0; index < MAXAG; index++) { imap->im_agctl[index].inofree = le32_to_cpu(dinom_le->in_agctl[index].inofree); -- 2.47.3
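Review bot: the upper bound of 30 in the new `if` needs a comment saying where it comes from; the commit message only says the value must not exceed the width of an integer type, and 30 is specifically the largest exponent for which `(1 << imap->im_l2nbperiext)` still fits in a signed int, so a one-line comment above the check (or a named constant) would stop a later reader from "correcting" it to 31 or 63. Two smaller points on the same hunk: the jfs_err() format string is split across two quoted lines ("diMount: invalid imap parameters: " / "nbperiext(%d) l2nbperiext(%d)"), which checkpatch flags as a quoted string split across lines; keep it on one line even if it passes 80 columns. The logic itself is sound: `||` evaluates left to right, so the shift is only reached once 0 <= im_l2nbperiext <= 30, and the error path releases the metapage before freeing imap.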
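As an added example, not code from the patch, the kernel or the JFS project: a small user-space model of the same validation. It takes a constructed 8-byte image standing in for the two on-disk fields diMount() reads (`in_nbperiext` at offset 0 and `in_l2nbperiext` at offset 4; those offsets, the `L2INOSPEREXT` value of 5 and the statfs-style `db_nfree >> l2nbperiext` arithmetic in `estimate_max_inodes()` are this example's assumptions, not something the page shows), applies the three conditions the patch adds, and only then performs the shift that an unchecked exponent would have fed.

```c
/*
 * Added example, not JFS or kernel code: a user-space model of the check the
 * patch adds to diMount(), applied to a constructed on-disk inode-map control
 * block. Only the two fields the patch validates are modelled; their offsets
 * (0 and 4), L2INOSPEREXT and the statfs-style arithmetic are assumptions.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define L2NBPERIEXT_MAX 30   /* largest x for which (1 << x) fits a signed int */
#define L2INOSPEREXT    5    /* log2(inodes per extent); assumed from JFS headers */

struct imap_params {
	int nbperiext;     /* blocks per inode extent */
	int l2nbperiext;   /* log2 of nbperiext */
};

static uint32_t le32_load(const unsigned char *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The kernel stores the le32 field in an int; reproduce that reinterpretation
 * portably so a raw value >= 2^31 shows up as negative, as it does there. */
static int as_kernel_int(uint32_t v)
{
	return v <= (uint32_t)INT_MAX ? (int)v : (int)((int64_t)v - 4294967296LL);
}

/* Build a constructed 8-byte image: in_nbperiext at 0, in_l2nbperiext at 4. */
void make_image(unsigned char *buf, uint32_t nbperiext, uint32_t l2nbperiext)
{
	for (int i = 0; i < 4; i++) {
		buf[i]     = (unsigned char)(nbperiext   >> (8 * i));
		buf[4 + i] = (unsigned char)(l2nbperiext >> (8 * i));
	}
}

/* Same three conditions as the patch. The || short-circuits left to right, so
 * the shift is only evaluated once 0 <= l2nbperiext <= 30. Returns 0 or -EINVAL. */
int validate_imap(const unsigned char *disk, struct imap_params *out)
{
	out->nbperiext   = as_kernel_int(le32_load(disk));
	out->l2nbperiext = as_kernel_int(le32_load(disk + 4));

	if (out->l2nbperiext < 0 ||
	    out->l2nbperiext > L2NBPERIEXT_MAX ||
	    out->nbperiext != (1 << out->l2nbperiext))
		return -EINVAL;
	return 0;
}

/* Convenience wrapper: build the image for (nb, l2) and validate it. */
int check_case(uint32_t nb, uint32_t l2)
{
	unsigned char img[8];
	struct imap_params p;

	make_image(img, nb, l2);
	return validate_imap(img, &p);
}

/* The statfs-style estimate a corrupted exponent would feed (assumed shape):
 * numinos + (db_nfree >> l2nbperiext) << L2INOSPEREXT, capped at 0xffffffff.
 * Call only after validate_imap() succeeded; the shift is then in bounds. */
int64_t estimate_max_inodes(int64_t numinos, int64_t db_nfree,
			    const struct imap_params *p)
{
	int64_t v = numinos + ((db_nfree >> p->l2nbperiext) << L2INOSPEREXT);
	return v < 0xffffffffLL ? v : 0xffffffffLL;
}

int main(void)
{
	/* Constructed cases: one sane image and four corruptions the check rejects. */
	static const struct { uint32_t nb, l2; const char *what; } cases[] = {
		{ 4, 2,          "sane: 4 blocks per extent, log2 = 2" },
		{ 4, 0xffffffff, "corrupt: l2 reads as -1 in an int" },
		{ 4, 64,         "corrupt: shift count >= width of s64" },
		{ 4, 31,         "corrupt: 1 << 31 overflows int" },
		{ 5, 2,          "corrupt: nbperiext is not 1 << l2" },
	};
	unsigned char img[8];
	struct imap_params p;

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		make_image(img, cases[i].nb, cases[i].l2);
		int rc = validate_imap(img, &p);
		printf("%-42s -> %s\n", cases[i].what,
		       rc ? "rejected (-EINVAL)" : "accepted");
		if (rc == 0)
			printf("  max inodes estimate (64 used, 1000 free blocks): %lld\n",
			       (long long)estimate_max_inodes(64, 1000, &p));
	}
	return 0;
}
```

The order of the three conditions matters: moving the consistency test first would reintroduce the very shift-out-of-bounds the patch is fixing, since `1 << l2` would then run on the unchecked exponent.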