[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20250403190408.2676344-20-sashal@kernel.org>
Date: Thu, 3 Apr 2025 15:03:39 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Cc: Rand Deeb <rand.sec96@...il.com>,
Dave Kleikamp <dave.kleikamp@...cle.com>,
Sasha Levin <sashal@...nel.org>,
shaggy@...nel.org,
eadavis@...com,
rbrasga@....edu,
aha310510@...il.com,
peili.dev@...il.com,
niharchaithanya@...il.com,
ghanshyam1898@...il.com,
jfs-discussion@...ts.sourceforge.net
Subject: [PATCH AUTOSEL 6.13 20/49] fs/jfs: Prevent integer overflow in AG size calculation
From: Rand Deeb <rand.sec96@...il.com>
[ Upstream commit 7fcbf789629cdb9fbf4e2172ce31136cfed11e5e ]
The JFS filesystem calculates allocation group (AG) size using 1 <<
l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
aggregates on 32-bit systems), this 32-bit shift operation causes undefined
behavior and improper AG sizing.
On 32-bit architectures:
- Left-shifting 1 by 32+ bits results in 0 due to integer overflow
- This creates invalid AG sizes (0 or garbage values) in
sbi->bmap->db_agsize
- Subsequent block allocations would reference invalid AG structures
- Could lead to:
- Filesystem corruption during extend operations
- Kernel crashes due to invalid memory accesses
- Security vulnerabilities via malformed on-disk structures
Fix by casting to s64 before shifting:
bmp->db_agsize = (s64)1 << l2agsize;
This ensures 64-bit arithmetic even on 32-bit architectures. The cast
matches the data type of db_agsize (s64) and follows similar patterns in
JFS block calculation code.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@...il.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@...cle.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
fs/jfs/jfs_dmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index f89f07c9580ea..9ac1fc2ed05bc 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3403,7 +3403,7 @@ int dbExtendFS(struct inode *ipbmap, s64 blkno, s64 nblocks)
oldl2agsize = bmp->db_agl2size;
bmp->db_agl2size = l2agsize;
- bmp->db_agsize = 1 << l2agsize;
+ bmp->db_agsize = (s64)1 << l2agsize;
/* compute new number of AG */
agno = bmp->db_numag;
--
2.39.5
Powered by blists - more mailing lists