Message-Id: <20250925025854.8061-1-pedrodemargomes@gmail.com>
Date: Wed, 24 Sep 2025 23:58:54 -0300
From: Pedro Demarchi Gomes <pedrodemargomes@...il.com>
To: shaggy@...nel.org,
	duttaditya18@...il.com,
	ghanshyam1898@...il.com
Cc: jfs-discussion@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	Pedro Demarchi Gomes <pedrodemargomes@...il.com>,
	syzbot+13ba7f3e9a17f77250fe@...kaller.appspotmail.com
Subject: [PATCH] jfs: fix im_l2nbperiext shift out of bounds

When reading im_l2nbperiext from disk, check if its value is valid.
Since im_l2nbperiext is the log2 of a 32-bit number, its maximum value is 31.


Reported-by: syzbot+13ba7f3e9a17f77250fe@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=13ba7f3e9a17f77250fe
Signed-off-by: Pedro Demarchi Gomes <pedrodemargomes@...il.com>
---
 fs/jfs/jfs_imap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index ecb8e05b8b84..6abeb78c9eb4 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -124,6 +124,10 @@ int diMount(struct inode *ipimap)
 	atomic_set(&imap->im_numfree, le32_to_cpu(dinom_le->in_numfree));
 	imap->im_nbperiext = le32_to_cpu(dinom_le->in_nbperiext);
 	imap->im_l2nbperiext = le32_to_cpu(dinom_le->in_l2nbperiext);
+	if (imap->im_l2nbperiext > 31) {
+		jfs_err("diMount: invalid im_l2nbperiext");
+		return -EIO;
+	}
 	for (index = 0; index < MAXAG; index++) {
 		imap->im_agctl[index].inofree =
 		    le32_to_cpu(dinom_le->in_agctl[index].inofree);
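
Review bot: the bare `return -EIO;` in the new check runs after imap has already been filled in from dinom_le, so it leaves diMount() without releasing whatever the function acquired to get imap and the buffer behind dinom_le. That acquisition is outside this hunk, so please confirm it and, if anything is held at this point, release it before returning rather than returning directly. Two smaller points: the jfs_err() message should include the rejected value so a corrupted image can be diagnosed from the log, and since im_nbperiext is read on the line just above, consider also rejecting an image where im_nbperiext disagrees with 1 << im_l2nbperiext, if the two fields are meant to stay consistent.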
-- 
2.39.5

