Message-ID: <20251118164645.67401-1-jkoolstra@xs4all.nl>
Date: Tue, 18 Nov 2025 17:46:45 +0100
From: Jori Koolstra <jkoolstra@...all.nl>
To: brauner@...nel.org,
	gabriel@...sman.be,
	jlayton@...nel.org,
	neil@...wn.name,
	shaggy@...nel.org,
	viro@...iv.linux.org.uk
Cc: jkoolstra@...all.nl,
	jfs-discussion@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	syzbot+cd7590567cc388f064f3@...kaller.appspotmail.com,
	skhan@...uxfoundation.org
Subject: [PATCH] dtInsertEntry can result in buffer overflow on corrupted jfs filesystems

The syzbot bug below has not been fixed yet. If anyone has time I would
greatly appreciate a review of my patch, so it can be moved along.
It has been sitting for a few weeks.

Thanks,
Jori.

Apologies for the resend, I messed up the email headers.

> On 29-10-2025 00:23 CET, Jori Koolstra <jkoolstra@...all.nl> wrote:
> 
> Syzbot reported a general protection fault in inode_set_ctime_current.
> This resulted from the following circumstances: when creating a new file
> via dtInsert, BT_GETSEARCH may yield a pointer to a dtroot which is
> embedded directly in the jfs_inode_info. When finally dtInsertEntry is
> called, if the freelist field or any next field of a slot of the dtpage
> is corrupted, this may result in memory corruption of the parent
> directory inode.
> 
> In this case the i_sb field was corrupted, which raised the gpf when
> in inode_set_ctime_current i_sb was dereferenced to access s_time_gran.
> 
> I tested the patch using the syzbot reproducer and doing some basic
> filesystem operations on a fresh jfs fs, such as "cp -r /usr/include/
> /mnt/jfs/" and "rm -r /mnt/jfs/include/n*"
> 
> Signed-off-by: Jori Koolstra <jkoolstra@...all.nl>
> Reported-by: syzbot+cd7590567cc388f064f3@...kaller.appspotmail.com
> Closes: https://syzbot.org/bug?extid=cd7590567cc388f064f3
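
The failure mode described in the quoted message, a corrupted freelist or slot `next` index steering a write outside the slot array, can be shown on a simplified model. This is an added example, not the patch from this thread and not kernel code; `struct slot`, `struct page`, `NSLOTS`, `freelist_is_sane` and `check_page` are hypothetical names, and the layout (signed 8-bit `next` links, chain terminated by -1, index 0 reserved for the header) is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 9                 /* constructed size; index 0 is the header */

struct slot { int8_t next; uint8_t cnt; uint8_t name[15]; };
struct page { int8_t freelist, freecnt; struct slot slot[NSLOTS]; };

/* Walk the free chain without trusting any index read from the page. */
bool freelist_is_sane(const struct page *p)
{
    uint32_t seen = 0;
    int n = 0;

    for (int i = p->freelist; i != -1; i = p->slot[i].next) {
        if (i < 1 || i >= NSLOTS)      /* would index outside slot[] */
            return false;
        if (seen & (1u << i))          /* cycle in the chain */
            return false;
        seen |= 1u << i;
        n++;
    }
    return n == p->freecnt;            /* chain and header must agree */
}

/* Build a clean page (slots 1..8 free, chained in order), overwrite one link
 * as on-disk corruption would (where == 0 is the list head, where < 0 means
 * no corruption), then validate. */
bool check_page(int where, int8_t bad)
{
    struct page p = { .freelist = 1, .freecnt = NSLOTS - 1 };

    for (int i = 1; i < NSLOTS; i++)
        p.slot[i].next = (i == NSLOTS - 1) ? -1 : (int8_t)(i + 1);
    if (where == 0)
        p.freelist = bad;
    else if (where > 0)
        p.slot[where].next = bad;
    return freelist_is_sane(&p);
}

int main(void)
{
    printf("clean=%d oob=%d cycle=%d short=%d\n", check_page(-1, 0),
           check_page(3, 42), check_page(5, 2), check_page(4, -1));
    return 0;
}
```

Running the check before any slot is written means a corrupted link is rejected instead of being used as an array index into memory that, for an embedded root, belongs to the surrounding inode.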
