Message-ID: <40db68fc-a5a3-4bb2-abc5-b93ee2429602@oracle.com>
Date: Mon, 1 Dec 2025 16:35:49 -0600
From: Dave Kleikamp <dave.kleikamp@...cle.com>
To: Jori Koolstra <jkoolstra@...all.nl>, brauner@...nel.org,
        gabriel@...sman.be, jlayton@...nel.org, neil@...wn.name,
        viro@...iv.linux.org.uk
Cc: jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        syzbot+cd7590567cc388f064f3@...kaller.appspotmail.com,
        skhan@...uxfoundation.org
Subject: Re: [PATCH] jfs: dtInsertEntry can result in buffer overflow on
 corrupted jfs filesystems

On 12/1/25 7:20AM, Jori Koolstra wrote:
> Below syzbot bug has not been fixed yet. If anyone has time I would
> greatly appreciate a review of my patch, so it can be moved along.
> It has been sitting for quite a few weeks.

I've been busy with some other work as well as being out on vacation 
lately. I have several patches to review, but have not forgotten this. 
I'll try to get to it later this week.

Thanks,
Shaggy

> 
> Thanks,
> Jori.
> 
>> On 29-10-2025 00:23 CET, Jori Koolstra <jkoolstra@...all.nl> wrote:
>>
>>
>> Syzbot reported a general protection fault in inode_set_ctime_current.
>> This resulted from the following circumstances: when creating a new file
>> via dtInsert, BT_GETSEARCH may yield a pointer to a dtroot which is
>> embedded directly in the jfs_inode_info. When finally dtInsertEntry is
>> called, if the freelist field or any next field of a slot of the dtpage
>> is corrupted, this may result in memory corruption of the parent
>> directory inode.
>>
>> In this case the i_sb field was corrupted, which raised the gpf when
>> in inode_set_ctime_current i_sb was dereferenced to access s_time_gran.
>>
>> I tested the patch using the syzbot reproducer and doing some basic
>> filesystem operations on a fresh jfs fs, such as "cp -r /usr/include/
>> /mnt/jfs/" and "rm -r /mnt/jfs/include/n*"
>>
>> Signed-off-by: Jori Koolstra <jkoolstra@...all.nl>
>> Reported-by: syzbot+cd7590567cc388f064f3@...kaller.appspotmail.com
>> Closes: https://syzbot.org/bug?extid=cd7590567cc388f064f3
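The commit message quoted above describes dtInsertEntry following slot indices (the freelist and a slot's next field) read from a corrupted dtpage, so that an out-of-range index writes past the dtroot embedded in jfs_inode_info into the parent directory inode. The following is an added example, not the patch under review or JFS code: a simplified C model of such a free-slot chain with the validation a practitioner would want before any write, rejecting out-of-range indices, cycles and a count mismatch; NSLOTS, the structure fields and CHAIN_END are assumptions, not JFS's layout.

```c
/* Simplified model of a directory page whose free slots are chained
 * through on-disk indices (added example, not JFS's real layout). */
#include <stdint.h>
#include <stdbool.h>

#define NSLOTS 9          /* assumption: a small root-like page */
#define CHAIN_END (-1)    /* end-of-chain marker */
struct page {
    int8_t freelist;      /* head of the free chain, from disk */
    int8_t freecnt;       /* claimed number of free slots, from disk */
    int8_t next[NSLOTS];  /* per-slot "next free" index, from disk */
};

/* Walk the chain read-only: each index must stay inside the page, the
 * chain must not cycle, and its length must match freecnt. */
bool freelist_ok(const struct page *p)
{
    bool seen[NSLOTS] = { false };
    int n = 0;
    for (int8_t i = p->freelist; i != CHAIN_END; i = p->next[i]) {
        if (i < 0 || i >= NSLOTS)  /* would index past the page */
            return false;
        if (seen[i])               /* cycle: endless loop or slot reuse */
            return false;
        seen[i] = true;
        n++;
    }
    return n == p->freecnt;
}

/* Pop a free slot only after validation; -1 means the page is corrupt. */
int slot_alloc(struct page *p)
{
    if (!freelist_ok(p) || p->freelist == CHAIN_END)
        return -1;
    int8_t i = p->freelist;
    p->freelist = p->next[i];
    p->freecnt--;
    return i;
}

/* Build a well-formed page: all slots free, chained from slot 0. */
struct page page_init(void)
{
    struct page p = { 0 };   /* zero-init puts the chain head at slot 0 */
    p.freecnt = NSLOTS;
    for (int i = 0; i < NSLOTS; i++)
        p.next[i] = (i + 1 < NSLOTS) ? (int8_t)(i + 1) : CHAIN_END;
    return p;
}
```

With an embedded page such as the dtroot, any write through an unchecked index at or beyond NSLOTS lands in the enclosing object's other fields, which is why the validation runs before the first write rather than after.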

