Message-ID: <tencent_C9EB8AEFD2CCF0793A6CD02EB56DE4952C0A@qq.com>
Date: Sun, 7 Dec 2025 11:52:57 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+fa603ae6b02658401ca7@...kaller.appspotmail.com
Cc: jfs-discussion@...ts.sourceforge.net,
linux-kernel@...r.kernel.org,
shaggy@...nel.org,
syzkaller-bugs@...glegroups.com
Subject: [PATCH] jfs: Add a sanity check for budmin
In a corrupted file system image, the budmin value is less than 0,
which causes the lazycommit thread to report an out-of-bounds error
when retrieving the buddy size in dbJoin [1].
Add a check for potentially negative budmin to avoid the problem in [1].
[1]
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2795:11
shift exponent 132 is too large for 32-bit type 'int'
Call Trace:
dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734
Reported-by: syzbot+fa603ae6b02658401ca7@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Tested-by: syzbot+fa603ae6b02658401ca7@...kaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
fs/jfs/jfs_dmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..8f8084756e32 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2291,6 +2291,8 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int rc = 0;
int size;
+ if (tp->dmt_budmin < 0)
+ return -EUCLEAN;
/* determine the bit number and word within the dmap of the
* starting block.
*/
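Review bot: The new `if (tp->dmt_budmin < 0) return -EUCLEAN;` rejects the corrupted value but carries no comment explaining why a negative budmin is invalid, and it fails silently; in jfs the usual pattern for on-disk metadata that turns out to be inconsistent is to report it through jfs_error() so the filesystem is marked and the user sees why the free failed, rather than a bare -EUCLEAN. Please also confirm that the callers visible in the trace (dbFreeDmap -> dbFree -> txFreeMap -> txUpdateMap on the lazycommit path) actually propagate the new error instead of discarding it, since an ignored return value would leave the corrupted dmap in use. Finally, since dmt_budmin is read from disk once per dmap, validating it when the dmap page is brought in (where dbFreeBits' sibling paths also consume the tree) would cover every consumer with a single check instead of guarding only the dbFreeBits -> dbJoin path hit by the reproducer.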
--
2.43.0