lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20251225182852.508200-1-swilczek.lx@gmail.com>
Date: Thu, 25 Dec 2025 19:28:52 +0100
From: Szymon Wilczek <swilczek.lx@...il.com>
To: shaggy@...nel.org
Cc: jfs-discussion@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	syzbot+a939a1121380d3212940@...kaller.appspotmail.com,
	Szymon Wilczek <swilczek.lx@...il.com>
Subject: [PATCH] jfs: fix array-index-out-of-bounds in dtSplitPage

The dtSplitPage function creates a new struct dt_lock (which wraps
struct linelock) using txLinelock. txLinelock initializes the
linelock with maxcnt = TLOCKLONG.

However, struct linelock defines the lv array with size 20, while
TLOCKLONG is 28. This leads to a mismatch where maxcnt allows indexing
beyond the defined array size.

This causes an array-index-out-of-bounds error when dtSplitPage or
dtMoveEntry accesses indices between 20 and 27.

Fix this by using TLOCKLONG for the lv array size in struct
linelock. This ensures the structure definition matches the maximum
possible index used in the code.

The size of struct linelock increases from 48 bytes to 64 bytes, but
this fits safely within the 72-byte struct tlock allocation path used
by txLinelock. For the txLock path (where linelock overlays
tlock.lock[]), the code explicitly sets maxcnt = TLOCKSHORT (20), so
access remains within the safe 48-byte limit.

Reported-by: syzbot+a939a1121380d3212940@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a939a1121380d3212940
Signed-off-by: Szymon Wilczek <swilczek.lx@...il.com>
---
 fs/jfs/jfs_txnmgr.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/jfs_txnmgr.h b/fs/jfs/jfs_txnmgr.h
index ba71eb5ced56..04eac3850ff0 100644
--- a/fs/jfs/jfs_txnmgr.h
+++ b/fs/jfs/jfs_txnmgr.h
@@ -165,8 +165,8 @@ struct linelock {
 	u8 l2linesize;		/* 1: log2 of linesize */
 	/* (8) */
 
-	struct lv lv[20];	/* 40: */
-};				/* (48) */
+	struct lv lv[TLOCKLONG];	/* 56: */
+};				/* (64) */
 
 #define dt_lock	linelock
 
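Review bot: the safety of the size change is argued only in the commit message (the 64-byte struct fits the 72-byte tlock allocation used by txLinelock; the txLock overlay path caps maxcnt at TLOCKSHORT), but nothing in the patch enforces either invariant, so a later change to TLOCKLONG or to struct lv could silently reintroduce the out-of-bounds access. Suggest adding a compile-time check next to the struct, such as `static_assert(sizeof(struct linelock) <= sizeof(struct tlock));` where struct tlock is already visible (or a BUILD_BUG_ON in the .c file), and, in the txLock path, a check that maxcnt never exceeds the number of lv entries that actually fit in tlock.lock[]. Minor: the updated layout comments `/* 56: */` and `/* (64) */` hard-code TLOCKLONG == 28 while the array bound is now symbolic; a comment like `/* TLOCKLONG * sizeof(struct lv) */` would stay accurate if the constant changes.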
-- 
2.52.0
