Commit 62462a5b authored Nov 03, 2022 by Liu Shixin via Jfs-discussion Committed by Greg Kroah-Hartman Mar 11, 2023

fs/jfs: fix shift exponent db_agl2size negative



[ Upstream commit fad376fce0af58deebc5075b8539dc05bf639af3 ]

As a shift exponent, db_agl2size can not be less than 0. Add the missing
check to fix the shift-out-of-bounds bug reported by syzkaller:

 UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15
 shift exponent -744642816 is negative

Reported-by:  <syzbot+0be96567042453c0c820@syzkaller.appspotmail.com>
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 7a6fb69b

fs/jfs/jfs_dmap.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -193,7 +193,8 @@ int dbMount(struct inode *ipbmap)
		bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
		bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
		bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
		if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
		if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG \|\|
		bmp->db_agl2size < 0) {
		err = -EINVAL;
		goto err_release_metapage;
		}