diff options
| author | Liu Shixin via Jfs-discussion <jfs-discussion@lists.sourceforge.net> | 2022-11-03 11:01:59 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-03-11 16:26:50 +0100 |
| commit | 668a1a9868c3bf2f885e78257a9bd0017ea2fa6d (patch) | |
| tree | 2f7881543410a9bc0f2e43f6c74e475898d9d9d9 | |
| parent | 53af9c793f644d5841d84d8e0ad83bd7ab47f3e0 (diff) | |
| download | linux-668a1a9868c3bf2f885e78257a9bd0017ea2fa6d.tar.gz linux-668a1a9868c3bf2f885e78257a9bd0017ea2fa6d.tar.bz2 linux-668a1a9868c3bf2f885e78257a9bd0017ea2fa6d.zip | |
fs/jfs: fix shift exponent db_agl2size negative
[ Upstream commit fad376fce0af58deebc5075b8539dc05bf639af3 ]
As a shift exponent, db_agl2size can not be less than 0. Add the missing
check to fix the shift-out-of-bounds bug reported by syzkaller:
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15
shift exponent -744642816 is negative
Reported-by: syzbot+0be96567042453c0c820@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | fs/jfs/jfs_dmap.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 0ca1ad2610df..6a0f564e58dd 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -206,7 +206,8 @@ int dbMount(struct inode *ipbmap) bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); - if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) { + if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG || + bmp->db_agl2size < 0) { err = -EINVAL; goto err_release_metapage; } |