| author | Liu Shixin via Jfs-discussion <jfs-discussion@lists.sourceforge.net> | 2022-11-03 11:01:59 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-03-11 16:44:07 +0100 |
| commit | 62462a5b4f4dbb3bc1c9d22b537164a441fdb058 (patch) | |
| tree | 2aeda251dca6a5a1cce3327b1332a6093d1f0dcd /fs | |
| parent | 7a6fb69bbcb21e9ce13bdf18c008c268874f0480 (diff) | |
fs/jfs: fix shift exponent db_agl2size negative

[ Upstream commit fad376fce0af58deebc5075b8539dc05bf639af3 ]

As a shift exponent, db_agl2size can not be less than 0. Add the missing
check to fix the shift-out-of-bounds bug reported by syzkaller:

UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15
shift exponent -744642816 is negative

Reported-by: syzbot+0be96567042453c0c820@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

Diffstat (limited to 'fs')
| -rw-r--r-- | fs/jfs/jfs_dmap.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index aa4643854f94..cc1fed285b2d 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -193,7 +193,8 @@ int dbMount(struct inode *ipbmap) bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); - if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) { + if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG || + bmp->db_agl2size < 0) { err = -EINVAL; goto err_release_metapage; } |
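
Review bot: the new `bmp->db_agl2size < 0` arm in dbMount() only has an effect because the destination field is signed, and nothing in the hunk says so. `le32_to_cpu(dbmp_le->dn_agl2size)` yields an unsigned 32-bit value, so the test catches an oversized on-disk value only after the assignment has turned it into a negative signed one (the UBSAN report's exponent of -744642816 is such a value). A short comment above the check, noting that the field comes straight from the on-disk structure and is later used as a shift exponent, would stop the `< 0` arm from being removed as dead code if the field's type ever changes. Separately, `db_agwidth` and `db_agstart` are loaded from the same `dbmp_le` structure on the two lines above and receive no range check in the lines shown; it is worth confirming they are validated elsewhere, or bounding them here while the `-EINVAL` / `err_release_metapage` path is already in place.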
