From: Vadim Havkin
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH] jfs: fix slab-out-of-bounds read in dtSearch
Date: Mon, 12 Jan 2026 15:22:12 +0300
Message-ID: <20260112122212.7133-1-xqzmiplz@yandex.ru>

Syzkaller reported a slab-out-of-bounds read in dtSearch. This occurs when
the driver attempts to access the slot array using an index read from the
stbl (sorted table) without validation.

When working with an inline directory (bn == 0), the p pointer refers to the
dtroot_t structure embedded in jfs_inode_info. This buffer can hold
DTROOTMAXSLOT slots. However, the pointer is cast to (dtpage_t *), which
corresponds to a full page (DTPAGEMAXSLOT slots). If a corrupted image
contains an index in stbl greater than or equal to DTROOTMAXSLOT, the driver
calculates an address outside the allocated slab object.

BUG: KASAN: slab-out-of-bounds in dtSearch+0x21fd/0x2270 fs/jfs/jfs_dtree.c:645
Read of size 1 at addr ffff88810d94b5d4 by task syz-executor107/859

Call Trace:
 kasan_report+0xb9/0xf0
 dtSearch+0x21fd/0x2270
 jfs_lookup+0x180/0x340
 lookup_open.isra.0+0x7a7/0x1430
 path_openat+0xcc0/0x2960
 do_filp_open+0x1c3/0x410
 do_sys_openat2+0x164/0x1d0
 __x64_sys_openat+0x13c/0x1f0

Add a check to ensure that the index read from stbl is valid. For the inline
root (bn == 0), the index must be strictly less than DTROOTMAXSLOT. Note that
stbl values are type s8, so they cannot exceed the external page limit
(DTPAGEMAXSLOT = 128).

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Vadim Havkin
---
 fs/jfs/jfs_dtree.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c index 93db6eec4465..d2bdadaf4672 100644 --- a/fs/jfs/jfs_dtree.c +++ b/fs/jfs/jfs_dtree.c @@ -634,7 +634,8 @@ int dtSearch(struct inode *ip, struct component_name * = key, ino_t * data, for (base =3D 0, lim =3D p->header.nextindex; lim; lim >>=3D 1) { index =3D base + (lim >> 1); =20 - if (stbl[index] < 0) { + if (stbl[index] < 0 || + (bn =3D=3D 0 && stbl[index] >=3D DTROOTMAXSLOT)) { rc =3D -EIO; goto out; } --=20 2.43.0
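Review bot: the new condition rejects a root stbl entry at or above DTROOTMAXSLOT, but the surrounding loop still takes `lim = p->header.nextindex` straight from the same on-disk header, so for the inline root a nextindex larger than the root's sorted table would make `stbl[index]` read past that table before this check ever sees the value. If nextindex is not already validated for the bn == 0 case on the way into dtSearch, consider bounding it against DTROOTMAXSLOT alongside this check; if it is validated elsewhere, a sentence in the commit message saying where would help reviewers confirm that the fix is complete.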