From: Kery Qi
To: shaggy@kernel.org
Cc: dmantipov@yandex.ru, eadavis@qq.com, quic_zhonhan@quicinc.com, jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, Kery Qi
Subject: [PATCH] jfs: fix array-index-out-of-bounds in diExtendFS
Date: Thu, 22 Jan 2026 09:25:42 +0800
Message-ID: <20260122012541.1927-2-qikeyu2017@gmail.com>

Similar to the issue fixed in commit 49f9637aafa6 ("jfs: fix array-index-out-of-bounds in diNewExt"), the diExtendFS() function also lacks validation for the AG (allocation group) number.

In diExtendFS(), the variable 'n' is computed from iagp->agstart which is read from disk. If agstart contains a malicious or corrupted value, 'n' may exceed the bounds of the im_agctl[] array (size MAXAG), leading to an out-of-bounds access.

Add a boundary check for 'n' after computation to ensure it falls within the valid range [0, MAXAG). If the check fails, release the metapage and return -EIO.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kery Qi
--- fs/jfs/jfs_imap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index ecb8e05b8b84..24b414bffd29 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c
@@ -2900,6 +2900,11 @@ int diExtendFS(struct inode *ipimap, struct inode *i= pbmap) =20 agstart =3D le64_to_cpu(iagp->agstart); n =3D agstart >> mp->db_agl2size; + if (n < 0 || n >=3D MAXAG) { + release_metapage(bp); + jfs_error(ipimap->i_sb, "invalid AG number\n"); + return -EIO; + } iagp->agstart =3D cpu_to_le64((s64)n << mp->db_agl2size); =20 /* compute backed inodes */ --=20 2.34.1
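
Review bot: the added test `if (n < 0 || n >= MAXAG)` runs on `n` after the assignment `n = agstart >> mp->db_agl2size`, and the `(s64)n` cast on the context line that follows suggests `n` is narrower than the 64-bit `agstart` (its declaration is not visible in this hunk). If that is the case, an on-disk agstart whose shifted value does not fit in `n` is truncated before the comparison and can land inside [0, MAXAG), so the check passes on a corrupted value. Consider validating the 64-bit quantity before narrowing, for example testing `agstart < 0 || (agstart >> mp->db_agl2size) >= MAXAG` and assigning `n` only afterwards. Including the offending agstart value in the jfs_error() message would also make a corrupted image easier to diagnose from the log than the fixed string "invalid AG number".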