From: Rostislav Nesin
To: Dave Kleikamp
Cc: Rostislav Nesin, Roman Smirnov, Zheng Yu, Aditya Dutt, jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, syzbot+8fe3b9efc02bf2d0b458@syzkaller.appspotmail.com
Subject: [PATCH] jfs: fix out-of-bounds access in jfs_readdir
Date: Fri, 6 Feb 2026 15:01:18 +0700
Message-Id: <20260206080118.923439-1-ssp.nesin@crpt.ru>

In jfs_readdir(), the stbl slot index validation uses a maximum value of
DTPAGEMAXSLOT (128). However, for root directory pages (bn == 0) the
maximum valid slot index is DTROOTMAXSLOT (9), not DTPAGEMAXSLOT (128).
This allows slot indices 9-127 to pass validation on root pages, leading
to out-of-bounds access when reading from p->slot[].

Similarly, the 'next' slot index in the directory entry name segment
chain is not validated.
The 'next' field in struct ldtentry and struct dtslot is read directly
from disk (s8 next), and a corrupted filesystem image could contain any
value, causing out-of-bounds access when following the segment chain via
p->slot[next].

BUG: KASAN: slab-out-of-bounds in jfs_strfromUCS_le+0x28d/0x3b0 fs/jfs/jfs_unicode.c:40
Read of size 2 at addr ffff88807a187f72 by task syz.0.6/5913

CPU: 1 UID: 0 PID: 5913 Comm: syz.0.6 Not tainted 6.13.0-rc5-syzkaller-00012-g0bc21e701a6f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 jfs_strfromUCS_le+0x28d/0x3b0 fs/jfs/jfs_unicode.c:40
 jfs_readdir+0x199d/0x3c50 fs/jfs/jfs_dtree.c:2975
 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
 iterate_dir+0x571/0x800 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:403 [inline]
 __se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fix this by validating stbl[i] and next against DTROOTMAXSLOT for root
directory pages (bn == 0).

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Reported-by: syzbot+8fe3b9efc02bf2d0b458@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8fe3b9efc02bf2d0b458
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Rostislav Nesin
---
This patch is prepared on top of the jfs-next branch of the maintainer's
repository (https://github.com/kleikamp/linux-shaggy.git).

 fs/jfs/jfs_dtree.c | 13 +++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 9ab3f2fc61d1..a1b2c3d4e5f6 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c @@ -2902,7 +2902,7 @@ int jfs_readdir(struct file *file, struct dir_context= *ctx) stbl =3D DT_GETSTBL(p); =20 for (i =3D index; i < p->header.nextindex; i++) { - if (stbl[i] < 0) { + if (stbl[i] < 0 || (bn =3D=3D 0 && stbl[i] > DTROOTMAXSLOT)) { jfs_err("JFS: Invalid stbl[%d] =3D %d for inode %ld, block =3D %lld", i, stbl[i], (long)ip->i_ino, (long long)bn); free_page(dirent_buf); @@ -2970,6 +2970,11 @@ int jfs_readdir(struct file *file, struct dir_contex= t *ctx) /* copy name in the additional segment(s) */ next =3D d->next; while (next >=3D 0) { + if (bn =3D=3D 0 && next > DTROOTMAXSLOT) { + jfs_err("JFS: Invalid next %d for inode %ld, block =3D %lld", + next, (long)ip->i_ino, (long long)bn); + goto skip_one; + } t =3D (struct dtslot *) & p->slot[next]; name_ptr +=3D outlen; d_namleft -=3D len; --=20 2.34.1
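Review bot: the new upper bound in the first hunk, `stbl[i] > DTROOTMAXSLOT`, still admits index 9 on a root page, while the commit message itself says indices 9-127 are out of bounds for root pages (DTROOTMAXSLOT is the size of the root page's slot array, so the last valid index is 8); a `>=` test, `stbl[i] >= DTROOTMAXSLOT`, matches the description. The message also says the existing validation "uses a maximum value of DTPAGEMAXSLOT", but the removed line only tests `stbl[i] < 0`; it should state what the code actually checks (it is the s8 type of stbl[i] that keeps non-root indices below 128). Finally, the diffstat reports 12 insertions and 1 deletion, while the two hunks shown add 6 lines and remove 1, so it looks stale and should be regenerated.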
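Review bot: the second hunk has the same boundary problem, `next > DTROOTMAXSLOT` lets `next == 9` through, so the following `t = (struct dtslot *) & p->slot[next]` can still address one slot past a root page's array; use `next >= DTROOTMAXSLOT`. The two new checks also take different error paths: a bad stbl[i] frees dirent_buf and abandons the entry list, whereas a bad `next` does `goto skip_one` and silently drops just that entry. If skipping a single entry with a corrupted name chain is the intended behaviour, the commit message should say so, since the two checks guard the same kind of on-disk corruption.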