From: Rostislav Nesin
To: Dave Kleikamp
Cc: Rostislav Nesin, Roman Smirnov, Zheng Yu, Aditya Dutt, jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, syzbot+8fe3b9efc02bf2d0b458@syzkaller.appspotmail.com
Subject: [PATCH v2] jfs: fix out-of-bounds access in jfs_readdir
Date: Mon, 9 Feb 2026 10:15:37 +0700
Message-Id: <20260209031537.391370-1-ssp.nesin@crpt.ru>
X-Mailer: git-send-email 2.34.1

In jfs_readdir(), the stbl slot index validation uses a maximum value of
DTPAGEMAXSLOT (128). However, for root directory pages (bn == 0) the
maximum valid slot index is DTROOTMAXSLOT (9), not DTPAGEMAXSLOT (128).
This allows slot indices 9-127 to pass validation on root pages, leading
to out-of-bounds access when reading from p->slot[].

Similarly, the 'next' slot index in the directory entry name segment
chain is not validated.
The 'next' field in struct ldtentry and struct dtslot is read directly
from disk (s8 next), and a corrupted filesystem image could contain any
value, causing out-of-bounds access when following the segment chain via
p->slot[next].

BUG: KASAN: slab-out-of-bounds in jfs_strfromUCS_le+0x28d/0x3b0 fs/jfs/jfs_unicode.c:40
Read of size 2 at addr ffff88807a187f72 by task syz.0.6/5913

CPU: 1 UID: 0 PID: 5913 Comm: syz.0.6 Not tainted 6.13.0-rc5-syzkaller-00012-g0bc21e701a6f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 jfs_strfromUCS_le+0x28d/0x3b0 fs/jfs/jfs_unicode.c:40
 jfs_readdir+0x199d/0x3c50 fs/jfs/jfs_dtree.c:2975
 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
 iterate_dir+0x571/0x800 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:403 [inline]
 __se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fix this by validating stbl[i] and next against DTROOTMAXSLOT for root
directory pages (bn == 0).

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Reported-by: syzbot+8fe3b9efc02bf2d0b458@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8fe3b9efc02bf2d0b458
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Rostislav Nesin
---
This patch is prepared on top of the jfs-next branch of the maintainer's
repository (https://github.com/kleikamp/linux-shaggy.git).

v2:
- Fix comparison operator

 fs/jfs/jfs_dtree.c | 13 +++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 9ab3f2fc61d1..a1b2c3d4e5f6 100644
--- a/fs/jfs/jfs_dtree.c +++ b/fs/jfs/jfs_dtree.c @@ -2902,7 +2902,7 @@ int jfs_readdir(struct file *file, struct dir_context= *ctx) stbl =3D DT_GETSTBL(p); =20 for (i =3D index; i < p->header.nextindex; i++) { - if (stbl[i] < 0) { + if (stbl[i] < 0 || (bn =3D=3D 0 && stbl[i] >=3D DTROOTMAXSLOT)) { jfs_err("JFS: Invalid stbl[%d] =3D %d for inode %ld, block =3D %lld", i, stbl[i], (long)ip->i_ino, (long long)bn); free_page(dirent_buf); @@ -2970,6 +2970,11 @@ int jfs_readdir(struct file *file, struct dir_contex= t *ctx) /* copy name in the additional segment(s) */ next =3D d->next; while (next >=3D 0) { + if (bn =3D=3D 0 && next >=3D DTROOTMAXSLOT) { + jfs_err("JFS: Invalid next %d for inode %ld, block =3D %lld", + next, (long)ip->i_ino, (long long)bn); + goto skip_one; + } t =3D (struct dtslot *) & p->slot[next]; name_ptr +=3D outlen; d_namleft -=3D len; --=20 2.34.1
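Review bot: in the first hunk, the new condition `if (stbl[i] < 0 || (bn == 0 && stbl[i] >= DTROOTMAXSLOT))` adds an upper bound only for root pages, while the commit message says the existing validation already caps indices at DTPAGEMAXSLOT (128); nothing in the visible context around this check does so, the removed line tested only `stbl[i] < 0`. Either point the commit message at where that cap is enforced, or put a one-line comment above the check explaining why non-root pages need no explicit upper bound here, so the asymmetry does not look like an oversight. The jfs_err text is unchanged and now fires for two distinct corruption patterns (negative index, and root-page index at or above DTROOTMAXSLOT); including bn in the message already helps, but wording it so the two cases are distinguishable in logs would make triage of fuzzer-found images easier.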
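Review bot: in the second hunk, the recovery on an invalid `next` is inconsistent with the first hunk: a bad stbl[i] frees dirent_buf and takes the error path, whereas `goto skip_one` here drops just this entry after jfs_err, at a point where part of the name has already been copied and name_ptr, outlen and d_namleft are mid-update. Either state in the commit message why skipping a single entry is the right recovery for a corrupted segment chain while a bad stbl[i] aborts the whole readdir, or make both cases take the same path. Since the message notes that `next` is declared s8, a short comment on the new `if (bn == 0 && next >= DTROOTMAXSLOT)` line saying that the s8 range already keeps non-root pages below DTPAGEMAXSLOT (128), and that only the 9-slot root page needs the explicit test, would document why bn != 0 is intentionally not checked.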