From: Tristan Madani
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzbot+13ba7f3e9a17f77250fe@syzkaller.appspotmail.com
Subject: [PATCH] jfs: validate l2nbperpage in diMount to prevent shift-out-of-bounds
Date: Sat, 18 Apr 2026 13:10:12 +0000
Message-ID: <20260418131012.1039172-1-tristmd@gmail.com>
X-Mailer: git-send-email 2.47.3
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tristan Madani

diMount() reads l2nbperpage from the disk inode aggregate without
validation. A corrupted filesystem image can set this field to a value
exceeding the bit width of the shift operand in jfs_statfs(), causing
UBSAN shift-out-of-bounds.

Add validation of l2nbperpage against reasonable bounds before using it
in arithmetic operations.

Reported-by: syzbot+13ba7f3e9a17f77250fe@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani
Reviewed-by: Yun Zhou
---
 fs/jfs/jfs_imap.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index b84ba4d7dfb44..eafbd2b55df75 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -124,6 +124,18 @@ int diMount(struct inode *ipimap) atomic_set(&imap->im_numfree, le32_to_cpu(dinom_le->in_numfree)); imap->im_nbperiext =3D le32_to_cpu(dinom_le->in_nbperiext); imap->im_l2nbperiext =3D le32_to_cpu(dinom_le->in_l2nbperiext); + + if (imap->im_l2nbperiext < 0 || + imap->im_l2nbperiext > 30 || + imap->im_nbperiext !=3D (1 << imap->im_l2nbperiext)) { + jfs_err("diMount: invalid imap parameters: " + "nbperiext(%d) l2nbperiext(%d)", + imap->im_nbperiext, imap->im_l2nbperiext); + release_metapage(mp); + kfree(imap); + return -EINVAL; + } + for (index =3D 0; index < MAXAG; index++) { imap->im_agctl[index].inofree =3D le32_to_cpu(dinom_le->in_agctl[index].inofree); --=20 2.47.3
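Review bot: the field this hunk validates is in_l2nbperiext / im_l2nbperiext (together with an im_nbperiext power-of-two check), but the Subject line and both paragraphs of the commit message call it l2nbperpage, a name that does not appear anywhere in the hunk; please rename it in the subject and message so the change log matches the code, e.g. "jfs: validate l2nbperiext in diMount() to prevent shift-out-of-bounds". The check itself is ordered correctly: the `< 0 || > 30` range test on im_l2nbperiext short-circuits before `1 << imap->im_l2nbperiext` is evaluated, so the validation cannot be the out-of-range shift it is meant to prevent, and it would be worth one sentence in the message saying so. Two smaller points for the message: it says the shift lives in jfs_statfs() without naming the expression, so state which shift there uses im_l2nbperiext; and since the hunk also rejects an im_nbperiext that is not exactly `1 << im_l2nbperiext`, say that nbperiext is validated as well, since that is what a stable backporter will look for.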
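As an added example (not the patch's code and not anything from fs/jfs), the following user-space C program models the check the hunk adds and the statfs-style shift that later consumes the field: it reads the two values from a constructed little-endian buffer, applies the same bounds the hunk uses, and performs the shift only on input that passed validation. The byte layout, the helper names (build_disk_ctl, parse_imap_ctl, check_pair, max_inodes_for) and the L2INOSPEREXT value are assumptions for illustration; only the bounds themselves come from the hunk.

```c
/*
 * Added example, not code from the patch or from fs/jfs: a user-space model
 * of the validation the hunk adds to diMount() and of the kind of shift that
 * consumes the field afterwards.  The on-disk layout, the helper names and
 * the L2INOSPEREXT value are assumptions for illustration, not JFS
 * identifiers or on-disk offsets.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for the example: 32 inodes per inode extent, so log2 is 5. */
#define L2INOSPEREXT 5

/* In-memory copy of the two fields, as ints, mirroring the patch's types. */
struct imap_ctl {
	int nbperiext;    /* blocks per inode extent */
	int l2nbperiext;  /* log2 of the above; later used as a shift count */
};

static uint32_t le32_read(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed layout: nbperiext then l2nbperiext, each little-endian u32. */
static void build_disk_ctl(uint8_t buf[8], uint32_t nbperiext, uint32_t l2)
{
	for (int i = 0; i < 4; i++) {
		buf[i] = (uint8_t)(nbperiext >> (8 * i));
		buf[4 + i] = (uint8_t)(l2 >> (8 * i));
	}
}

/*
 * Parse and validate; returns 0 or -EINVAL.  The bounds are the hunk's.
 * Ordering matters: the range test on l2nbperiext runs first and
 * short-circuits, so "1 << l2nbperiext" is only evaluated for 0..30 and the
 * check itself can never be the out-of-range shift UBSAN complains about.
 */
int parse_imap_ctl(const uint8_t *disk, struct imap_ctl *out)
{
	out->nbperiext = (int)le32_read(disk);
	out->l2nbperiext = (int)le32_read(disk + 4);

	if (out->l2nbperiext < 0 || out->l2nbperiext > 30 ||
	    out->nbperiext != (1 << out->l2nbperiext))
		return -EINVAL;
	return 0;
}

/* Build a constructed pair, parse it, return the validation status. */
int check_pair(uint32_t nbperiext, uint32_t l2)
{
	uint8_t buf[8];
	struct imap_ctl c;

	build_disk_ctl(buf, nbperiext, l2);
	return parse_imap_ctl(buf, &c);
}

/*
 * Statfs-style consumer: free blocks >> l2nbperiext gives free inode
 * extents, << L2INOSPEREXT turns that into inodes.  With an unvalidated
 * l2nbperiext of, say, 200 the first shift is undefined behaviour; after
 * parse_imap_ctl() succeeded it is a plain shift by 0..30.  Returns -1 if
 * validation fails, so the shift is never reached with bad input.
 */
int64_t max_inodes_for(uint32_t nbperiext, uint32_t l2, int64_t nfree,
		       int64_t numinos)
{
	uint8_t buf[8];
	struct imap_ctl c;
	int64_t v;

	build_disk_ctl(buf, nbperiext, l2);
	if (parse_imap_ctl(buf, &c) != 0)
		return -1;
	v = numinos + ((nfree >> c.l2nbperiext) << L2INOSPEREXT);
	return v > 0xffffffffLL ? 0xffffffffLL : v;
}

int main(void)
{
	/* Constructed inputs: one sane image and three corrupted ones. */
	printf("32/5          -> %d\n", check_pair(32, 5));            /* 0 */
	printf("32/200        -> %d\n", check_pair(32, 200));          /* -EINVAL */
	printf("33/5          -> %d\n", check_pair(33, 5));            /* -EINVAL */
	printf("0/0xffffffff  -> %d\n", check_pair(0, 0xffffffffu));   /* -EINVAL: reads as -1 */
	printf("max inodes (32/5, 4096 free, 100 used) = %lld\n",
	       (long long)max_inodes_for(32, 5, 4096, 100));          /* 4196 */
	return 0;
}
```

Compiling with `cc -fsanitize=undefined` and deleting the range test in parse_imap_ctl() reproduces the class of report the patch addresses: max_inodes_for(32, 200, ...) then performs `nfree >> 200`, which UBSAN flags as a shift exponent too large for the type. With the check in place the corrupted pair never reaches the shift.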