From: Liu Shixin via Jfs-discussion
Date: Thu, 3 Nov 2022 03:01:59 +0000 (+0800)
Subject: fs/jfs: fix shift exponent db_agl2size negative
X-Git-Tag: v6.6.17~5393^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fad376fce0af58deebc5075b8539dc05bf639af3;p=platform%2Fkernel%2Flinux-rpi.git

fs/jfs: fix shift exponent db_agl2size negative

As a shift exponent, db_agl2size can not be less than 0. Add the missing check to fix the shift-out-of-bounds bug reported by syzkaller:

UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2227:15
shift exponent -744642816 is negative

Reported-by: syzbot+0be96567042453c0c820@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Liu Shixin
Signed-off-by: Dave Kleikamp
---
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 7658385..a3eb1e8 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -193,7 +193,8 @@ int dbMount(struct inode *ipbmap) bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); - if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) { + if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG || + bmp->db_agl2size < 0) { err = -EINVAL; goto err_release_metapage; }
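Review bot: the new `bmp->db_agl2size < 0` test in dbMount only rejects negative values if the db_agl2size member is a signed type; the value is assigned from `le32_to_cpu(dbmp_le->dn_agl2size)`, which produces an unsigned 32-bit result, so if the member were unsigned the comparison would always be false and the shift at jfs_dmap.c:2227 would still receive an out-of-range exponent. Worth confirming the member's type in the bmap struct, or checking the value before the implicit conversion (for example `if ((s32)le32_to_cpu(dbmp_le->dn_agl2size) < 0)`), and adding a one-line comment that this is mount-time validation of untrusted on-disk metadata so a later reader does not drop the lower bound as redundant.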