fs/jfs: Add check for negative db_l2nbperpage

juntongdeng · kleikamp · commit 525b861a0081 · 2023-10-03T18:26:59.000-05:00
l2nbperpage is log2(number of blks per page), and the minimum legal value should be 0, not negative. In the case of l2nbperpage being negative, an error will occur when subsequently used as shift exponent. Syzbot reported this bug: UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12 shift exponent -16777216 is negative Reported-by: syzbot+debee9ab7ae2b34b0307@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=debee9ab7ae2b34b0307 Signed-off-by: Juntong Deng <juntong.deng@outlook.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
@@ -180,7 +180,8 @@ int dbMount(struct inode *ipbmap)
 	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
 
 	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
-	if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
+	if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE ||
+		bmp->db_l2nbperpage < 0) {
 		err = -EINVAL;
 		goto err_release_metapage;
 	}

Original file line number	Diff line number	Diff line change
`@@ -180,7 +180,8 @@ int dbMount(struct inode *ipbmap)`
`180`	`180`	`bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);`
`181`	`181`
`182`	`182`	`bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);`
`183`		`- if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {`
	`183`	`+ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE \|\|`
	`184`	`+ bmp->db_l2nbperpage < 0) {`
`184`	`185`	`err = -EINVAL;`
`185`	`186`	`goto err_release_metapage;`
`186`	`187`	`}`