CVE-2022-50567

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs: jfs: fix shift-out-of-bounds in dbAllocAG

Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The underlying bug is the missing check of bmp->db_agl2size. The field can be greater than 64 and trigger the shift-out-of-bounds.

Fix this bug by adding a check of bmp->db_agl2size in dbMount since this field is used in many following functions. The upper bound for this field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp. Note that, for maintenance, I reorganized error handling code of dbMount.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d3b486946a4e62c7ef6023f7d9c1d049051384baaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3115313cf03113e87c87adee18ee49a20bbdb9baaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < eea87acb6027be3dd4d3c57186bb22800d57fddaaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 359616ce587e524107730504891afa4b1a8be58caffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3e997e4ce8ae7ab89d72334120f6aee49c5bbdbdaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0536f76a2bca83d1a3740517ba22cc93a44b3099affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2c575c8905f7a8b32d5611b91856b69bac2a5bf1affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 67973caae78e21ee46a7281aaa8ca364eb9c444faffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 898f706695682b9954f280d95e49fa86ffa55d08affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux4.9.337 <= 4.9.*unaffected
LinuxLinux4.14.303 <= 4.14.*unaffected
LinuxLinux4.19.270 <= 4.19.*unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.86 <= 5.15.*unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References