CVE-2025-38230

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jfs: validate AG parameters in dbMount() to prevent crashes<br /> <br /> Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch<br /> corrupted metadata early and avoid undefined behavior in dbAllocAG.<br /> Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE:<br /> <br /> - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift<br /> (L2LPERCTL - 2*agheight) &gt;= 0.<br /> - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight))<br /> ensures agperlev &gt;= 1.<br /> - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5).<br /> - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG;<br /> 2^(10 - 2*agheight) prevents division to 0.<br /> - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within<br /> stree (size 1365).<br /> - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8).<br /> <br /> UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9<br /> shift exponent -335544310 is negative<br /> CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0<br /> Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> ubsan_epilogue lib/ubsan.c:231 [inline]<br /> __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468<br /> dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400<br /> dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613<br /> jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105<br /> jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:906 [inline]<br /> __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.