fs: jfs: fix shift-out-of-bounds in dbDiscardAG

This should be applied to most URSAN bugs found recently by syzbot,
by guarding the dbMount. As syzbot feeding rubbish into the bmap
descriptor.

Signed-off-by: Hoi Pok Wu <[email protected]>
Signed-off-by: Dave Kleikamp <[email protected]>

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index e1cbfbb603034160dbf5d93e0754df38dd00dbcb..765838578a722ca034b151f9ce6596123422752f 100644 (file)
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -198,6 +198,11 @@ int dbMount(struct inode *ipbmap)
                goto err_release_metapage;
        }
 
+       if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
+               err = -EINVAL;
+               goto err_release_metapage;
+       }
+
        for (i = 0; i < MAXAG; i++)
                bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
        bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);