Re: [PATCH] jfs: fix missing bounds check in __jfs_setxattr()

From: Jori Koolstra

Date: Thu Apr 16 2026 - 06:03:04 EST


On Mon, Apr 13, 2026 at 08:03:28AM -0600, Sebastian Alba Vives wrote:
> The loop in __jfs_setxattr() iterates over EA entries without validating
> that NEXT_EA(ea) stays within the ealist buffer. A crafted filesystem
> image with a manipulated EA valuelen field can cause NEXT_EA() to land
> inside the buffer but past the last valid entry, leading to out-of-bounds
> reads in the subsequent memcmp() call.
>
> Fix this by adding the same bounds check already present in
> __jfs_getxattr() and jfs_listxattr().
>
> Reported-by: Sebastian Alba Vives <sebasjosue84@xxxxxxxxx>
> Signed-off-by: Sebastian Alba Vives <sebasjosue84@xxxxxxxxx>
> ---
> fs/jfs/xattr.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
> index 11d7f74d2..320659bb8 100644
> --- a/fs/jfs/xattr.c
> +++ b/fs/jfs/xattr.c
> @@ -688,8 +688,14 @@ int __jfs_setxattr(tid_t tid, struct inode *inode, const char *name,
> new_size = sizeof (struct jfs_ea_list);
>
> if (xattr_size) {
> - for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist);
> + struct jfs_ea *ealist_end = END_EALIST(ealist);
> + for (ea = FIRST_EA(ealist); ea < ealist_end;
> ea = NEXT_EA(ea)) {
> + if (unlikely(ea + 1 > ealist_end) ||

What use is this check? How can ea + 1 > ealist_end immediately after
ea < ealist_end?

> + unlikely(NEXT_EA(ea) > ealist_end)) {
> + rc = -EUCLEAN;
> + goto release;
> + }
> if ((namelen == ea->namelen) &&
> (memcmp(name, ea->name, namelen) == 0)) {
> found = 1;
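Review bot: the `ea + 1 > ealist_end` test at the top of the loop body is reachable and is needed before the `NEXT_EA(ea) > ealist_end` test, because `ea` is a `struct jfs_ea *`, so `ea + 1` is one whole `struct jfs_ea` past `ea`, not one byte: when `ea < ealist_end` holds with fewer than sizeof(struct jfs_ea) bytes left, the header from which NEXT_EA(ea) reads `namelen`/`valuelen` straddles the end of the buffer, and the first test is what stops that read. The ordering is correct as written but easy to misread, as the question above shows; a one-line comment such as "header must fit before NEXT_EA() reads it" would pre-empt that. Since the commit message says the identical check already exists in __jfs_getxattr() and jfs_listxattr(), a third copy is a good moment to pull it into a small shared helper so a future fix lands in one place. The `release` label the error path jumps to is outside the hunk; confirm it frees the ealist buffer acquired earlier in the function.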
> --
> 2.43.0
>

You should also know that jfs is not maintained, and there are MANY
of these issues (see syzbot for instance). To my knowledge the community
has decided to deprioritize these kinds of issues, and perhaps
eventually move to FUSE based implementations for legacy filesystems.

Also, you should cc the general list linux-kernel@xxxxxxxxxxxxxxx and
the jfs maintainer Dave Kleikamp <shaggy@xxxxxxxxxx>. Use the
get_maintainer script.

That being said, these fixes are still accepted. Thanks for your (first?)
contribution :)

Thanks,
Jori.
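An added example, not part of this thread or of fs/jfs/xattr.c: a user-space model of the EA list walk from __jfs_setxattr(), with the two checks from the patch, run over constructed buffers that exercise both of them. The struct layout and the EA_SIZE/NEXT_EA/FIRST_EA/END_EALIST macros are modelled on fs/jfs/jfs_xattr.h (the `namelen + 1` accounts for the name's NUL); the field widths, the helper names put_ea, find_ea and lookup_in_crafted_list, the EUCLEAN fallback value and the sample lists are assumptions of this example.

```c
/* Added example, not jfs code: model of the __jfs_setxattr() EA walk. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EUCLEAN
#define EUCLEAN 117   /* glibc's value; only for non-Linux hosts (assumption) */
#endif

/* On-disk EA header, modelled on fs/jfs/jfs_xattr.h (assumption of this example). */
struct jfs_ea {
	uint8_t  flag;
	uint8_t  namelen;
	uint16_t valuelen;   /* __le16 on disk; host order in this model */
	char     name[];     /* name, NUL, then valuelen bytes of value */
};

struct jfs_ea_list {
	uint32_t size;       /* total bytes, this header included; entries follow */
};

#define EA_SIZE(ea)     (sizeof(struct jfs_ea) + (ea)->namelen + 1 + (ea)->valuelen)
#define NEXT_EA(ea)     ((struct jfs_ea *)((char *)(ea) + EA_SIZE(ea)))
#define FIRST_EA(el)    ((struct jfs_ea *)((char *)(el) + sizeof(struct jfs_ea_list)))
#define END_EALIST(el)  ((struct jfs_ea *)((char *)(el) + (el)->size))

/*
 * The loop with the patch's checks: 1 if found, 0 if not, -EUCLEAN if corrupt.
 * `ea + 1` is one whole struct jfs_ea past `ea`, so the first check rejects an
 * entry whose 4-byte header does not fit even though `ea < ealist_end` held;
 * it must run before NEXT_EA(ea) reads namelen/valuelen from that header.
 * The second rejects an entry whose extent (the bytes memcmp() would read)
 * runs past the buffer.
 */
static int find_ea(struct jfs_ea_list *ealist, const char *name, int namelen)
{
	struct jfs_ea *ealist_end = END_EALIST(ealist);
	struct jfs_ea *ea;

	for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) {
		if (ea + 1 > ealist_end || NEXT_EA(ea) > ealist_end)
			return -EUCLEAN;
		if (namelen == ea->namelen && memcmp(name, ea->name, namelen) == 0)
			return 1;
	}
	return 0;
}

/* Backing store for a constructed list; the union keeps it aligned. */
union ea_buf {
	struct jfs_ea_list list;
	uint8_t raw[128];
};

/* Append one entry (flag 0) at p; returns the bytes written. */
static size_t put_ea(uint8_t *p, const char *name, const char *value)
{
	size_t nl = strlen(name), vl = strlen(value);
	uint16_t v16 = (uint16_t)vl;

	p[0] = 0;
	p[1] = (uint8_t)nl;
	memcpy(p + 2, &v16, sizeof v16);
	memcpy(p + 4, name, nl + 1);          /* name plus its NUL */
	memcpy(p + 4 + nl + 1, value, vl);
	return 4 + nl + 1 + vl;
}

enum craft {
	CRAFT_NONE,         /* well-formed two-entry list */
	CRAFT_SHORT_TAIL,   /* entry 1's valuelen puts NEXT_EA() 1 byte before the end */
	CRAFT_BIG_NAMELEN,  /* entry 2 claims a 50-byte name that runs off the end */
};

/* Build the constructed list {"user.a"="1","user.b"="xy"} (29 bytes), corrupt it
 * as requested, and look `name` up in it. */
int lookup_in_crafted_list(enum craft how, const char *name)
{
	union ea_buf u;
	uint8_t *p = u.raw;
	size_t e1 = sizeof(struct jfs_ea_list);
	size_t e2 = e1 + put_ea(p + e1, "user.a", "1");
	uint32_t size = (uint32_t)(e2 + put_ea(p + e2, "user.b", "xy"));

	memcpy(p, &size, sizeof size);
	if (how == CRAFT_SHORT_TAIL) {
		/* NEXT_EA(entry 1) == ealist_end - 1: inside the buffer, but no room
		 * for a header, so `ea + 1 > ealist_end` fires on the next iteration. */
		uint16_t v = (uint16_t)(size - 1 - (e1 + sizeof(struct jfs_ea) + 6 + 1));
		memcpy(p + e1 + 2, &v, sizeof v);
	} else if (how == CRAFT_BIG_NAMELEN) {
		/* Header fits, but the entry's extent exceeds the buffer; without the
		 * check a lookup with a matching namelen would memcmp() 50 bytes here. */
		p[e2 + 1] = 50;
	}
	return find_ea(&u.list, name, (int)strlen(name));
}

int main(void)
{
	printf("valid/user.b %d  valid/user.z %d  short tail %d  big namelen %d\n",
	       lookup_in_crafted_list(CRAFT_NONE, "user.b"),
	       lookup_in_crafted_list(CRAFT_NONE, "user.z"),
	       lookup_in_crafted_list(CRAFT_SHORT_TAIL, "user.b"),
	       lookup_in_crafted_list(CRAFT_BIG_NAMELEN, "user.b"));
	return 0;
}
```

The CRAFT_SHORT_TAIL list is the situation the `ea + 1` check exists for: after the first entry, `ea` is still below `ealist_end`, yet fewer than sizeof(struct jfs_ea) bytes remain, so NEXT_EA() would read `namelen` and `valuelen` from past the end. CRAFT_BIG_NAMELEN is the case the commit message describes, an entry that starts in bounds but whose declared length (and the name bytes memcmp() would read) extends beyond the list.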