CVE-2023-52604

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52604
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52604.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52604
Downstream
Related
Published
2024-03-06T06:45:30.246Z
Modified
2025-11-27T02:32:46.877229Z
Summary
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
Details

In the Linux kernel, the following vulnerability has been resolved:

FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree

Syzkaller reported the following issue:

UBSAN: array-index-out-of-bounds in fs/jfs/jfsdmap.c:2867:6 index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]') CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x1e7/0x2d0 lib/dumpstack.c:106 ubsanepilogue lib/ubsan.c:217 [inline] _ubsanhandleoutofbounds+0x11c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfsdmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfsdmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfsdmap.c:2331 dbFreeDmap fs/jfs/jfsdmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfsdmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfstxnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfstxnmgr.c:2664 [inline] jfslazycommit+0x47a/0xb70 fs/jfs/jfstxnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 retfromfork+0x48/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x11/0x20 arch/x86/entry/entry64.S:304

</TASK>

Kernel panic - not syncing: UBSAN: paniconwarn set ... CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x1e7/0x2d0 lib/dumpstack.c:106 panic+0x30f/0x770 kernel/panic.c:340 checkpaniconwarn+0x82/0xa0 kernel/panic.c:236 ubsanepilogue lib/ubsan.c:223 [inline] _ubsanhandleoutofbounds+0x13c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfsdmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfsdmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfsdmap.c:2331 dbFreeDmap fs/jfs/jfsdmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfsdmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfstxnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfstxnmgr.c:2664 [inline] jfslazycommit+0x47a/0xb70 fs/jfs/jfstxnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 retfromfork+0x48/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x11/0x20 arch/x86/entry/entry64.S:304 </TASK> Kernel Offset: disabled Rebooting in 86400 seconds..

The issue is caused when the value of lp becomes greater than CTLTREESIZE which is the max size of stree. Adding a simple check solves this issue.

Dave: As the function returns a void, good error handling would require a more intrusive code reorganization, so I modified Osama's patch at use WARNONONCE for lack of a cleaner option.

The patch is tested via syzbot.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2023/52xxx/CVE-2023-52604.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
e3e95c6850661c77e6dab079d9b5374a618ebb15
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
98f9537fe61b8382b3cc5dd97347531698517c56
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
de34de6e57bbbc868e4fcf9e98c76b3587cabb0b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
6fe8b702125aeee6ce83f20092a2341446704e7b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
42f433785f108893de0dd5260bafb85d7d51db03
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
6a44065dd604972ec1fbcccbdc4a70d266a89cdd
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
59342822276f753e49d27ef5eebffbba990572b9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.307
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.269
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.210
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.149
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.77
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.16
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.4