5.5

CVE-2025-37858

fs/jfs: Prevent integer overflow in AG size calculation

In the Linux kernel, the following vulnerability has been resolved:

fs/jfs: Prevent integer overflow in AG size calculation

The JFS filesystem calculates allocation group (AG) size using 1 <<
l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
aggregates on 32-bit systems), this 32-bit shift operation causes undefined
behavior and improper AG sizing.

On 32-bit architectures:
- Left-shifting 1 by 32+ bits results in 0 due to integer overflow
- This creates invalid AG sizes (0 or garbage values) in
sbi->bmap->db_agsize
- Subsequent block allocations would reference invalid AG structures
- Could lead to:
  - Filesystem corruption during extend operations
  - Kernel crashes due to invalid memory accesses
  - Security vulnerabilities via malformed on-disk structures

Fix by casting to s64 before shifting:
bmp->db_agsize = (s64)1 << l2agsize;

This ensures 64-bit arithmetic even on 32-bit architectures. The cast
matches the data type of db_agsize (s64) and follows similar patterns in
JFS block calculation code.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 5.4.293
LinuxLinux Kernel Version >= 5.5 < 5.10.237
LinuxLinux Kernel Version >= 5.11 < 5.15.181
LinuxLinux Kernel Version >= 5.16 < 6.1.135
LinuxLinux Kernel Version >= 6.2 < 6.6.88
LinuxLinux Kernel Version >= 6.7 < 6.12.24
LinuxLinux Kernel Version >= 6.13 < 6.13.12
LinuxLinux Kernel Version >= 6.14 < 6.14.3
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.25% 0.167
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

https://git.kernel.org/stable/c/dd07a985e2ded47b6c7d69fc93c1fe02977c8454
Patch
https://git.kernel.org/stable/c/8bb29629a5e4090e1ef7199cb42db04a52802239
Patch
https://git.kernel.org/stable/c/3d8a45f87010a802aa214bf39702ca9d99cbf3ba
Patch
https://git.kernel.org/stable/c/55edbf5dbf60a8195c21e92124c4028939ae16b2
Patch
https://git.kernel.org/stable/c/7ccf3b35274512b60ecb614e0637e76bd6f2d829
Patch
https://git.kernel.org/stable/c/c802a6a4009f585111f903e810b3be9c6d0da329
Patch
https://git.kernel.org/stable/c/211ed8f5e39e61f9e4d18edd64ce8005a67a1b2a
Patch
https://git.kernel.org/stable/c/ec34cdf4f917cc6abd306cf091f8b8361fedac88
Patch
https://git.kernel.org/stable/c/7fcbf789629cdb9fbf4e2172ce31136cfed11e5e
Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
Third Party Advisory
Mailing List