CVE-2023-53222 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

jfs: jfs_dmap: Validate db_l2nbperpage while mounting

In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
number inside dbFree(). db_l2nbperpage, which is the log2 number of
blocks per page, is passed as an argument to BLKTODMAP which uses it
for shifting.

Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
too big. This happens because the large value is set without any
validation in dbMount() at line 181.

Thus, make sure that db_l2nbperpage is correct while mounting.

Max number of blocks per page = Page size / Min block size
=> log2(Max num_block per page) = log2(Page size / Min block size)
= log2(Page size) - log2(Min block size)

=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/11509910c599cbd04585ec35a6d5e1a0053d84c1
https://git.kernel.org/stable/c/2a03c4e683d33d17b667418eb717b13dda1fac6b
https://git.kernel.org/stable/c/47b7eaae08e8b2f25bdf37bc14d21be090bcb20f
https://git.kernel.org/stable/c/8c1efe3f74a7864461b0dff281c5562154b4aa8e
https://git.kernel.org/stable/c/a4855aeb13e4ad1f23e16753b68212e180f7d848
https://git.kernel.org/stable/c/c7feb54b113802d2aba98708769d3c33fb017254
https://git.kernel.org/stable/c/de984faecddb900fa850af4df574a25b32bb93f5
https://git.kernel.org/stable/c/ef5c205b6e6f8d1f18ef0b4a9832b1b5fa85f7f2

History

Mon, 15 Sep 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: jfs: jfs_dmap: Validate db_l2nbperpage while mounting In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block number inside dbFree(). db_l2nbperpage, which is the log2 number of blocks per page, is passed as an argument to BLKTODMAP which uses it for shifting. Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is too big. This happens because the large value is set without any validation in dbMount() at line 181. Thus, make sure that db_l2nbperpage is correct while mounting. Max number of blocks per page = Page size / Min block size => log2(Max num_block per page) = log2(Page size / Min block size) = log2(Page size) - log2(Min block size) => Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE
Title		jfs: jfs_dmap: Validate db_l2nbperpage while mounting
References		https://git.kernel.org/stable/c/11509910c599cbd04585ec35a6d5e1a0053d84c1 https://git.kernel.org/stable/c/2a03c4e683d33d17b667418eb717b13dda1fac6b https://git.kernel.org/stable/c/47b7eaae08e8b2f25bdf37bc14d21be090bcb20f https://git.kernel.org/stable/c/8c1efe3f74a7864461b0dff281c5562154b4aa8e https://git.kernel.org/stable/c/a4855aeb13e4ad1f23e16753b68212e180f7d848 https://git.kernel.org/stable/c/c7feb54b113802d2aba98708769d3c33fb017254 https://git.kernel.org/stable/c/de984faecddb900fa850af4df574a25b32bb93f5 https://git.kernel.org/stable/c/ef5c205b6e6f8d1f18ef0b4a9832b1b5fa85f7f2

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-09-15T14:21:50.970Z

Updated: 2025-09-15T14:21:50.970Z

Reserved: 2025-09-15T14:19:21.845Z

Link: CVE-2023-53222

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-09-15T15:15:48.983

Modified: 2025-09-15T15:22:27.090

Link: CVE-2023-53222

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object