CVE-2022-50567
Description
In the Linux kernel, the following vulnerability has been resolved:
fs: jfs: fix shift-out-of-bounds in dbAllocAG
Syzbot found a crash: UBSAN: shift-out-of-bounds in dbAllocAG. The underlying bug is the missing check of bmp->db_agl2size. The field can be greater than 64 and trigger the shift-out-of-bounds.
Fix this bug by adding a check of bmp->db_agl2size in dbMount since this field is used in many following functions. The upper bound for this field is L2MAXL2SIZE - L2MAXAG, thanks to the help of Dave Kleikamp. Note that, for maintenance, I reorganized the error handling code of dbMount.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing validation of bmp->db_agl2size in JFS filesystem code allows a local attacker to trigger a shift-out-of-bounds crash via a crafted filesystem image.
Vulnerability
Overview
CVE-2022-50567 is a shift-out-of-bounds bug in the Linux kernel's JFS (Journaled File System) implementation. The field bmp->db_agl2size is taken from the filesystem's block-allocation-map metadata at mount time in dbMount and later used as a shift count in dbAllocAG without ever being validated. Because the on-disk value can exceed the width of the value being shifted (the commit notes it can be greater than 64), the shift is undefined behaviour in C, which UBSAN (Undefined Behavior Sanitizer) reports as shift-out-of-bounds [1][2][3][4].
Exploitation
Conditions
An attacker exploits this vulnerability by getting a specially crafted JFS image mounted. Mounting a block device normally requires CAP_SYS_ADMIN, so the realistic paths are an administrator mounting untrusted media, an automounter that mounts removable drives on behalf of unprivileged users, a loop-mounted image, or a block device exposed over the network. Once a mount path exists the attack itself is low complexity: the malformed field is read at mount time and no race or further interaction is needed.
Impact
Successful exploitation results in a kernel crash (denial of service). The syzbot report is a UBSAN shift-out-of-bounds, which terminates the kernel on builds that treat UBSAN reports or warnings as fatal; on other builds the oversized shift is still undefined behaviour whose result is architecture-dependent, so the allocation-map arithmetic that follows cannot be trusted. No privilege escalation or data corruption has been documented, but the system becomes unavailable until rebooted.
Mitigation
The Linux kernel maintainers have addressed the issue by adding a check for bmp->db_agl2size in the dbMount function, since this field is used in many subsequent operations. The upper bound is L2MAXL2SIZE - L2MAXAG, with Dave Kleikamp's assistance; the error handling in dbMount was reorganized at the same time. The fix has been backported to the stable branches listed under References [1][2][3][4]; users should update to a kernel that contains it. On hosts that never mount JFS volumes, preventing the jfs module from loading removes this attack surface entirely.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1 (per the Description: the Linux kernel)
Patches
9 commits (short IDs; full URLs under References): d3b486946a4e, 3115313cf031, eea87acb6027, 359616ce587e, 3e997e4ce8ae, 0536f76a2bca, 2c575c8905f7, 67973caae78e, 898f70669568
Vulnerability mechanics
Root cause
"Missing input validation of the `bmp->db_agl2size` field in the JFS filesystem allows for a shift-out-of-bounds error."
Attack vector
An attacker can trigger this vulnerability by providing a crafted JFS filesystem that contains an invalid `db_agl2size` value. When the filesystem is mounted, the `dbMount` function fails to validate this field, allowing it to be used in subsequent operations such as `dbAllocAG`. This results in a shift-out-of-bounds error, which can lead to a kernel crash [patch_id=1823].
Affected code
The vulnerability is located in the JFS filesystem implementation within the Linux kernel, specifically affecting the `dbAllocAG` function. The issue stems from an unvalidated `bmp->db_agl2size` field, which is used in shift operations. The fix involves adding a validation check in `dbMount` to ensure this field remains within safe bounds [patch_id=1823].
What the fix does
The fix introduces a validation check for `bmp->db_agl2size` during the `dbMount` process, ensuring the value does not exceed the defined upper bound of `L2MAXL2SIZE - L2MAXAG`. By validating this field early, the kernel prevents the subsequent use of an out-of-bounds value in shift operations within `dbAllocAG`. Additionally, the error handling code in `dbMount` was reorganized to accommodate this new check [patch_id=1823].
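The following C model is an added example, not code from the Linux kernel or from this page. It illustrates both the Mitigation paragraph above and this section: the bound the fix enforces in dbMount, and the kind of shift it protects in dbAllocAG (the allocation group number shifted left by db_agl2size to reach the group's first block). The constants L2BPERDMAP, L2LPERCTL, L2MAXAG and L2MAXL2SIZE are reproduced from fs/jfs/jfs_dmap.h; the four-byte header layout, the sample image bytes and all function names are constructed for the example and are not the real struct dbmap_disk or JFS API. The rejection of negative values is this example's addition: the page describes only the upper bound.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants reproduced from fs/jfs/jfs_dmap.h. */
#define L2BPERDMAP   13                            /* log2 of blocks per dmap */
#define L2LPERCTL    10                            /* log2 of leaves per dmapctl */
#define L2MAXAG      7                             /* log2 of max allocation groups */
#define L2MAXL2SIZE  (L2BPERDMAP + 3 * L2LPERCTL)  /* 43: log2 of max blocks at level 2 */

/* The upper bound the fix enforces in dbMount: L2MAXL2SIZE - L2MAXAG = 36. */
#define MAX_AGL2SIZE (L2MAXL2SIZE - L2MAXAG)

/* Toy on-disk header (hypothetical; NOT the real struct dbmap_disk):
 * a little-endian 32-bit dn_agl2size field at offset 0. */
#define AGL2SIZE_OFF 0
#define HDR_LEN      4

/* Constructed sample images for the example. */
static const uint8_t SANE_IMAGE[HDR_LEN]     = { 13, 0, 0, 0 };            /* 8192-block AGs */
static const uint8_t CRAFTED_IMAGE[HDR_LEN]  = { 100, 0, 0, 0 };           /* shift count > 63 */
static const uint8_t NEGATIVE_IMAGE[HDR_LEN] = { 0xff, 0xff, 0xff, 0xff }; /* -1 */

static int32_t le32_to_host(const uint8_t *b)
{
    return (int32_t)((uint32_t)b[0] | (uint32_t)b[1] << 8 |
                     (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24);
}

/* Pre-fix behaviour: whatever the image says is trusted. A negative on-disk
 * value is indistinguishable from an error code here, which is itself a
 * reason the field must be validated before use. */
static int32_t dbmount_agl2size_unchecked(const uint8_t *img, size_t len)
{
    if (len < HDR_LEN)
        return -EINVAL;
    return le32_to_host(img + AGL2SIZE_OFF);
}

/* Post-fix validation of the field read from disk. */
static int dbmount_check_agl2size(int32_t agl2size)
{
    if (agl2size > MAX_AGL2SIZE)   /* the check the kernel fix adds */
        return -EINVAL;
    if (agl2size < 0)              /* added in this example: negative shift counts are UB too */
        return -EINVAL;
    return 0;
}

/* Post-fix mount path: reject the image before the value reaches any shift. */
static int32_t dbmount_agl2size_checked(const uint8_t *img, size_t len)
{
    int32_t v;

    if (len < HDR_LEN)
        return -EINVAL;
    v = le32_to_host(img + AGL2SIZE_OFF);
    if (dbmount_check_agl2size(v))
        return -EINVAL;
    return v;
}

/* The kind of shift dbAllocAG performs: agno << db_agl2size yields the first
 * block of an allocation group. Shifting a 64-bit value by a count >= 64 or
 * by a negative count is undefined behaviour (UBSAN: shift-out-of-bounds);
 * this helper returns -1 instead of shifting. With agl2size <= 36 and
 * agno < 2^L2MAXAG the product always fits in 64 bits. */
static int64_t ag_start_block(int64_t agno, int32_t agl2size)
{
    if (agno < 0 || agl2size < 0 || agl2size >= 64)
        return -1;
    return agno << agl2size;
}

int main(void)
{
    printf("unchecked crafted agl2size: %d\n",
           dbmount_agl2size_unchecked(CRAFTED_IMAGE, sizeof CRAFTED_IMAGE));
    printf("checked crafted agl2size:   %d (expect -EINVAL)\n",
           dbmount_agl2size_checked(CRAFTED_IMAGE, sizeof CRAFTED_IMAGE));
    printf("checked sane agl2size:      %d\n",
           dbmount_agl2size_checked(SANE_IMAGE, sizeof SANE_IMAGE));
    printf("AG 3 starts at block %lld with agl2size 13\n",
           (long long)ag_start_block(3, 13));
    return 0;
}
```

The pre-fix path accepts 100 from the crafted image and would later shift a 64-bit block number by it; the post-fix path stops at dbMount with -EINVAL, which is exactly the point of validating once where the field is read rather than at every use.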
Preconditions
- config: The system must be capable of mounting a JFS filesystem (JFS support built in or the jfs module loadable).
- input: The attacker must be able to get a malicious or corrupted JFS filesystem image mounted by the kernel.
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0536f76a2bca83d1a3740517ba22cc93a44b3099 (NVD)
- git.kernel.org/stable/c/2c575c8905f7a8b32d5611b91856b69bac2a5bf1 (NVD)
- git.kernel.org/stable/c/3115313cf03113e87c87adee18ee49a20bbdb9ba (NVD)
- git.kernel.org/stable/c/359616ce587e524107730504891afa4b1a8be58c (NVD)
- git.kernel.org/stable/c/3e997e4ce8ae7ab89d72334120f6aee49c5bbdbd (NVD)
- git.kernel.org/stable/c/67973caae78e21ee46a7281aaa8ca364eb9c444f (NVD)
- git.kernel.org/stable/c/898f706695682b9954f280d95e49fa86ffa55d08 (NVD)
- git.kernel.org/stable/c/d3b486946a4e62c7ef6023f7d9c1d049051384ba (NVD)
- git.kernel.org/stable/c/eea87acb6027be3dd4d3c57186bb22800d57fdda (NVD)