The loop in __jfs_setxattr() iterates over EA entries without validating that NEXT_EA(ea) stays within the ealist buffer. A crafted filesystem image with a manipulated EA valuelen field can cause NEXT_EA() to land inside the buffer but past the last valid entry, leading to out-of-bounds reads in the subsequent memcmp() call. Fix this by adding the same bounds check already present in __jfs_getxattr() and jfs_listxattr(). Reported-by: Sebastian Alba Vives Signed-off-by: Sebastian Alba Vives --- fs/jfs/xattr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c index 11d7f74d2..320659bb8 100644 --- a/fs/jfs/xattr.c +++ b/fs/jfs/xattr.c @@ -688,8 +688,14 @@ int __jfs_setxattr(tid_t tid, struct inode *inode, const char *name, new_size = sizeof (struct jfs_ea_list); if (xattr_size) { - for (ea = FIRST_EA(ealist); ea < END_EALIST(ealist); + struct jfs_ea *ealist_end = END_EALIST(ealist); + for (ea = FIRST_EA(ealist); ea < ealist_end; ea = NEXT_EA(ea)) { + if (unlikely(ea + 1 > ealist_end) || + unlikely(NEXT_EA(ea) > ealist_end)) { + rc = -EUCLEAN; + goto release; + } if ((namelen == ea->namelen) && (memcmp(name, ea->name, namelen) == 0)) { found = 1; -- 2.43.0
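Review bot: the new guard is a third hand-written copy of the check the commit message says already exists in __jfs_getxattr() and jfs_listxattr(); rather than repeating `if (unlikely(ea + 1 > ealist_end) || unlikely(NEXT_EA(ea) > ealist_end))` in each walker, consider lifting it into a small static helper (hypothetical name, e.g. `jfs_ea_in_bounds(ea, ealist_end)`) that all three loops call, so a future correction lands in one place. The order of the two tests should be kept exactly as written: `ea + 1 > ealist_end` short-circuits first, so `NEXT_EA(ea)` never reads namelen/valuelen out of a header that itself overruns the buffer. On the documentation side, since the out-of-bounds read is reachable from a crafted on-disk image, the commit message should carry a Fixes: tag and Cc: stable@vger.kernel.org so the fix is picked up by stable kernels.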