lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e8c8ef27-1f09-40b5-e5e4-facfcc9956dd@oracle.com>
Date:   Fri, 13 Nov 2020 15:16:02 -0600
From:   Dave Kleikamp <dave.kleikamp@...cle.com>
To:     butt3rflyh4ck <butterflyhuangxx@...il.com>
Cc:     jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: UBSAN: array-index-out-of-bounds in dbAdjTree

On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
> I report a array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
> kernel fuzz.
> 
> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
> 
> and can reproduce.
> 
> the dmtree_t is that
> typedef union dmtree {
> struct dmaptree t1;
> struct dmapctl t2;
> } dmtree_t;
> 
> the dmaptree is that
> struct dmaptree {
> __le32 nleafs; /* 4: number of tree leafs */
> __le32 l2nleafs; /* 4: l2 number of tree leafs */
> __le32 leafidx; /* 4: index of first tree leaf */
> __le32 height; /* 4: height of the tree */
> s8 budmin; /* 1: min l2 tree leaf value to combine */
> s8 stree[TREESIZE]; /* TREESIZE: tree */
> u8 pad[2]; /* 2: pad to word boundary */
> };
> the TREESIZE is totally 341, but the leafidx type is __le32.

Does this patch fix the problem?

jfs: Fix array index bounds check in dbAdjTree

Bounds checking tools can flag a bug in dbAdjTree() for an array index
out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
both structures dmaptree and dmapctl, use the larger array to eliminate
the false positive.

Signed-off-by: Dave Kleikamp <dave.kleikamp@...cle.com>
---
 fs/jfs/jfs_dmap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
index 29891fad3f09..aa03a904d5ab 100644
--- a/fs/jfs/jfs_dmap.h
+++ b/fs/jfs/jfs_dmap.h
@@ -183,7 +183,7 @@ typedef union dmtree {
 #define	dmt_leafidx	t1.leafidx
 #define	dmt_height	t1.height
 #define	dmt_budmin	t1.budmin
-#define	dmt_stree	t1.stree
+#define	dmt_stree	t2.stree
 
 /*
  *	on-disk aggregate disk allocation map descriptor.
-- 
2.29.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ