| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Jan 2021 03:57:35 +0800
From: butt3rflyh4ck <butterflyhuangxx@...il.com>
To: Dave Kleikamp <dave.kleikamp@...cle.com>
Cc: jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: UBSAN: array-index-out-of-bounds in dbAdjTree
This was assigned CVE-2020-27815 via redhat.
Regards.
butt3rflyh4ck.
On Fri, Nov 20, 2020 at 11:01 PM Dave Kleikamp <dave.kleikamp@...cle.com> wrote:
>
> On 11/20/20 3:52 AM, butt3rflyh4ck wrote:
> > You are welcome and have you submitted the patch to linux upstream ?
> > If you have no time do that and I can do it.
>
> Yes, it's in linux-next now. I'll push it to upstream in the v5.11 window.
>
> Shaggy
>
> >
> > Regard,
> > butt3rflyh4ck.
> >
> > On Sun, Nov 15, 2020 at 12:17 AM Dave Kleikamp <dave.kleikamp@...cle.com> wrote:
> >>
> >> Thanks for reporting and testing this!
> >>
> >> Shaggy
> >>
> >> On 11/14/20 7:55 AM, butt3rflyh4ck wrote:
> >>> Yes, I have tested the patch, it seem to fix the problem.
> >>>
> >>> Regard,
> >>> butt3rflyh4ck.
> >>>
> >>> On Sat, Nov 14, 2020 at 5:16 AM Dave Kleikamp <dave.kleikamp@...cle.com> wrote:
> >>>>
> >>>> On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
> >>>>> I report a array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
> >>>>> kernel fuzz.
> >>>>>
> >>>>> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
> >>>>>
> >>>>> and can reproduce.
> >>>>>
> >>>>> the dmtree_t is that
> >>>>> typedef union dmtree {
> >>>>> struct dmaptree t1;
> >>>>> struct dmapctl t2;
> >>>>> } dmtree_t;
> >>>>>
> >>>>> the dmaptree is that
> >>>>> struct dmaptree {
> >>>>> __le32 nleafs; /* 4: number of tree leafs */
> >>>>> __le32 l2nleafs; /* 4: l2 number of tree leafs */
> >>>>> __le32 leafidx; /* 4: index of first tree leaf */
> >>>>> __le32 height; /* 4: height of the tree */
> >>>>> s8 budmin; /* 1: min l2 tree leaf value to combine */
> >>>>> s8 stree[TREESIZE]; /* TREESIZE: tree */
> >>>>> u8 pad[2]; /* 2: pad to word boundary */
> >>>>> };
> >>>>> the TREESIZE is totally 341, but the leafidx type is __le32.
> >>>>
> >>>> Does this patch fix the problem?
> >>>>
> >>>> jfs: Fix array index bounds check in dbAdjTree
> >>>>
> >>>> Bounds checking tools can flag a bug in dbAdjTree() for an array index
> >>>> out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
> >>>> both structures dmaptree and dmapctl, use the larger array to eliminate
> >>>> the false positive.
> >>>>
> >>>> Signed-off-by: Dave Kleikamp <dave.kleikamp@...cle.com>
> >>>> ---
> >>>> fs/jfs/jfs_dmap.h | 2 +-
> >>>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
> >>>> index 29891fad3f09..aa03a904d5ab 100644
> >>>> --- a/fs/jfs/jfs_dmap.h
> >>>> +++ b/fs/jfs/jfs_dmap.h
> >>>> @@ -183,7 +183,7 @@ typedef union dmtree {
> >>>> #define dmt_leafidx t1.leafidx
> >>>> #define dmt_height t1.height
> >>>> #define dmt_budmin t1.budmin
> >>>> -#define dmt_stree t1.stree
> >>>> +#define dmt_stree t2.stree
> >>>>
> >>>> /*
> >>>> * on-disk aggregate disk allocation map descriptor.
> >>>> --
> >>>> 2.29.2
> >>>>
Powered by blists - more mailing lists