| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Oct 2021 09:23:59 +0800 From: Hao Sun <sunhao.th@...il.com> To: shaggy@...nel.org, jfs-discussion@...ts.sourceforge.net Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: UBSAN: shift-out-of-bounds in extAlloc Hi, This bug can still be triggered repeatedly on the latest Linux. HEAD commit: 519d81956ee2 Linux 5.15-rc6 git tree: upstream console output: kernel config: https://drive.google.com/file/d/12PUnxIM1EPBgW4ZJmI7WJBRaY1lA83an/view?usp=sharing Syzlang reproducer: https://drive.google.com/file/d/1658MoTb5EbxCtbsoI--hNQLab0HogUWf/view?usp=sharing loop13: detected capacity change from 0 to 65534 ================================================================================ UBSAN: shift-out-of-bounds in fs/jfs/jfs_extent.c:511:16 shift exponent -1 is negative CPU: 2 PID: 31142 Comm: syz-executor Not tainted 5.15.0-rc6 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 __ubsan_handle_shift_out_of_bounds.cold+0x76/0x144 lib/ubsan.c:330 extBalloc fs/jfs/jfs_extent.c:511 [inline] extAlloc.cold+0x1a/0x92 fs/jfs/jfs_extent.c:125 jfs_get_block+0x662/0xaa0 fs/jfs/inode.c:257 get_more_blocks fs/direct-io.c:673 [inline] do_direct_IO fs/direct-io.c:959 [inline] do_blockdev_direct_IO+0x129e/0x6ce0 fs/direct-io.c:1276 blockdev_direct_IO include/linux/fs.h:3272 [inline] jfs_direct_IO+0x10a/0x2c0 fs/jfs/inode.c:342 generic_file_direct_write+0x1e3/0x4c0 mm/filemap.c:3672 __generic_file_write_iter+0x2d3/0x640 mm/filemap.c:3854 generic_file_write_iter+0xd7/0x220 mm/filemap.c:3929 call_write_iter include/linux/fs.h:2163 [inline] do_iter_readv_writev+0x47b/0x750 fs/read_write.c:729 do_iter_write fs/read_write.c:855 [inline] do_iter_write+0x18b/0x700 fs/read_write.c:836 vfs_iter_write+0x70/0xa0 fs/read_write.c:896 iter_file_splice_write+0x723/0xbf0 fs/splice.c:689 do_splice_from fs/splice.c:767 [inline] direct_splice_actor+0x110/0x180 fs/splice.c:936 splice_direct_to_actor+0x34b/0x8c0 fs/splice.c:891 do_splice_direct+0x1b3/0x280 fs/splice.c:979 do_sendfile+0xab6/0x1240 fs/read_write.c:1249 __do_sys_sendfile64 fs/read_write.c:1314 [inline] __se_sys_sendfile64 fs/read_write.c:1300 [inline] __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1300 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f8d8f6f5c4d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8d8cc5dc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007f8d8f81c0a0 RCX: 00007f8d8f6f5c4d RDX: 0000000000000000 RSI: 0000000000000009 RDI: 0000000000000007 RBP: 00007f8d8f76ed80 R08: 0000000000000000 R09: 0000000000000000 R10: 00008400fffffffb R11: 0000000000000246 R12: 00007f8d8f81c0a0 R13: 00007ffea1a878ff R14: 00007ffea1a87aa0 R15: 00007f8d8cc5ddc0 ================================================================================
Powered by blists - more mailing lists