Date:   Thu, 16 Feb 2023 21:44:39 +0000
From:   Sanan Hasanov <sanan.hasanov@...ghts.ucf.edu>
To:     "jaegeuk@...nel.org" <jaegeuk@...nel.org>,
        "chao@...nel.org" <chao@...nel.org>,
        "terrelln@...com" <terrelln@...com>,
        "linux-f2fs-devel@...ts.sourceforge.net" 
        <linux-f2fs-devel@...ts.sourceforge.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
        "contact@...zz.com" <contact@...zz.com>
Subject: UBSAN: array-index-out-of-bounds in f2fs_iget

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc7-next-20230206
Kernel config: https://drive.google.com/file/d/16AAzfA1DqiaTS8ohH7X80kud8QTCKBB6/view?usp=share_link
C Reproducer: https://drive.google.com/file/d/1mWS9BHAKuQcf9R1BiMX17-h9GQ9OI_v9/view?usp=share_link

Thank you!

Best regards,
Sanan Hasanov

================================================================================
UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3272:29
index 1409 is out of range for type '__le32 [923]'
CPU: 6 PID: 27613 Comm: syz-executor.5 Not tainted 6.2.0-rc7-next-20230206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
 inline_data_addr fs/f2fs/f2fs.h:3272 [inline]
 __recover_inline_status fs/f2fs/inode.c:111 [inline]
 do_read_inode fs/f2fs/inode.c:418 [inline]
 f2fs_iget+0x5300/0x5620 fs/f2fs/inode.c:536
 f2fs_fill_super+0x3c09/0x8a10 fs/f2fs/super.c:4363
 mount_bdev+0x351/0x410 fs/super.c:1372
 legacy_get_tree+0x109/0x220 fs/fs_context.c:610
 vfs_get_tree+0x8d/0x350 fs/super.c:1502
 do_new_mount fs/namespace.c:3042 [inline]
 path_mount+0x675/0x1e30 fs/namespace.c:3372
 do_mount fs/namespace.c:3385 [inline]
 __do_sys_mount fs/namespace.c:3594 [inline]
 __se_sys_mount fs/namespace.c:3571 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3571
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7c3449176e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7c35569a08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f7c3449176e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f7c35569a60
RBP: 00007f7c35569aa0 R08: 00007f7c35569aa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f7c35569a60 R15: 0000000020011c40
 </TASK>
================================================================================
F2FS-fs (loop5): sanity_check_inode: inode (ino=3) is with extra_attr, but extra_attr feature is off
F2FS-fs (loop5): Failed to read root inode
