| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3bc70da4-efa0-462b-8dbf-0569fc2c0275@oracle.com>
Date: Tue, 20 Jun 2023 15:24:59 -0500
From: Dave Kleikamp <dave.kleikamp@...cle.com>
To: anupsharma <anupnewsmail@...il.com>, r33s3n6@...il.com,
mudongliangabcd@...il.com, liushixin2@...wei.com,
wuhoipok@...il.com
Cc: jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
skhan@...uxfoundation.org
Subject: Re: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
I want to apologize about this one. Recently, Siddh Raman Pant submitted
a similar patch and I picked that one up. I'm sorry that I let yours get
buried in my inbox, since it was submitted earlier.
I actually prefer his patch since it caught it earlier during mount
time, but that's no excuse to not give you a more timely response.
Thanks,
Shaggy
On 4/14/23 8:53AM, anupsharma wrote:
> Syzkaller reported the following issue:
> option from the mount to silence this warning.
> =======================================================
> find_entry called with index = 0
> read_mapping_page failed!
> ERROR: (device loop0): txCommit:
> ERROR: (device loop0): remounting filesystem as read-only
> ================================================================================
> UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
> shift exponent 134217736 is too large for 64-bit type 'long long'
> CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
> ubsan_epilogue lib/ubsan.c:217 [inline]
> __ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
> dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
> txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
> xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
> jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
> jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
> evict+0x2a4/0x620 fs/inode.c:665
> __dentry_kill+0x436/0x650 fs/dcache.c:607
> shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
> shrink_dcache_parent+0xcd/0x480
> do_one_tree+0x23/0xe0 fs/dcache.c:1682
> shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
> generic_shutdown_super+0x67/0x340 fs/super.c:472
> kill_block_super+0x7e/0xe0 fs/super.c:1398
> deactivate_locked_super+0xa4/0x110 fs/super.c:331
> cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
> task_work_run+0x24a/0x300 kernel/task_work.c:179
> exit_task_work include/linux/task_work.h:38 [inline]
> do_exit+0x68f/0x2290 kernel/exit.c:869
> do_group_exit+0x206/0x2c0 kernel/exit.c:1019
> __do_sys_exit_group kernel/exit.c:1030 [inline]
> __se_sys_exit_group kernel/exit.c:1028 [inline]
> __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fa87e2289b9
> Code: Unable to access opcode bytes at 0x7fa87e22898f.
> RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
> R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
> R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
> </TASK>
> ================================================================================
>
> db_l2nbperpage which is used as a shift exponent to get the buffer
> for the current dmap will be less than and equal to 64.
>
> Tested via syzbot.
>
> Reported-by: syzbot+d2cd27dcf8e04b232eb2@...kaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
>
> Signed-off-by: Anup Sharma <anupnewsmail@...il.com>
> ---
> fs/jfs/jfs_dmap.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index a3eb1e826947..d2cf56dd8f91 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -184,7 +184,10 @@ int dbMount(struct inode *ipbmap)
> err = -EINVAL;
> goto err_release_metapage;
> }
> -
> + if (bmp->db_l2nbperpage >= 64) {
> + err = -EINVAL;
> + goto err_release_metapage;
> + }
> bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
> bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
> bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
Powered by blists - more mailing lists