| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Apr 2024 02:22:40 +0900
From: Jeongjun Park <aha310510@...il.com>
To: shaggy@...nel.org,
syzbot+241c815bda521982cb49@...kaller.appspotmail.com
Cc: brauner@...nel.org,
jlayton@...nel.org,
eadavis@...com,
jfs-discussion@...ts.sourceforge.net,
linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
Jeongjun Park <aha310510@...il.com>
Subject: [PATCH] jfs: Fix array-index-out-of-bounds in diFree
[syzbot report]
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:886:2
index 524288 is out of range for type 'struct mutex[128]'
CPU: 0 PID: 113 Comm: jfsCommit Not tainted 6.9.0-rc5-syzkaller-00036-g9d1ddab261f3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
diFree+0x21c3/0x2fb0 fs/jfs/jfs_imap.c:886
jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
evict+0x2a8/0x630 fs/inode.c:667
txUpdateMap+0x829/0x9f0 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x49a/0xb80 fs/jfs/jfs_txnmgr.c:2733
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
---[ end trace ]---
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 113 Comm: jfsCommit Not tainted 6.9.0-rc5-syzkaller-00036-g9d1ddab261f3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
panic+0x349/0x860 kernel/panic.c:348
check_panic_on_warn+0x86/0xb0 kernel/panic.c:241
ubsan_epilogue lib/ubsan.c:236 [inline]
__ubsan_handle_out_of_bounds+0x141/0x150 lib/ubsan.c:429
diFree+0x21c3/0x2fb0 fs/jfs/jfs_imap.c:886
jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
evict+0x2a8/0x630 fs/inode.c:667
txUpdateMap+0x829/0x9f0 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x49a/0xb80 fs/jfs/jfs_txnmgr.c:2733
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
===========================================================
Due to overflow, a value that is too large is entered into the agno
value. Therefore, we need to add code to check the agno value.
Reported-by: syzbot+241c815bda521982cb49@...kaller.appspotmail.com
Signed-off-by: Jeongjun Park <aha310510@...il.com>
---
fs/jfs/jfs_imap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 2ec35889ad24..0aac083bc0db 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -881,6 +881,11 @@ int diFree(struct inode *ip)
*/
agno = BLKTOAG(JFS_IP(ip)->agstart, JFS_SBI(ip->i_sb));
+ if(agno >= MAXAG || agno < 0){
+ jfs_error(ip->i_sb, "invalid array index (0 <= agno < MAXAG), agno = %d\n", agno);
+ return -ENOMEM;
+ }
+
/* Lock the AG specific inode map information
*/
AG_LOCK(imap, agno);
--
2.34.1
Powered by blists - more mailing lists