Date: Tue, 14 May 2024 00:49:50 -0400
From: Shuangpeng Bai <shuangpengbai@...il.com>
To: shaggy@...nel.org,
 halip0503@...il.com,
 mirimmad17@...il.com
Cc: jfs-discussion@...ts.sourceforge.net,
 linux-kernel@...r.kernel.org,
 syzkaller@...glegroups.com
Subject: UBSAN: shift-out-of-bounds in extAlloc

Hi Kernel Maintainers,

Our tool found a kernel bug UBSAN: shift-out-of-bounds in extAlloc. Please see the details below.

Kernel commit: v6.9 (Commits on May 12, 2024)
Kernel config: attachment
C/Syz reproducer: attachment

We find this bug was reported and marked as fixed. (https://syzkaller.appspot.com/bug?extid=5f088f29593e6b4c8db8)

Our reproducer can trigger this bug in v6.9, so the bug may have not been fixed correctly.

Please let me know if there is anything I can help with.

Best,
Shuangpeng


Download attachment ".config" of type "application/octet-stream" (247338 bytes)

Download attachment "repro.c" of type "application/octet-stream" (124503 bytes)



[   50.191193][ T8049] ------------[ cut here ]------------
[   50.191644][ T8049] UBSAN: shift-out-of-bounds in fs/jfs/jfs_extent.c:319:16
[   50.192192][ T8049] shift exponent 127 is too large for 64-bit type 'long long int'
[   50.192784][ T8049] CPU: 0 PID: 8049 Comm: a.out Not tainted 6.9.0 #7
[   50.193284][ T8049] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   50.193967][ T8049] Call Trace:
[   50.194226][ T8049]  <TASK>
[ 50.194456][ T8049] dump_stack_lvl (lib/dump_stack.c:117) 
[ 50.196667][ T8049] __ubsan_handle_shift_out_of_bounds (lib/ubsan.c:232 lib/ubsan.c:468) 
[ 50.197169][ T8049] ? mutex_lock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4296 /include/linux/atomic/atomic-long.h:1482 /include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285) 
[ 50.197516][ T8049] ? __pfx_mutex_lock (kernel/locking/mutex.c:282) 
[ 50.197906][ T8049] ? xas_load (lib/xarray.c:249) 
[ 50.198246][ T8049] extAlloc.cold (fs/jfs/jfs_extent.c:319 fs/jfs/jfs_extent.c:122) 
[ 50.198607][ T8049] ? __pfx_extAlloc (fs/jfs/jfs_extent.c:71) 
[ 50.198981][ T8049] ? __pfx_down_write (kernel/locking/rwsem.c:1577) 
[ 50.199369][ T8049] ? kmem_cache_alloc (./arch/x86/include/asm/jump_label.h:55 /include/linux/memcontrol.h:1839 mm/slub.c:1980 mm/slub.c:3813 mm/slub.c:3851 mm/slub.c:3858) 
[ 50.199768][ T8049] ? __filemap_add_folio (mm/filemap.c:853) 
[ 50.200191][ T8049] jfs_get_block (fs/jfs/inode.c:249) 
[ 50.200562][ T8049] ? __pfx_jfs_get_block (fs/jfs/inode.c:201) 
[ 50.200965][ T8049] ? folio_flags.constprop.0 (./include/linux/page-flags.h:325) 
[ 50.201399][ T8049] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:103 /include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186) 
[ 50.201786][ T8049] __block_write_begin_int (fs/buffer.c:2108) 
[ 50.202223][ T8049] ? __pfx_jfs_get_block (fs/jfs/inode.c:201) 
[ 50.202627][ T8049] ? __pfx___block_write_begin_int (fs/buffer.c:2072) 
[ 50.203099][ T8049] ? __pfx_jfs_get_block (fs/jfs/inode.c:201) 
[ 50.203503][ T8049] block_write_begin (fs/buffer.c:2214) 
[ 50.203895][ T8049] jfs_write_begin (fs/jfs/inode.c:300) 
[ 50.204264][ T8049] generic_perform_write (mm/filemap.c:3976) 
[ 50.204686][ T8049] ? __pfx_generic_perform_write (mm/filemap.c:3938) 
[ 50.205145][ T8049] ? generic_update_time (fs/inode.c:1909) 
[ 50.205553][ T8049] ? mnt_put_write_access_file (fs/namespace.c:494) 
[ 50.206001][ T8049] __generic_file_write_iter (mm/filemap.c:4069) 
[ 50.206439][ T8049] generic_file_write_iter (./include/linux/fs.h:800 mm/filemap.c:4096) 
[ 50.206859][ T8049] ? rw_verify_area (fs/read_write.c:382) 
[ 50.207239][ T8049] vfs_write (fs/read_write.c:498 fs/read_write.c:590) 
[ 50.207583][ T8049] ? __pfx_vfs_write (fs/read_write.c:571) 
[ 50.207965][ T8049] ? __pfx_do_sys_openat2 (fs/open.c:1392) 
[ 50.208381][ T8049] ? __fput (fs/file_table.c:436) 
[ 50.208714][ T8049] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350) 
[ 50.209100][ T8049] ksys_write (fs/read_write.c:644) 
[ 50.209448][ T8049] ? __pfx_ksys_write (fs/read_write.c:633) 
[ 50.209838][ T8049] ? fpregs_restore_userregs (./arch/x86/include/asm/bitops.h:75 /include/asm-generic/bitops/instrumented-atomic.h:42 /include/linux/thread_info.h:94 arch/x86/kernel/fpu/context.h:79) 
[ 50.210285][ T8049] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 50.210648][ T8049] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   50.211111][ T8049] RIP: 0033:0x7f265b6f673d
[ 50.211461][ T8049] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d8
All code
========
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	90                   	nop
   d:	f3 0f 1e fa          	endbr64 
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48                   	rex.W		<-- trapping instruction
  2b:	d8                   	.byte 0xd8

Code starting with the faulting instruction
===========================================
   0:	48                   	rex.W
   1:	d8                   	.byte 0xd8
[   50.212919][ T8049] RSP: 002b:00007ffdc75bd478 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[   50.213563][ T8049] RAX: ffffffffffffffda RBX: 000055cc22691e90 RCX: 00007f265b6f673d
[   50.214168][ T8049] RDX: 00000000fffffd1a RSI: 0000000020000140 RDI: 0000000000000004
[   50.214772][ T8049] RBP: 00007ffdc75bd490 R08: 00007ffdc75bd580 R09: 00007ffdc75bd580
[   50.215375][ T8049] R10: 0000000000000000 R11: 0000000000000202 R12: 000055cc22690340
[   50.215979][ T8049] R13: 00007ffdc75bd580 R14: 0000000000000000 R15: 0000000000000000
[   50.216588][ T8049]  </TASK>
[   50.217227][ T8049] ---[ end trace ]---
[   50.217543][ T8049] Kernel panic - not syncing: UBSAN: panic_on_warn set ...
[   50.218087][ T8049] CPU: 0 PID: 8049 Comm: a.out Not tainted 6.9.0 #7
[   50.218591][ T8049] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   50.219272][ T8049] Call Trace:
[   50.219529][ T8049]  <TASK>
[ 50.219760][ T8049] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4)) 
[ 50.220124][ T8049] panic (kernel/panic.c:348) 
[ 50.220437][ T8049] ? __pfx_panic (kernel/panic.c:282) 
[ 50.220786][ T8049] ? __pfx__printk (kernel/printk/printk.c:2368) 
[ 50.221149][ T8049] ? check_panic_on_warn (kernel/panic.c:240) 
[ 50.221547][ T8049] check_panic_on_warn (kernel/panic.c:241) 
[ 50.221932][ T8049] __ubsan_handle_shift_out_of_bounds (./arch/x86/include/asm/smap.h:56 lib/ubsan.c:470) 
[ 50.222425][ T8049] ? mutex_lock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4296 /include/linux/atomic/atomic-long.h:1482 /include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285) 
[ 50.222766][ T8049] ? __pfx_mutex_lock (kernel/locking/mutex.c:282) 
[ 50.223148][ T8049] ? xas_load (lib/xarray.c:249) 
[ 50.223482][ T8049] extAlloc.cold (fs/jfs/jfs_extent.c:319 fs/jfs/jfs_extent.c:122) 
[ 50.223839][ T8049] ? __pfx_extAlloc (fs/jfs/jfs_extent.c:71) 
[ 50.224206][ T8049] ? __pfx_down_write (kernel/locking/rwsem.c:1577) 
[ 50.224594][ T8049] ? kmem_cache_alloc (./arch/x86/include/asm/jump_label.h:55 /include/linux/memcontrol.h:1839 mm/slub.c:1980 mm/slub.c:3813 mm/slub.c:3851 mm/slub.c:3858) 
[ 50.224986][ T8049] ? __filemap_add_folio (mm/filemap.c:853) 
[ 50.225401][ T8049] jfs_get_block (fs/jfs/inode.c:249) 
[ 50.225764][ T8049] ? __pfx_jfs_get_block (fs/jfs/inode.c:201) 
[ 50.226162][ T8049] ? folio_flags.constprop.0 (./include/linux/page-flags.h:325) 
[ 50.226594][ T8049] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:103 /include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186) 
[ 50.226974][ T8049] __block_write_begin_int (fs/buffer.c:2108) 
[ 50.227405][ T8049] ? __pfx_jfs_get_block (fs/jfs/inode.c:201) 
[ 50.227802][ T8049] ? __pfx___block_write_begin_int (fs/buffer.c:2072) 
[ 50.228267][ T8049] ? __pfx_jfs_get_block (fs/jfs/inode.c:201) 
[ 50.228667][ T8049] block_write_begin (fs/buffer.c:2214) 
[ 50.229050][ T8049] jfs_write_begin (fs/jfs/inode.c:300) 
[ 50.229411][ T8049] generic_perform_write (mm/filemap.c:3976) 
[ 50.229823][ T8049] ? __pfx_generic_perform_write (mm/filemap.c:3938) 
[ 50.230274][ T8049] ? generic_update_time (fs/inode.c:1909) 
[ 50.230675][ T8049] ? mnt_put_write_access_file (fs/namespace.c:494) 
[ 50.231115][ T8049] __generic_file_write_iter (mm/filemap.c:4069) 
[ 50.231547][ T8049] generic_file_write_iter (./include/linux/fs.h:800 mm/filemap.c:4096) 
[ 50.231962][ T8049] ? rw_verify_area (fs/read_write.c:382) 
[ 50.232341][ T8049] vfs_write (fs/read_write.c:498 fs/read_write.c:590) 
[ 50.232681][ T8049] ? __pfx_vfs_write (fs/read_write.c:571) 
[ 50.233057][ T8049] ? __pfx_do_sys_openat2 (fs/open.c:1392) 
[ 50.233460][ T8049] ? __fput (fs/file_table.c:436) 
[ 50.233787][ T8049] ? kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350) 
[ 50.234169][ T8049] ksys_write (fs/read_write.c:644) 
[ 50.234512][ T8049] ? __pfx_ksys_write (fs/read_write.c:633) 
[ 50.234896][ T8049] ? fpregs_restore_userregs (./arch/x86/include/asm/bitops.h:75 /include/asm-generic/bitops/instrumented-atomic.h:42 /include/linux/thread_info.h:94 arch/x86/kernel/fpu/context.h:79) 
[ 50.235334][ T8049] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 50.235693][ T8049] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[   50.236151][ T8049] RIP: 0033:0x7f265b6f673d
[ 50.236500][ T8049] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d8
All code
========
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	90                   	nop
   d:	f3 0f 1e fa          	endbr64 
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48                   	rex.W		<-- trapping instruction
  2b:	d8                   	.byte 0xd8

Code starting with the faulting instruction
===========================================
   0:	48                   	rex.W
   1:	d8                   	.byte 0xd8
[   50.237935][ T8049] RSP: 002b:00007ffdc75bd478 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[   50.238567][ T8049] RAX: ffffffffffffffda RBX: 000055cc22691e90 RCX: 00007f265b6f673d
[   50.239163][ T8049] RDX: 00000000fffffd1a RSI: 0000000020000140 RDI: 0000000000000004
[   50.239762][ T8049] RBP: 00007ffdc75bd490 R08: 00007ffdc75bd580 R09: 00007ffdc75bd580
[   50.240363][ T8049] R10: 0000000000000000 R11: 0000000000000202 R12: 000055cc22690340
[   50.240960][ T8049] R13: 00007ffdc75bd580 R14: 0000000000000000 R15: 0000000000000000
[   50.241558][ T8049]  </TASK>
[   50.241883][ T8049] Kernel Offset: disabled
[   50.242215][ T8049] Rebooting in 86400 seconds..
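The report above flags a left shift with exponent 127 on a 64-bit `long long`, which is undefined behaviour in C because the shift count must be smaller than the operand width. The following is an added example, not code from fs/jfs or from the reporter; it shows a bounds-checked 64-bit shift helper and a hypothetical power-of-two rounding routine built on it, so that an out-of-range exponent (such as the 127 from the log) is rejected rather than evaluated. Function names are assumptions, and the constructed inputs in `main` are not taken from the reproducer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (hypothetical helper, not jfs code): a left shift that
 * refuses exponents of 64 or more and shifts that would discard bits.
 * UBSAN's shift-out-of-bounds check reports exactly the first case at
 * runtime; the guard here turns it into an ordinary error return. */
bool checked_shl64(uint64_t value, unsigned exp, uint64_t *out)
{
    if (exp >= 64)                               /* e.g. exponent 127 */
        return false;
    if (exp != 0 && (value >> (64 - exp)) != 0)  /* high bits would be lost */
        return false;
    *out = value << exp;
    return true;
}

/* Convenience wrappers so callers can test the guard without a pointer. */
int shl64_accepted(uint64_t value, unsigned exp)
{
    uint64_t unused;
    return checked_shl64(value, exp, &unused) ? 1 : 0;
}

/* Returns 1 << exp, or 0 when the shift is rejected (1 << exp is never 0
 * for a valid exponent, so 0 is an unambiguous sentinel). */
uint64_t shl64_of_one(unsigned exp)
{
    uint64_t out;
    return checked_shl64(1, exp, &out) ? out : 0;
}

/* Hypothetical extent-size rounding (constructed for this example):
 * largest power of two not exceeding nb, computed from the index of the
 * most significant set bit. The index is always below 64, so the checked
 * shift cannot fail here; nb == 0 is handled before any bit scan. */
uint64_t round_down_pow2(uint64_t nb)
{
    if (nb == 0)
        return 0;
    unsigned msb = 63;
    while (((nb >> msb) & 1) == 0)
        msb--;
    return shl64_of_one(msb);
}

int main(void)
{
    /* Constructed inputs: the report's exponent 127, a valid maximum
     * exponent, and a value whose shift would overflow. */
    printf("1 << 127: %s\n", shl64_accepted(1, 127) ? "ok" : "rejected");
    printf("1 << 63 : %s (%llu)\n", shl64_accepted(1, 63) ? "ok" : "rejected",
           (unsigned long long)shl64_of_one(63));
    printf("3 << 63 : %s\n", shl64_accepted(3, 63) ? "ok" : "rejected");
    printf("round_down_pow2(1000) = %llu\n",
           (unsigned long long)round_down_pow2(1000));
    return 0;
}
```

Building with `-fsanitize=undefined` would report the unchecked form of the same shift; with the guard in place the sanitizer has nothing to flag, which is the behaviour a fix for this class of report should restore.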

