| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Jun 2024 17:53:48 -0400 From: Kent Overstreet <kent.overstreet@...ux.dev> To: Pei Li <peili.dev@...il.com> Cc: Brian Foster <bfoster@...hat.com>, linux-bcachefs@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, skhan@...uxfoundation.org, syzbot+835d255ad6bc7f29ee12@...kaller.appspotmail.com Subject: Re: [PATCH] bcachefs: Fix shift-out-of-bounds in bch2_blacklist_entries_gc On Tue, Jun 25, 2024 at 11:41:29AM -0700, Pei Li wrote: > This series fix the shift-out-of-bounds issue in > bch2_blacklist_entries_gc(). > > Instead of passing 0 to eytzinger0_first() when iterating the entries, > we explicitly check 0 and initialize i to be 0. > > syzbot has tested the proposed patch and the reproducer did not trigger > any issue: > > Reported-and-tested-by: syzbot+835d255ad6bc7f29ee12@...kaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=835d255ad6bc7f29ee12 > Signed-off-by: Pei Li <peili.dev@...il.com> > --- > Syzbot reported the following issue: > UBSAN: shift-out-of-bounds in ./include/linux/log2.h:67:13 > shift exponent 4294967295 is too large for 64-bit type 'long unsigned int' > > This is because 0 is passed to __rounddown_pow_of_two(), and -1 is > returned as an unsigned integer. In 32 bit system, it will become > 4294967295. > > This patch fixes the issue by adding check in > bch2_blacklist_entries_gc() to avoid passing 0 into eytzinger0_first(). > If we found out t->nr equals to 0, we directly use 0 to access the root > of the list. Thanks! Applied
Powered by blists - more mailing lists