lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cbd30b80-d213-4997-b447-10e455f20196@suse.com>
Date: Sun, 18 Aug 2024 19:43:45 +0800
From: Heming Zhao <heming.zhao@...e.com>
To: qasdev <qasdev00@...il.com>, mark@...heh.com, jlbec@...lplan.org,
 joseph.qi@...ux.alibaba.com
Cc: ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ocfs2: Fix shift-out-of-bounds UBSAN bug in
 ocfs2_verify_volume()

On 8/16/24 21:41, qasdev wrote:
>  From ad1ca2fd2ecf4eb7ec2c76fcbbf34639f0ad87ca Mon Sep 17 00:00:00 2001
> From: Qasim Ijaz <qasdev00@...il.com>
> Date: Fri, 16 Aug 2024 02:30:25 +0100
> Subject: [PATCH] ocfs2: Fix shift-out-of-bounds UBSAN bug in
>   ocfs2_verify_volume()
> 
> This patch addresses a shift-out-of-bounds error in the
> ocfs2_verify_volume() function, identified by UBSAN. The bug was triggered
> by an invalid s_clustersize_bits value (e.g., 1548), which caused the
> expression "1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)"
> to exceed the limits of a 32-bit integer,
> leading to an out-of-bounds shift.
> 
> Reported-by: syzbot <syzbot+f3fff775402751ebb471@...kaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
> Tested-by: syzbot <syzbot+f3fff775402751ebb471@...kaller.appspotmail.com>
> Signed-off-by: Qasim Ijaz <qasdev00@...il.com>
> ---
>   fs/ocfs2/super.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
> index afee70125ae3..1e43cdca7f40 100644
> --- a/fs/ocfs2/super.c
> +++ b/fs/ocfs2/super.c
> @@ -2357,8 +2357,12 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
>   			     (unsigned long long)bh->b_blocknr);
>   		} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
>   			    le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
> -			mlog(ML_ERROR, "bad cluster size found: %u\n",
> -			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
> +			if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 32)
> +				mlog(ML_ERROR, "bad cluster size found: %u\n",
> +				     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
> +			else
> +				mlog(ML_ERROR, "invalid cluster size bit value: %u\n",
> +				     le32_to_cpu(di->id2.i_super.s_clustersize_bits));

I prefer to use concise code to fix the error.
Do you like below code?
-		mlog(ML_ERROR, "bad cluster size found: %u\n",
-			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+		mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+			     le32_to_cpu(di->id2.i_super.s_clustersize_bits));

Thanks,
Heming

>   		} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
>   			mlog(ML_ERROR, "bad root_blkno: 0\n");
>   		} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ