lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e5fb0013-ea4e-4da7-89e5-6b2b0879ecc9@linux.alibaba.com>
Date: Mon, 19 Aug 2024 10:52:29 +0800
From: Joseph Qi <joseph.qi@...ux.alibaba.com>
To: Heming Zhao <heming.zhao@...e.com>, qasdev <qasdev00@...il.com>,
 mark@...heh.com, jlbec@...lplan.org
Cc: ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ocfs2: Fix shift-out-of-bounds UBSAN bug in
 ocfs2_verify_volume()



On 8/18/24 7:43 PM, Heming Zhao wrote:
> On 8/16/24 21:41, qasdev wrote:
>>  From ad1ca2fd2ecf4eb7ec2c76fcbbf34639f0ad87ca Mon Sep 17 00:00:00 2001
>> From: Qasim Ijaz <qasdev00@...il.com>
>> Date: Fri, 16 Aug 2024 02:30:25 +0100
>> Subject: [PATCH] ocfs2: Fix shift-out-of-bounds UBSAN bug in
>>   ocfs2_verify_volume()
>>

The above should be eliminated from patch body. 

>> This patch addresses a shift-out-of-bounds error in the
>> ocfs2_verify_volume() function, identified by UBSAN. The bug was triggered
>> by an invalid s_clustersize_bits value (e.g., 1548), which caused the
>> expression "1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)"
>> to exceed the limits of a 32-bit integer,
>> leading to an out-of-bounds shift.
>>
>> Reported-by: syzbot <syzbot+f3fff775402751ebb471@...kaller.appspotmail.com>
>> Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
>> Tested-by: syzbot <syzbot+f3fff775402751ebb471@...kaller.appspotmail.com>
>> Signed-off-by: Qasim Ijaz <qasdev00@...il.com>
>> ---
>>   fs/ocfs2/super.c | 8 ++++++--
>>   1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
>> index afee70125ae3..1e43cdca7f40 100644
>> --- a/fs/ocfs2/super.c
>> +++ b/fs/ocfs2/super.c
>> @@ -2357,8 +2357,12 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
>>                    (unsigned long long)bh->b_blocknr);
>>           } else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
>>                   le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
>> -            mlog(ML_ERROR, "bad cluster size found: %u\n",
>> -                 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
>> +            if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 32)
>> +                mlog(ML_ERROR, "bad cluster size found: %u\n",
>> +                     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
>> +            else
>> +                mlog(ML_ERROR, "invalid cluster size bit value: %u\n",
>> +                     le32_to_cpu(di->id2.i_super.s_clustersize_bits));
> 
> I prefer to use concise code to fix the error.
> Do you like below code?
> -        mlog(ML_ERROR, "bad cluster size found: %u\n",
> -                 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
> +        mlog(ML_ERROR, "bad cluster size bit found: %u\n",
> +                 le32_to_cpu(di->id2.i_super.s_clustersize_bits));
> 

Agree. qasdev, Could you please update and send v2?

Thanks,
Joseph

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ