lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e068a56d-959c-43ad-aaea-839b89344693@suse.com>
Date: Thu, 19 Sep 2024 15:44:38 +0800
From: "heming.zhao@...e.com" <heming.zhao@...e.com>
To: Mohammed Anees <pvmohammedanees2003@...il.com>,
 ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Cc: Mark Fasheh <mark@...heh.com>, Joel Becker <jlbec@...lplan.org>,
 Joseph Qi <joseph.qi@...ux.alibaba.com>,
 syzbot+18a87160c7d64ba2e2f6@...kaller.appspotmail.com
Subject: Re: [PATCH 2/2] osfs2: Fix kernel BUG in ocfs2_write_cluster



On 9/19/24 01:20, Mohammed Anees wrote:
> syzbot has found a kernel BUG in ocfs2_write_cluster_by_desc [1].
> 
> The issue arises because ocfs2_insert_extent receives start_blk
> as 0, which incorrectly maps to a physical address of 0. This
> occurs when block is 0 after the call to ocfs2_clusters_to_blocks
> which is invoked inside the ocfs2_add_clusters_in_btree. The block
> value is then passed to ocfs2_insert_extent, leading to the problem.
> 
> [1] https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6
> 
> Reported-and-tested-by: syzbot+18a87160c7d64ba2e2f6@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6
> Signed-off-by: Mohammed Anees <pvmohammedanees2003@...il.com>
> ---
>   fs/ocfs2/alloc.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 395e23920..926ffeed8 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -4843,6 +4843,13 @@ int ocfs2_add_clusters_in_btree(handle_t *handle,
>   	}
>   
>   	block = ocfs2_clusters_to_blocks(osb->sb, bit_off);> +	if (block == 0) {
> +		mlog(ML_ERROR, "Conversion resulted in zero block number");
> +		status = -EIO;
> +		need_free = 1;
> +		goto bail;
> +	}
> +

If you check this function, there is no IO operation, so -EIO is not suitable.
In the the ocfs2_clusters_to_blocks() code, there are two possible cases where
the result is zero:
bit_off is 0 or bit_off is out of range for a u64 after a bit shift.
It seems that the root cause is that __ocfs2_claim_clusters allocates an
incorrect bit_off.

-Heming

>   	trace_ocfs2_add_clusters_in_btree(
>   	     (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),
>   	     bit_off, num_bits);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ