lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0a4b798a-db82-40da-9167-141b684f43fa@suse.com>
Date: Mon, 23 Sep 2024 16:15:53 +0800
From: "heming.zhao@...e.com" <heming.zhao@...e.com>
To: syzbot <syzbot+18a87160c7d64ba2e2f6@...kaller.appspotmail.com>
Cc: Joseph Qi <joseph.qi@...ux.alibaba.com>, linux-kernel@...r.kernel.org,
 ocfs2-devel@...ts.linux.dev, Mohammed Anees <pvmohammedanees2003@...il.com>,
 syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [ocfs2?] kernel BUG in ocfs2_write_cluster_by_desc

Regarding the mail thread: [PATCH 2/2] osfs2: Fix kernel BUG in ocfs2_write_cluster

Both ocfs2_search_chain and ocfs2_search_one_group call ocfs2_cluster_group_search to search for an extent cluster block. It seems that the ocfs2_cluster_group_search() sets wrong res->sr_bit_offset.

Just from the code logic, in ocfs2_block_group_find_clear_bits(), the ocfs2_find_next_zero_bit() returns ZERO which can trigger this bug. But in the real world, this function never return 0, because the 0-bit is always set to 1 for the cluster-group itself.

let's verify my thoughts.

#syz test

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index f7b483f0de2a..d4e563281c9e 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1346,13 +1346,17 @@ static int ocfs2_block_group_find_clear_bits(struct ocfs2_super *osb,
  
  	/* best_size will be allocated, we save prev_best_size */
  	res->sr_max_contig_bits = prev_best_size;
-	if (best_size) {
-		res->sr_bit_offset = best_offset;
-		res->sr_bits = best_size;
-	} else {
+	if (!best_size) {
  		status = -ENOSPC;
-		/* No error log here -- see the comment above
-		 * ocfs2_test_bg_bit_allocatable */
+	} else {
+		if (best_size) {
+			res->sr_bit_offset = best_offset;
+			res->sr_bits = best_size;
+		} else {
+			status = -ENOSPC;
+			/* No error log here -- see the comment above
+			 * ocfs2_test_bg_bit_allocatable */
+		}
  	}
  
  	return status;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ