lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <CADCV8souQhdP0RdQF1U7KTWtuHDfpn+3LnTt-EEuMmB-pMRrgQ@mail.gmail.com>
Date: Fri, 3 Jan 2025 14:56:05 +0800
From: Liebes Wang <wanghaichi0403@...il.com>
To: mark@...heh.com, jlbec@...lplan.org, joseph.qi@...ux.alibaba.com, 
	ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Cc: syzkaller@...glegroups.com
Subject: kernel BUG in ocfs2_truncate_log_append

Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **kernel BUG in
ocfs2_truncate_log_append**, discovered using a modified version of
Syzkaller.

Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is
also reproduced in the latest kernel version)
The test case and kernel config are attached.

The KASAN report is as follows (the full report is attached):

(syz.1.314,6679,0):ocfs2_truncate_log_append:5868 ERROR: bug expression:
tl_count > ocfs2_truncate_recs_per_inode(osb->sb) || tl_count == 0
(syz.1.314,6679,0):ocfs2_truncate_log_append:5868 ERROR: Truncate record
count on #29 invalid wanted 39, actual 58716
------------[ cut here ]------------
kernel BUG at fs/ocfs2/alloc.c:5868!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6679 Comm: syz.1.314 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:ocfs2_truncate_log_append+0x8a8/0x990 fs/ocfs2/alloc.c:5868
Code: 00 00 00 4d 8b 85 88 f7 ff ff 55 41 89 d9 48 c7 c1 20 d5 4b 86 ba ec
16 00 00 48 c7 c6 20 e5 4b 86 4c 89 e7 e8 b9 32 1e 00 90 <0f> 0b e8 81 9b
0a ff e9 e5 f7 ff ff e8 77 9b 0a ff e9 04 f8 ff ff
RSP: 0018:ff110001197bf658 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000027 RCX: ffa00000032b2000
RDX: 0000000000040000 RSI: ffffffff82b7bd73 RDI: 0000000000000001
RBP: 000000000000e55c R08: 0000000000000001 R09: ffe21c0099505141
R10: 000000000000e55c R11: 0000000000000000 R12: ff110001197bf6c8
R13: ff1100016caab338 R14: 1000000000000000 R15: ff1100016cb26bc8
FS:  00007efd6bc59700(0000) GS:ff110004ca800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8e27fb2020 CR3: 000000014ad04006 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
 <TASK>
 ocfs2_remove_btree_range+0xd3d/0x1710 fs/ocfs2/alloc.c:5789
 ocfs2_commit_truncate+0x6da/0x1b30 fs/ocfs2/alloc.c:7353
 ocfs2_truncate_file+0x47d/0x17d0 fs/ocfs2/file.c:509
 ocfs2_setattr+0x140c/0x2320 fs/ocfs2/file.c:1212
 notify_change+0x6d3/0x1270 fs/attr.c:503
 do_truncate+0x143/0x200 fs/open.c:65
 do_ftruncate+0x5d3/0x720 fs/open.c:181
 do_sys_ftruncate+0x69/0xc0 fs/open.c:199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f


Download attachment "report0" of type "application/octet-stream" (12849 bytes)

Download attachment "repro.c" of type "application/octet-stream" (85328 bytes)

Download attachment "config" of type "application/octet-stream" (148405 bytes)
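Editor's note on the report above. The bug expression printed before the BUG, "tl_count > ocfs2_truncate_recs_per_inode(osb->sb) || tl_count == 0", shows that the truncate log record count (tl_count) loaded from the on-disk inode block is checked only with a BUG_ON on the truncate path: a corrupted value turns an ftruncate() into a kernel panic rather than an error return. The "actual 58716" in the message is 0xe55c, the value visible in RBP and R10 of the register dump. The C program below is an added example, not code from the report or from the kernel: it models that record-count check in user space, with the same arithmetic as ocfs2_truncate_recs_per_inode() (bytes from the start of tl_recs[] to the end of the block, divided by the 8-byte record size), and returns an error for out-of-range values instead of aborting. The header and record offsets inside the inode block (TL_HDR_OFFSET, TL_RECS_OFFSET) are assumptions, chosen so that a 512-byte block yields the 39 records the report says were "wanted"; the sample blocks are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the truncate log header inside an ocfs2 inode block:
 * tl_count and tl_used are little-endian u16, followed by tl_recs[] of
 * 8-byte records (two __le32 fields each).
 * ASSUMPTION: the offsets below are illustrative; 200 is chosen so that a
 * 512-byte block holds (512 - 200) / 8 = 39 records, matching the report. */
#define TL_HDR_OFFSET  192   /* assumed offset of tl_count; tl_used follows */
#define TL_RECS_OFFSET 200   /* assumed offset of tl_recs[] */
#define TL_REC_SIZE    8     /* sizeof(struct ocfs2_truncate_rec) */

enum {
    TL_OK            =  0,
    TL_CORRUPT_COUNT = -1,   /* tl_count == 0 or larger than the block can hold */
    TL_CORRUPT_USED  = -2,   /* tl_used exceeds tl_count */
    TL_SHORT_BLOCK   = -3,   /* block too small to contain the header */
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

/* Same arithmetic as the kernel's ocfs2_truncate_recs_per_inode():
 * how many records fit between tl_recs[] and the end of the block. */
int truncate_recs_per_inode(size_t block_size)
{
    if (block_size <= TL_RECS_OFFSET)
        return 0;
    return (int)((block_size - TL_RECS_OFFSET) / TL_REC_SIZE);
}

/* Validate the truncate log header before trusting it. Returns TL_OK or a
 * negative error code; a corrupted image is reported, never BUG()ed on. */
int validate_truncate_log(const uint8_t *block, size_t block_size,
                          uint16_t *count_out, uint16_t *used_out)
{
    if (block_size < TL_RECS_OFFSET)
        return TL_SHORT_BLOCK;

    uint16_t tl_count = get_le16(block + TL_HDR_OFFSET);
    uint16_t tl_used  = get_le16(block + TL_HDR_OFFSET + 2);
    int max_recs = truncate_recs_per_inode(block_size);

    /* The condition the kernel BUG_ON enforces, as an error return. */
    if (tl_count == 0 || tl_count > max_recs)
        return TL_CORRUPT_COUNT;
    /* Additional invariant: the used count cannot exceed the capacity. */
    if (tl_used > tl_count)
        return TL_CORRUPT_USED;

    if (count_out) *count_out = tl_count;
    if (used_out)  *used_out  = tl_used;
    return TL_OK;
}

/* Build a constructed inode block carrying the given header values. */
void make_block(uint8_t *block, size_t block_size, uint16_t count, uint16_t used)
{
    memset(block, 0, block_size);
    put_le16(block + TL_HDR_OFFSET, count);
    put_le16(block + TL_HDR_OFFSET + 2, used);
}

/* Replay the two values from the report on a 512-byte block: 39 (fits) and
 * 58716 = 0xe55c (the RBP/R10 value, rejected). Returns 1 if both behave. */
int check_reported_values(void)
{
    uint8_t block[512];

    make_block(block, sizeof block, 39, 0);
    int good = validate_truncate_log(block, sizeof block, NULL, NULL);

    make_block(block, sizeof block, 58716, 0);
    int bad = validate_truncate_log(block, sizeof block, NULL, NULL);

    return good == TL_OK && bad == TL_CORRUPT_COUNT;
}

int main(void)
{
    printf("records per 512-byte inode block: %d\n", truncate_recs_per_inode(512));
    printf("reported values handled correctly: %s\n",
           check_reported_values() ? "yes" : "no");
    return 0;
}
```

The point of the model is where the check sits: the count is validated when the block is read and the caller gets an error it can turn into an -EFSCORRUPTED style failure of the truncate, so a crafted or damaged image costs a failed syscall rather than the whole machine. Adjust TL_HDR_OFFSET and TL_RECS_OFFSET to the real struct ocfs2_dinode layout if the numbers are to be compared against an actual image.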
