lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <67900184.050a0220.15cac.00db.GAE@google.com>
Date: Tue, 21 Jan 2025 12:20:20 -0800
From: syzbot <syzbot+b974bd41515f770c608b@...kaller.appspotmail.com>
To: jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org, 
	shaggy@...nel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices

syzbot has found a reproducer for the following issue on:

HEAD commit:    1950a0af2d55 Merge tag 'arm64-upstream' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=113b2424580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cd5bb525e2b2bae
dashboard link: https://syzkaller.appspot.com/bug?extid=b974bd41515f770c608b
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11d0d618580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=153b2424580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1ebe061fa55c/disk-1950a0af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/943902875907/vmlinux-1950a0af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b5110e82096/Image-1950a0af.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6e79f480238f/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b974bd41515f770c608b@...kaller.appspotmail.com

 ... Log Wrap ... Log Wrap ... Log Wrap ...
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:2649:28
index -128 is out of range for type 'struct dtslot[128]'
CPU: 1 UID: 0 PID: 6414 Comm: syz-executor126 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0xf8/0x148 lib/ubsan.c:429
 add_missing_indices+0x6e4/0xa8c fs/jfs/jfs_dtree.c:2649
 jfs_readdir+0x18ac/0x3030 fs/jfs/jfs_dtree.c:3019
 wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:65
 shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
 iterate_dir+0x408/0x648 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:403 [inline]
 __se_sys_getdents64 fs/readdir.c:389 [inline]
 __arm64_sys_getdents64+0x1c0/0x490 fs/readdir.c:389
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
---[ end trace ]---
==================================================================
BUG: KASAN: slab-out-of-bounds in diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:753
Read of size 32 at addr ffff0000dea84108 by task syz-executor126/6414

CPU: 1 UID: 0 PID: 6414 Comm: syz-executor126 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:753
 txCommit+0x750/0x5504 fs/jfs/jfs_txnmgr.c:1255
 add_missing_indices+0x760/0xa8c fs/jfs/jfs_dtree.c:2663
 jfs_readdir+0x18ac/0x3030 fs/jfs/jfs_dtree.c:3019
 wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:65
 shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
 iterate_dir+0x408/0x648 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:403 [inline]
 __se_sys_getdents64 fs/readdir.c:389 [inline]
 __arm64_sys_getdents64+0x1c0/0x490 fs/readdir.c:389
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000dea84088
 which belongs to the cache jfs_ip of size 2232
The buggy address is located 128 bytes inside of
 allocated 2232-byte region [ffff0000dea84088, ffff0000dea84940)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ea80
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c486ec80 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000001f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c486ec80 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000001f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc37aa001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000dea84000: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000dea84080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000dea84100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff0000dea84180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000dea84200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...

ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0

ERROR: (device loop0): remounting filesystem as read-only
JFS: Invalid stbl[1] = -128 for inode 2, block = 0


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ