Message-ID: <CANypQFb0NeToJrTY5PQi57K_440xQJ1uUS2pMOKqLsqTdEGbRw@mail.gmail.com>
Date: Mon, 17 Nov 2025 14:54:30 +0800
From: Jiaming Zhang <r772577952@...il.com>
To: linkinjeon@...nel.org, linux-fsdevel@...r.kernel.org, 
	sj1557.seo@...sung.com
Cc: linux-kernel@...r.kernel.org, yuezhang.mo@...y.com, 
	syzkaller@...glegroups.com
Subject: [Linux Kernel Bug] divide error in exfat_load_bitmap

Dear Linux kernel developers and maintainers,

We are writing to report a divide error bug discovered in the exfat
subsystem. This bug is reproducible on the latest version (v6.18-rc6,
commit 6a23ae0a96a600d1d12557add110e0bb6e32730c).

The root cause is in exfat_allocate_bitmap(): the variable
max_ra_count can be 0, which causes a divide-by-zero error in the
subsequent modulo operation (i % max_ra_count), leading to a system
crash.

As a potential fix, we can add a zero check before the loop, for example:

```
static int exfat_allocate_bitmap(struct super_block *sb,
    struct exfat_dentry *ep)
{
  struct exfat_sb_info *sbi = EXFAT_SB(sb);

    ...

  sector = exfat_cluster_to_sector(sbi, sbi->map_clu);
  max_ra_count = min(sb->s_bdi->ra_pages, sb->s_bdi->io_pages) <<
    (PAGE_SHIFT - sb->s_blocksize_bits);
+ if (!max_ra_count) {
+   i = 0;
+   goto err_out;
+ }
  for (i = 0; i < sbi->map_sectors; i++) {
    /* Trigger the next readahead in advance. */
    if (0 == (i % max_ra_count)) {
            ...
```

If this solution is acceptable, we are happy to prepare and submit a
patch immediately.

The kernel console output, kernel config, syzkaller reproducer, and C
reproducer are attached to help with analysis. The KASAN report from
v6.18-rc6, formatted by syz-symbolize, is listed below:

---

loop1: detected capacity change from 0 to 256
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 9708 Comm: repro.out Not tainted 6.18.0-rc6 #22 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:exfat_allocate_bitmap fs/exfat/balloc.c:109 [inline]
RIP: 0010:exfat_load_bitmap+0x69d/0x10c0 fs/exfat/balloc.c:159
Code: 24 78 45 31 ff 48 89 44 24 28 48 c1 e8 03 48 89 84 24 88 00 00
00 4c 89 e8 48 c1 e8 03 48 89 84 24 80 00 00 00 44 89 f8 31 d2 <f7> 74
24 30 41 89 d6 31 ff 89 d6 e8 e3 b0 24 ff 45 85 f6 4c 89 fb
RSP: 0018:ffffc90011b9f860 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90011b9fa10 R08: 0000000000000cc0 R09: 00000000ffffffff
R10: 000000000000000b R11: ffffffff81c646c6 R12: dffffc0000000000
R13: ffff8880522d8018 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000010746300(0000) GS:ffff8880ec992000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004bf938 CR3: 000000001c7c6000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
 <TASK>
 __exfat_fill_super fs/exfat/super.c:623 [inline]
 exfat_fill_super+0x12c6/0x29c0 fs/exfat/super.c:668
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691
 vfs_get_tree+0x92/0x2b0 fs/super.c:1751
 fc_mount fs/namespace.c:1208 [inline]
 do_new_mount_fc fs/namespace.c:3651 [inline]
 do_new_mount+0x302/0xa10 fs/namespace.c:3727
 do_mount fs/namespace.c:4050 [inline]
 __do_sys_mount fs/namespace.c:4238 [inline]
 __se_sys_mount+0x313/0x410 fs/namespace.c:4215
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x45234a
Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8
00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd5246d6f8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00000000004004a0 RCX: 000000000045234a
RDX: 0000000020001500 RSI: 0000000020001540 RDI: 00007ffd5246d840
RBP: 00007ffd5246d8d0 R08: 00007ffd5246d740 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000409da0
R13: 0000000000000000 R14: 00000000004bd018 R15: 00000000004004a0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:exfat_allocate_bitmap fs/exfat/balloc.c:109 [inline]
RIP: 0010:exfat_load_bitmap+0x69d/0x10c0 fs/exfat/balloc.c:159
Code: 24 78 45 31 ff 48 89 44 24 28 48 c1 e8 03 48 89 84 24 88 00 00
00 4c 89 e8 48 c1 e8 03 48 89 84 24 80 00 00 00 44 89 f8 31 d2 <f7> 74
24 30 41 89 d6 31 ff 89 d6 e8 e3 b0 24 ff 45 85 f6 4c 89 fb
RSP: 0018:ffffc90011b9f860 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90011b9fa10 R08: 0000000000000cc0 R09: 00000000ffffffff
R10: 000000000000000b R11: ffffffff81c646c6 R12: dffffc0000000000
R13: ffff8880522d8018 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000010746300(0000) GS:ffff8880ec992000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004bf938 CR3: 000000001c7c6000 CR4: 0000000000752ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:   24 78                   and    $0x78,%al
   2:   45 31 ff                xor    %r15d,%r15d
   5:   48 89 44 24 28          mov    %rax,0x28(%rsp)
   a:   48 c1 e8 03             shr    $0x3,%rax
   e:   48 89 84 24 88 00 00    mov    %rax,0x88(%rsp)
  15:   00
  16:   4c 89 e8                mov    %r13,%rax
  19:   48 c1 e8 03             shr    $0x3,%rax
  1d:   48 89 84 24 80 00 00    mov    %rax,0x80(%rsp)
  24:   00
  25:   44 89 f8                mov    %r15d,%eax
  28:   31 d2                   xor    %edx,%edx
* 2a:   f7 74 24 30             divl   0x30(%rsp) <-- trapping instruction
  2e:   41 89 d6                mov    %edx,%r14d
  31:   31 ff                   xor    %edi,%edi
  33:   89 d6                   mov    %edx,%esi
  35:   e8 e3 b0 24 ff          call   0xff24b11d
  3a:   45 85 f6                test   %r14d,%r14d
  3d:   4c 89 fb                mov    %r15,%rbx

---

Please let me know if any further information is required.

Best Regards,
Jiaming Zhang
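The arithmetic behind the report, as an added userspace illustration that is not part of the original message or of the exfat code: the readahead window is min(ra_pages, io_pages) pages converted to sectors, so a backing device that reports zero readahead pages yields max_ra_count == 0, and the `i % max_ra_count` trigger check in the sector loop then divides by zero. The two functions below are constructed stand-ins for that formula and that loop; the loop is modelled with the zero check the report proposes, returning an error instead of trapping. Parameter values (page shift 12, block size bits 9) are assumed for the sake of the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel expression in the report:
 *   min(ra_pages, io_pages) << (PAGE_SHIFT - s_blocksize_bits)
 * i.e. the readahead window expressed in sectors. */
static uint32_t max_ra_count_sectors(unsigned long ra_pages, unsigned long io_pages,
                                     unsigned int page_shift, unsigned int blocksize_bits)
{
    unsigned long pages = ra_pages < io_pages ? ra_pages : io_pages;
    return (uint32_t)(pages << (page_shift - blocksize_bits));
}

/* Models the sector loop in exfat_allocate_bitmap(): walks map_sectors
 * bitmap sectors and counts how often the readahead trigger
 * (i % max_ra_count == 0) would fire.  With the guard, a zero window
 * returns -EINVAL instead of executing the modulo that trapped in the
 * report.  Returns the trigger count on success. */
static int count_readahead_triggers(uint32_t map_sectors, uint32_t max_ra_count)
{
    if (!max_ra_count)
        return -EINVAL;   /* guard from the proposed fix: no modulo by zero */

    int triggers = 0;
    for (uint32_t i = 0; i < map_sectors; i++) {
        /* Trigger the next readahead in advance (modelled: just count). */
        if (0 == (i % max_ra_count))
            triggers++;
    }
    return triggers;
}

int main(void)
{
    /* Constructed values: a typical device with 32 readahead pages. */
    uint32_t ok = max_ra_count_sectors(32, 128, 12, 9);
    printf("ra=32 pages -> window %u sectors, triggers over 1024 sectors: %d\n",
           ok, count_readahead_triggers(1024, ok));

    /* Constructed values: a device reporting zero readahead pages. */
    uint32_t zero = max_ra_count_sectors(0, 128, 12, 9);
    int rc = count_readahead_triggers(1024, zero);
    printf("ra=0 pages  -> window %u sectors, loop result: %d (%s)\n",
           zero, rc, rc == -EINVAL ? "rejected by guard" : "ran");
    return 0;
}
```

The unguarded form of the loop cannot be shown executing here, since a modulo by zero is undefined behaviour in C and a hardware trap on x86, which is exactly why the kernel reports it as a fatal divide error rather than a recoverable failure.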

View attachment "repro.c" of type "text/plain" (42517 bytes)

Download attachment "report" of type "application/octet-stream" (4415 bytes)

Download attachment "repro.syz" of type "application/octet-stream" (7352 bytes)

Download attachment "kernel.log" of type "application/octet-stream" (189428 bytes)

Download attachment ".config" of type "application/xml" (272414 bytes)
