| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5wws3jiutruexkk4wl34wootqtfggj2h6ezrbemvtn7ykgsumq@3komfzq36st4>
Date: Fri, 19 Dec 2025 12:12:47 +0800
From: Heming Zhao <heming.zhao@...e.com>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot+151afab124dfbc5f15e6@...kaller.appspotmail.com,
jlbec@...lplan.org, joseph.qi@...ux.alibaba.com, linux-kernel@...r.kernel.org,
mark@...heh.com, ocfs2-devel@...ts.linux.dev, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] ocfs2: fix oob in __ocfs2_find_path
On Mon, Dec 15, 2025 at 10:09:32PM +0800, Edward Adam Davis wrote:
> Patch d358e5254674 modifies the definition of the array l_recs, specifying
> the number of its members as l_count. In the path shown in [1], it will
> first read the inode block where the system file directory is located
> from the disk, and then read the l_count of each extension block from
> the disk according to the extension list of the directory. Then the
> value is 0 before l_count is read. If the array l_recs member is directly
> accessed, the oob in [1] will be triggered.
>
> Use the rec pointer directly to access the extension block number to
> prevent the oob reported in [1].
>
> [1]
> UBSAN: array-index-out-of-bounds in fs/ocfs2/alloc.c:1838:11
> index 0 is out of range for type 'struct ocfs2_extent_rec[] __counted_by(l_count)' (aka 'struct ocfs2_extent_rec[]')
> Call Trace:
> __ocfs2_find_path+0x606/0xa40 fs/ocfs2/alloc.c:1838
> ocfs2_find_leaf+0xab/0x1c0 fs/ocfs2/alloc.c:1946
> ocfs2_get_clusters_nocache+0x172/0xc60 fs/ocfs2/extent_map.c:418
> ocfs2_get_clusters+0x505/0xa70 fs/ocfs2/extent_map.c:631
> ocfs2_extent_map_get_blocks+0x202/0x6a0 fs/ocfs2/extent_map.c:678
> ocfs2_read_virt_blocks+0x286/0x930 fs/ocfs2/extent_map.c:1001
> ocfs2_read_dir_block fs/ocfs2/dir.c:521 [inline]
> ocfs2_find_entry_el fs/ocfs2/dir.c:728 [inline]
> ocfs2_find_entry+0x3e4/0x2090 fs/ocfs2/dir.c:1120
> ocfs2_find_files_on_disk+0xdf/0x310 fs/ocfs2/dir.c:2023
> ocfs2_lookup_ino_from_name+0x52/0x100 fs/ocfs2/dir.c:2045
> _ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
> ocfs2_get_system_file_inode+0x326/0x770 fs/ocfs2/sysfile.c:112
> ocfs2_init_global_system_inodes+0x319/0x660 fs/ocfs2/super.c:461
> ocfs2_initialize_super fs/ocfs2/super.c:2196 [inline]
> ocfs2_fill_super+0x4432/0x65b0 fs/ocfs2/super.c:993
> get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691
> vfs_get_tree+0x92/0x2a0 fs/super.c:1751
> fc_mount fs/namespace.c:1199 [inline]
>
> Fixes: d358e5254674 ("ocfs2: annotate flexible array members with __counted_by_le()")
> Reported-by: syzbot+151afab124dfbc5f15e6@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=151afab124dfbc5f15e6
> Signed-off-by: Edward Adam Davis <eadavis@...com>
First, the commit id d358e5254674 is incorrect, the correct one is
2f26f58df041bbcf692730ff4d8ab0f250d9670d.
All __ocfs2_find_path() operations occur in memory, meaning there are no I/O
operations involeved.
>From the error msg "index 0 is out of range ...", we can deduce that both 'i'
and 'el->l_count' are zero. This is an impossible scenario in normal volume.
Therefore, the syzbot may have crafted a struct ocfs2_extent_rec where
el->l_count is 0.
I suggest you use this patch as a fix:
https://syzkaller.appspot.com/text?tag=Patch&x=14eb331a580000
Thanks,
Heming
> ---
> fs/ocfs2/alloc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 58bf58b68955..1ab0b9095a7a 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -1836,7 +1836,7 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
> break;
> }
>
> - blkno = le64_to_cpu(el->l_recs[i].e_blkno);
> + blkno = le64_to_cpu(rec->e_blkno);
> if (blkno == 0) {
> ocfs2_error(ocfs2_metadata_cache_get_super(ci),
> "Owner %llu has bad blkno in extent list at depth %u (index %d)\n",
> --
> 2.43.0
>
>
Powered by blists - more mailing lists