korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-09-21 20:22:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
9862ec7ac1
linux/fs/jfs
History
Osama Muhammad 9862ec7ac1 FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree 
Syzkaller reported the following issue:

UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6
index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
 dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 panic+0x30f/0x770 kernel/panic.c:340
 check_panic_on_warn+0x82/0xa0 kernel/panic.c:236
 ubsan_epilogue lib/ubsan.c:223 [inline]
 __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348
 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
 dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..

The issue is caused when the value of lp becomes greater than
CTLTREESIZE which is the max size of stree. Adding a simple check
solves this issue.

Dave:
As the function returns a void, good error handling
would require a more intrusive code reorganization, so I modified
Osama's patch at use WARN_ON_ONCE for lack of a cleaner option.

The patch is tested via syzbot.

Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb
Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
2023-11-21 15:26:33 -06:00
..
acl.c jfs: convert to ctime accessor functions 2023-07-24 10:30:01 +02:00
file.c splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
inode.c jfs: convert to new timestamp accessors 2023-10-18 14:08:23 +02:00
ioctl.c jfs: convert to ctime accessor functions 2023-07-24 10:30:01 +02:00
jfs_acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
jfs_btree.h
jfs_debug.c
jfs_debug.h
jfs_dinode.h jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
jfs_discard.c
jfs_discard.h
jfs_dmap.c FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree 2023-11-21 15:26:33 -06:00
jfs_dmap.h
jfs_dtree.c fs/jfs: Remove dead code 2022-04-25 14:00:33 -05:00
jfs_dtree.h
jfs_extent.c jfs: validate max amount of blocks before allocation. 2023-08-29 12:25:47 -05:00
jfs_extent.h jfs: remove unused declarations for jfs 2022-10-18 08:50:26 -05:00
jfs_filsys.h jfs: jfs_dmap: Validate db_l2nbperpage while mounting 2023-06-20 12:37:50 -05:00
jfs_imap.c Minor stability improvements 2023-11-02 08:08:28 -10:00
jfs_imap.h
jfs_incore.h jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
jfs_inode.c jfs: convert to new timestamp accessors 2023-10-18 14:08:23 +02:00
jfs_inode.h fs: port ->fileattr_set() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
jfs_lock.h
jfs_logmgr.c jfs: fix log->bdev_handle null ptr deref in lbmStartIO 2023-10-28 13:29:22 +02:00
jfs_logmgr.h jfs: Convert to bdev_open_by_dev() 2023-10-28 13:29:21 +02:00
jfs_metapage.c mm,jfs: move write_one_page/folio_write_one to jfs 2023-03-12 20:00:42 -04:00
jfs_metapage.h
jfs_mount.c jfs: Convert to bdev_open_by_dev() 2023-10-28 13:29:21 +02:00
jfs_superblock.h
jfs_txnmgr.c jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
jfs_txnmgr.h
jfs_types.h
jfs_umount.c jfs: Fix a typo in function jfs_umount 2022-11-10 15:08:00 -06:00
jfs_unicode.c
jfs_unicode.h fs/jfs: Use common ucs2 upper case table 2023-08-30 08:55:52 -05:00
jfs_xattr.h jfs: move jfs_xattr_handlers to .rodata 2023-10-09 16:24:19 +02:00
jfs_xtree.c jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
jfs_xtree.h jfs: define xtree root and page independently 2023-10-13 10:39:25 -05:00
Kconfig 22 smb3/cifs client fixes and two related changes (for unicode mapping) 2023-08-30 21:01:40 -07:00
Makefile fs/jfs: Use common ucs2 upper case table 2023-08-30 08:55:52 -05:00
namei.c jfs: convert to new timestamp accessors 2023-10-18 14:08:23 +02:00
resize.c jfs: use sb_bdev_nr_blocks 2021-10-18 14:43:23 -06:00
super.c vfs-6.7.fsid 2023-11-07 12:11:26 -08:00
symlink.c
xattr.c jfs: move jfs_xattr_handlers to .rodata 2023-10-09 16:24:19 +02:00