From: butt3rflyh4ck <butterflyhuangxx@gmail.com>
To: Dave Kleikamp <dave.kleikamp@oracle.com>
Cc: jfs-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: UBSAN: array-index-out-of-bounds in dbAdjTree
Date: Fri, 20 Nov 2020 17:50:24 +0800
Message-ID: <CAFcO6XOOOCLwdcK3enSV3Ap-PZmY8RTu2ifgKRJX+pdmhaq5uA@mail.gmail.com>
In-Reply-To: <298485e2-01de-048d-5515-44ac254167e4@oracle.com>
You are welcome. Have you submitted the patch to Linux upstream?
If you have no time to do that, I can do it.
On Sun, Nov 15, 2020 at 12:17 AM Dave Kleikamp <dave.kleikamp@oracle.com> wrote:
>
> Thanks for reporting and testing this!
>
> Shaggy
>
> On 11/14/20 7:55 AM, butt3rflyh4ck wrote:
> > Yes, I have tested the patch, it seems to fix the problem.
> >
> > Regards,
> > butt3rflyh4ck.
> >
> > On Sat, Nov 14, 2020 at 5:16 AM Dave Kleikamp <dave.kleikamp@oracle.com> wrote:
> >>
> >> On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
> >>> I report an array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
> >>> kernel fuzzing.
> >>>
> >>> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
> >>>
> >>> and it can be reproduced.
> >>>
> >>> dmtree_t is:
> >>> typedef union dmtree {
> >>>     struct dmaptree t1;
> >>>     struct dmapctl t2;
> >>> } dmtree_t;
> >>>
> >>> dmaptree is:
> >>> struct dmaptree {
> >>>     __le32 nleafs;      /* 4: number of tree leafs */
> >>>     __le32 l2nleafs;    /* 4: l2 number of tree leafs */
> >>>     __le32 leafidx;     /* 4: index of first tree leaf */
> >>>     __le32 height;      /* 4: height of the tree */
> >>>     s8 budmin;          /* 1: min l2 tree leaf value to combine */
> >>>     s8 stree[TREESIZE]; /* TREESIZE: tree */
> >>>     u8 pad[2];          /* 2: pad to word boundary */
> >>> };
> >>> TREESIZE is 341 in total, but the leafidx type is __le32.
> >>
> >> Does this patch fix the problem?
> >>
> >> jfs: Fix array index bounds check in dbAdjTree
> >>
> >> Bounds checking tools can flag a bug in dbAdjTree() for an array index
> >> out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
> >> both structures dmaptree and dmapctl, use the larger array to eliminate
> >> the false positive.
> >>
> >> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
> >> ---
> >> fs/jfs/jfs_dmap.h | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
> >> index 29891fad3f09..aa03a904d5ab 100644
> >> --- a/fs/jfs/jfs_dmap.h
> >> +++ b/fs/jfs/jfs_dmap.h
> >> @@ -183,7 +183,7 @@ typedef union dmtree {
> >> #define dmt_leafidx t1.leafidx
> >> #define dmt_height t1.height
> >> #define dmt_budmin t1.budmin
> >> -#define dmt_stree t1.stree
> >> +#define dmt_stree t2.stree
> >>
> >> /*
> >> * on-disk aggregate disk allocation map descriptor.
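Review bot: the `-#define dmt_stree t1.stree` / `+#define dmt_stree t2.stree` switch is only sound if dmaptree and dmapctl place stree at the same offset, since every other dmt_* macro in this hunk still goes through t1 while stree now goes through t2; a `BUILD_BUG_ON(offsetof(struct dmaptree, stree) != offsetof(struct dmapctl, stree))` next to these macros would pin that invariant down. Since the commit message calls the report a false positive, it would also help to state that callers operating on a dmaptree still rely on their own indices staying below TREESIZE, as the checker can no longer see that bound.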
> >> --
> >> 2.29.2
> >>
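A small userspace model of the union aliasing and the bounds question raised in this thread, added here as an example and not code from the kernel or from either poster. TREESIZE is the 341 quoted above; CTLTREESIZE, the dmapctl layout (same header fields, larger stree) and the leafidx values are assumptions.

```c
/* Added example, not the kernel's code: a userspace model of the jfs dmtree
 * union discussed in the thread. TREESIZE is the 341 the report quotes;
 * CTLTREESIZE and the dmapctl layout (same header, larger stree) are assumed. */
#include <stddef.h>
#include <stdint.h>

#define TREESIZE    341
#define CTLTREESIZE 1365 /* assumed, only needs to exceed TREESIZE */

struct dmaptree {
	uint32_t nleafs, l2nleafs, leafidx, height;
	int8_t budmin, stree[TREESIZE];
	uint8_t pad[2];
};
struct dmapctl {
	uint32_t nleafs, l2nleafs, leafidx, height;
	int8_t budmin, stree[CTLTREESIZE];
	uint8_t pad[3];
};
typedef union dmtree {
	struct dmaptree t1;
	struct dmapctl t2;
} dmtree_t;

/* dmt_stree may point at t2.stree only because both members place stree at
 * the same offset; this BUILD_BUG_ON-style typedef fails to compile otherwise. */
typedef char stree_offset_check[
	offsetof(struct dmaptree, stree) == offsetof(struct dmapctl, stree) ? 1 : -1];

/* Slot that dbAdjTree-style code would touch (leafidx + leafno) in a tree of
 * the kind is_ctl selects, or -1 if it falls outside that tree. leafidx is a
 * full 32-bit on-disk field, so treat it as untrusted and sum in 64 bits. */
int dmt_slot(const dmtree_t *tp, int is_ctl, int leafno)
{
	size_t len = is_ctl ? CTLTREESIZE : TREESIZE;
	uint64_t slot = (uint64_t)tp->t2.leafidx + (uint64_t)leafno;

	return (leafno >= 0 && slot < len) ? (int)slot : -1;
}

/* Zeroed tree with only leafidx set (constructed input), then check one access. */
int check_slot(uint32_t leafidx, int is_ctl, int leafno)
{
	dmtree_t tp = { .t2.leafidx = leafidx };

	return dmt_slot(&tp, is_ctl, leafno);
}
```

With a dmapctl-sized tree, slot 1029 is legitimately in range while the same index through the 341-entry dmaptree array is what the checker flagged; a leafidx near 2^32 is rejected for both kinds.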