From: Anup Sharma <anupnewsmail@gmail.com>
To: shaggy@kernel.org, r33s3n6@gmail.com, mudongliangabcd@gmail.com,
	 liushixin2@huawei.com, wuhoipok@gmail.com,
	 jfs-discussion@lists.sourceforge.net,
	 linux-kernel-mentees@lists.linuxfoundation.org,
	linux-kernel@vger.kernel.org,  skhan@linuxfoundation.org
Subject: Re: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
Date: Sun, 7 May 2023 10:58:53 +0530
Message-ID: <CAJPAYX=D6aTGOPsOzep2Eq6FaocqDUwGBTzC-c_6n5w8H_AvBA@mail.gmail.com>
In-Reply-To: <ZDla2Nuyq2QLdo96@yoga>

On Fri, 14 Apr 2023 at 19:23, anupsharma <anupnewsmail@gmail.com> wrote:

> Syzkaller reported the following issue:
>          option from the mount to silence this warning.
> =======================================================
> find_entry called with index = 0
> read_mapping_page failed!
> ERROR: (device loop0): txCommit:
> ERROR: (device loop0): remounting filesystem as read-only
>
> ================================================================================
> UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
> shift exponent 134217736 is too large for 64-bit type 'long long'
> CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted
> 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 03/02/2023
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
>  ubsan_epilogue lib/ubsan.c:217 [inline]
>  __ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
>  dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
>  txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
>  xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
>  jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
>  jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
>  evict+0x2a4/0x620 fs/inode.c:665
>  __dentry_kill+0x436/0x650 fs/dcache.c:607
>  shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
>  shrink_dcache_parent+0xcd/0x480
>  do_one_tree+0x23/0xe0 fs/dcache.c:1682
>  shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
>  generic_shutdown_super+0x67/0x340 fs/super.c:472
>  kill_block_super+0x7e/0xe0 fs/super.c:1398
>  deactivate_locked_super+0xa4/0x110 fs/super.c:331
>  cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
>  task_work_run+0x24a/0x300 kernel/task_work.c:179
>  exit_task_work include/linux/task_work.h:38 [inline]
>  do_exit+0x68f/0x2290 kernel/exit.c:869
>  do_group_exit+0x206/0x2c0 kernel/exit.c:1019
>  __do_sys_exit_group kernel/exit.c:1030 [inline]
>  __se_sys_exit_group kernel/exit.c:1028 [inline]
>  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fa87e2289b9
> Code: Unable to access opcode bytes at 0x7fa87e22898f.
> RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
> R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
> R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
>  </TASK>
>
> ================================================================================
>
> db_l2nbperpage, which is used as a shift exponent to get the buffer
> for the current dmap, will be less than or equal to 64.
>
> Tested via syzbot.
>
> Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
>
> Signed-off-by: Anup Sharma <anupnewsmail@gmail.com>
> ---
>  fs/jfs/jfs_dmap.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index a3eb1e826947..d2cf56dd8f91 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -184,7 +184,10 @@ int dbMount(struct inode *ipbmap)
>                 err = -EINVAL;
>                 goto err_release_metapage;
>         }
> -
> +       if (bmp->db_l2nbperpage >= 64) {
> +               err = -EINVAL;
> +               goto err_release_metapage;
> +       }
>         bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
>         bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
>         bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
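Review bot: the bound in the new check is a bare `64` whose only justification is the width of the shifted type named in the UBSAN report ("too large for 64-bit type 'long long'"); expressing it through a named constant such as `BITS_PER_LONG_LONG`, or better a bound derived from the largest page-to-block ratio the on-disk format actually allows, would document why the limit is what it is and would reject corrupt values that are below 64 but still meaningless for a dmap. The commit message also disagrees with the code: it says `db_l2nbperpage` "will be less than and equal to 64", while `if (bmp->db_l2nbperpage >= 64)` rejects 64 itself; please make the two agree. Minor: the hunk drops the blank line that separated the preceding `}` from the assignment block, so the two `if` blocks now abut; keeping a blank line between them matches the surrounding style.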
> --
> 2.34.1
>
Hello All,

Just wanted to follow up on this patch submitted earlier. May I please request a review and feedback on this patch.

Thanks,
Anup
