* [f2fs-dev] [Bug 215657] New: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
@ 2022-03-03 23:09 bugzilla-daemon
From: bugzilla-daemon @ 2022-03-03 23:09 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215657

            Bug ID: 215657
           Summary: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c
                    when mount and operate a corrupted image
           Product: File System
           Version: 2.5
    Kernel Version: 5.17-rc4, 5.17-rc6
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: f2fs
          Assignee: filesystem_f2fs@kernel-bugs.kernel.org
          Reporter: wenqingliu0120@gmail.com
        Regression: No

Created attachment 300527
  --> https://bugzilla.kernel.org/attachment.cgi?id=300527&action=edit
poc and .config

- Overview 
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mounting and operating on a corrupted image

- Reproduce 
tested on kernel 5.17-rc4, 5.17-rc6

# mkdir test_crash
# cd test_crash 
# unzip tmp2.zip
# mkdir mnt
# ./single_test.sh f2fs 2

- Kernel dump
[   46.434454] loop0: detected capacity change from 0 to 131072
[   46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[   46.738319]
================================================================================
[   46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[   46.738475] index 231 is out of range for type 'unsigned int [2]'
[   46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[   46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   46.738551] Call Trace:
[   46.738556]  <TASK>
[   46.738563]  dump_stack_lvl+0x47/0x5c
[   46.738581]  ubsan_epilogue+0x5/0x50
[   46.738592]  __ubsan_handle_out_of_bounds+0x68/0x80
[   46.738604]  f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[   46.738819]  do_write_page+0xef/0x210 [f2fs]
[   46.738934]  f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[   46.739038]  __write_node_page+0x2b7/0x920 [f2fs]
[   46.739162]  f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[   46.739268]  ? __inode_wait_for_writeback+0xd1/0x120
[   46.739283]  ? iput+0xd6/0x390
[   46.739293]  f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[   46.739405]  kill_f2fs_super+0x125/0x150 [f2fs]
[   46.739507]  deactivate_locked_super+0x60/0xc0
[   46.739517]  deactivate_super+0x70/0xb0
[   46.739524]  cleanup_mnt+0x11a/0x200
[   46.739532]  __cleanup_mnt+0x16/0x20
[   46.739538]  task_work_run+0x67/0xa0
[   46.739547]  exit_to_user_mode_prepare+0x18c/0x1a0
[   46.739559]  syscall_exit_to_user_mode+0x26/0x40
[   46.739568]  do_syscall_64+0x46/0xb0
[   46.739584]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   46.739594] RIP: 0033:0x7f7b9d28a657
[   46.739602] Code: 98 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 98 2c 00 f7 d8 64 89 01 48
[   46.739608] RSP: 002b:00007ffd5f511d68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   46.739616] RAX: 0000000000000000 RBX: 0000558790c51420 RCX: 00007f7b9d28a657
[   46.739620] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000558790c590b0
[   46.739623] RBP: 0000000000000000 R08: 0000558790c598a0 R09: 0000000000000004
[   46.739626] R10: 000000000000000b R11: 0000000000000246 R12: 0000558790c590b0
[   46.739630] R13: 00007f7b9d7ac8a4 R14: 0000558790c51600 R15: 0000000000000000
[   46.739637]  </TASK>
[   46.739711]
================================================================================

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
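A small triage helper for reports of this shape, added here as an example and not part of the bug thread: it parses UBSAN out-of-bounds lines and the call trace from dmesg text into the fields a reviewer wants first (location, offending index versus declared array length, the process that triggered it, and the first frame below the UBSAN runtime). The sample input is constructed from the dump quoted above and trimmed.

```python
import re

# Constructed sample: a trimmed copy of the UBSAN report quoted in the bug above.
SAMPLE_DMESG = """\
[   46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[   46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[   46.738475] index 231 is out of range for type 'unsigned int [2]'
[   46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[   46.738551] Call Trace:
[   46.738556]  <TASK>
[   46.738563]  dump_stack_lvl+0x47/0x5c
[   46.738581]  ubsan_epilogue+0x5/0x50
[   46.738592]  __ubsan_handle_out_of_bounds+0x68/0x80
[   46.738604]  f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[   46.738819]  do_write_page+0xef/0x210 [f2fs]
[   46.739268]  ? __inode_wait_for_writeback+0xd1/0x120
[   46.739637]  </TASK>
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # dmesg timestamp prefix
UBSAN_RE = re.compile(TS + r"UBSAN: (?P<kind>[\w-]+) in (?P<file>\S+):(?P<line>\d+):(?P<col>\d+)")
INDEX_RE = re.compile(TS + r"index (?P<index>\d+) is out of range for type '(?P<type>[^']+)'")
ARRAY_RE = re.compile(r"\[(?P<len>\d+)\]\s*$")  # declared length at the end of the C type
COMM_RE = re.compile(TS + r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
# "? " marks an unreliable frame in the kernel unwinder; we keep it but flag it.
FRAME_RE = re.compile(TS + r"(?P<unsure>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")


def parse_ubsan_report(text):
    """Return a dict describing the first UBSAN report found in dmesg-style text."""
    rep = {"frames": []}
    in_trace = False
    for raw in text.splitlines():
        if m := UBSAN_RE.match(raw):
            rep.update(kind=m["kind"], file=m["file"], line=int(m["line"]))
        elif m := INDEX_RE.match(raw):
            rep.update(index=int(m["index"]), type=m["type"])
            if am := ARRAY_RE.search(m["type"]):
                rep["array_len"] = int(am["len"])  # index >= array_len is the violation
        elif m := COMM_RE.match(raw):
            rep.update(pid=int(m["pid"]), comm=m["comm"])
        elif "Call Trace:" in raw:
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(raw)):
            rep["frames"].append((m["sym"], m["mod"], m["unsure"] is not None))
    return rep


def first_culprit_frame(rep):
    """First reliable frame below the UBSAN runtime: where the bad index was used."""
    for sym, mod, unsure in rep["frames"]:
        if not unsure and not (sym.startswith("dump_stack") or "ubsan" in sym):
            return sym, mod
    return None
```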


* [f2fs-dev] [Bug 215657] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
From: bugzilla-daemon @ 2022-03-04  1:51 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215657

Chao Yu (chao@kernel.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |chao@kernel.org

--- Comment #1 from Chao Yu (chao@kernel.org) ---
Hi Wenqing,

Thanks for your report.

I've posted a patch to fix this issue, could you please help to verify this?

https://lore.kernel.org/linux-f2fs-devel/20220304014913.3966369-1-chao@kernel.org/T/#u


* [f2fs-dev] [Bug 215657] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
From: bugzilla-daemon @ 2022-03-07 18:17 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215657

--- Comment #2 from Wenqing Liu (wenqingliu0120@gmail.com) ---
(In reply to Chao Yu from comment #1)
> Hi Wenqing,
> 
> Thanks for your report.
> 
> I've posted a patch to fix this issue, could you please help to verify this?
> 
> https://lore.kernel.org/linux-f2fs-devel/20220304014913.3966369-1-
> chao@kernel.org/T/#u

Hi, Chao,

Thanks for the fix. I tested it on 5.17-rc6 and the array-index-out-of-bounds
is not triggered anymore.


* [f2fs-dev] [Bug 215657] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
From: bugzilla-daemon @ 2022-04-28  9:05 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215657

Chao Yu (chao@kernel.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |CODE_FIX

