* [f2fs-dev] [Bug 215657] New: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
@ 2022-03-03 23:09 bugzilla-daemon
2022-03-04 1:51 ` [f2fs-dev] [Bug 215657] " bugzilla-daemon
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: bugzilla-daemon @ 2022-03-03 23:09 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215657
Bug ID: 215657
Summary: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c
when mount and operate a corrupted image
Product: File System
Version: 2.5
Kernel Version: 5.17-rc4, 5.17-rc6
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: wenqingliu0120@gmail.com
Regression: No
Created attachment 300527
--> https://bugzilla.kernel.org/attachment.cgi?id=300527&action=edit
poc and .config
- Overview
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and
operate a corrupted image
- Reproduce
tested on kernel 5.17-rc4, 5.17-rc6
# mkdir test_crash
# cd test_crash
# unzip tmp2.zip
# mkdir mnt
# ./single_test.sh f2fs 2
- Kernel dump
[ 46.434454] loop0: detected capacity change from 0 to 131072
[ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[ 46.738319]
================================================================================
[ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[ 46.738475] index 231 is out of range for type 'unsigned int [2]'
[ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 46.738551] Call Trace:
[ 46.738556] <TASK>
[ 46.738563] dump_stack_lvl+0x47/0x5c
[ 46.738581] ubsan_epilogue+0x5/0x50
[ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80
[ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[ 46.738819] do_write_page+0xef/0x210 [f2fs]
[ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[ 46.739038] __write_node_page+0x2b7/0x920 [f2fs]
[ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[ 46.739268] ? __inode_wait_for_writeback+0xd1/0x120
[ 46.739283] ? iput+0xd6/0x390
[ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs]
[ 46.739507] deactivate_locked_super+0x60/0xc0
[ 46.739517] deactivate_super+0x70/0xb0
[ 46.739524] cleanup_mnt+0x11a/0x200
[ 46.739532] __cleanup_mnt+0x16/0x20
[ 46.739538] task_work_run+0x67/0xa0
[ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0
[ 46.739559] syscall_exit_to_user_mode+0x26/0x40
[ 46.739568] do_syscall_64+0x46/0xb0
[ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 46.739594] RIP: 0033:0x7f7b9d28a657
[ 46.739602] Code: 98 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00
31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 01 98 2c 00 f7 d8 64 89 01 48
[ 46.739608] RSP: 002b:00007ffd5f511d68 EFLAGS: 00000246 ORIG_RAX:
00000000000000a6
[ 46.739616] RAX: 0000000000000000 RBX: 0000558790c51420 RCX:
00007f7b9d28a657
[ 46.739620] RDX: 0000000000000001 RSI: 0000000000000000 RDI:
0000558790c590b0
[ 46.739623] RBP: 0000000000000000 R08: 0000558790c598a0 R09:
0000000000000004
[ 46.739626] R10: 000000000000000b R11: 0000000000000246 R12:
0000558790c590b0
[ 46.739630] R13: 00007f7b9d7ac8a4 R14: 0000558790c51600 R15:
0000000000000000
[ 46.739637] </TASK>
[ 46.739711]
================================================================================
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
* [f2fs-dev] [Bug 215657] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
2022-03-03 23:09 [f2fs-dev] [Bug 215657] New: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image bugzilla-daemon
@ 2022-03-04 1:51 ` bugzilla-daemon
2022-03-07 18:17 ` bugzilla-daemon
2022-04-28 9:05 ` bugzilla-daemon
2 siblings, 0 replies; 4+ messages in thread
From: bugzilla-daemon @ 2022-03-04 1:51 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215657
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |chao@kernel.org
--- Comment #1 from Chao Yu (chao@kernel.org) ---
Hi Wenqing,
Thanks for your report.
I've posted a patch to fix this issue, could you please help to verify this?
https://lore.kernel.org/linux-f2fs-devel/20220304014913.3966369-1-chao@kernel.org/T/#u
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
* [f2fs-dev] [Bug 215657] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
2022-03-03 23:09 [f2fs-dev] [Bug 215657] New: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image bugzilla-daemon
2022-03-04 1:51 ` [f2fs-dev] [Bug 215657] " bugzilla-daemon
@ 2022-03-07 18:17 ` bugzilla-daemon
2022-04-28 9:05 ` bugzilla-daemon
2 siblings, 0 replies; 4+ messages in thread
From: bugzilla-daemon @ 2022-03-07 18:17 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215657
--- Comment #2 from Wenqing Liu (wenqingliu0120@gmail.com) ---
(In reply to Chao Yu from comment #1)
> Hi Wenqing,
>
> Thanks for your report.
>
> I've posted a patch to fix this issue, could you please help to verify this?
>
> https://lore.kernel.org/linux-f2fs-devel/20220304014913.3966369-1-
> chao@kernel.org/T/#u
Hi, Chao,
Thanks for the fix, I tested it on 5.17-rc6 and the array-index-out-of-bounds
wouldn't be triggered anymore.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
* [f2fs-dev] [Bug 215657] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
2022-03-03 23:09 [f2fs-dev] [Bug 215657] New: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image bugzilla-daemon
2022-03-04 1:51 ` [f2fs-dev] [Bug 215657] " bugzilla-daemon
2022-03-07 18:17 ` bugzilla-daemon
@ 2022-04-28 9:05 ` bugzilla-daemon
2 siblings, 0 replies; 4+ messages in thread
From: bugzilla-daemon @ 2022-04-28 9:05 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215657
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |CODE_FIX
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-04-28 9:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-03 23:09 [f2fs-dev] [Bug 215657] New: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image bugzilla-daemon
2022-03-04 1:51 ` [f2fs-dev] [Bug 215657] " bugzilla-daemon
2022-03-07 18:17 ` bugzilla-daemon
2022-04-28 9:05 ` bugzilla-daemon
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.