From patchwork Wed Mar 27 17:40:28 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1916954
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M/J/F][PATCH 1/1] UBSAN: array-index-out-of-bounds in dtSplitRoot
Date: Wed, 27 Mar 2024 12:40:28 -0500
Message-Id: <20240327174028.14953-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240327174028.14953-1-bethany.jamison@canonical.com>
References: <20240327174028.14953-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions
From: Osama Muhammad

Syzkaller reported the following issue:

loop0: detected capacity change from 0 to 32768
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9
index -2 is out of range for type 'struct dtslot [128]'
CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971
 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]
 dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863
 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270
 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
 do_mkdirat+0x279/0x550 fs/namei.c:4038
 __do_sys_mkdirat fs/namei.c:4053 [inline]
 __se_sys_mkdirat fs/namei.c:4051 [inline]
 __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcdc0113fd9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0
R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000

The issue is caused when the value of fsi becomes less than -1.
The check to break the loop when the fsi value becomes -1 is present,
but syzbot was able to produce a value less than -1, which causes the
error.
This patch simply adds the change for the values less than 0.
The patch is tested via syzbot.

Reported-and-tested-by: syzbot+d4b1df2e9d4ded6488ec@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=d4b1df2e9d4ded6488ec
Signed-off-by: Osama Muhammad
Signed-off-by: Dave Kleikamp
(cherry picked from commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16)
CVE-2023-52603
Signed-off-by: Bethany Jamison
---
 fs/jfs/jfs_dtree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 92b7c533407c1..f3d3e8b3f50cd 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -1970,7 +1970,7 @@ static int dtSplitRoot(tid_t tid, do { f = &rp->slot[fsi]; fsi = f->next; - } while (fsi != -1); + } while (fsi >= 0); f->next = n; }
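Review bot: The new condition `} while (fsi >= 0);` treats every negative value as the end of the chain, so the corrupted next index syzbot produced (-2 where -1 was expected) is no longer dereferenced, but it is also not reported; `f->next = n;` then runs and the split proceeds as if the directory page were well-formed. Consider testing `fsi != -1` after the loop exits and returning an error for that case instead of silently accepting the on-disk chain. Separately, `f = &rp->slot[fsi];` is executed before the condition is ever evaluated, so the value fsi holds on entry to the do/while (assigned above this hunk) is still dereferenced unchecked; if that initial value can also come from the on-disk page, it needs the same `>= 0` guard before the first iteration.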
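The loop the hunk above changes, modelled as an added example in C. This is not code from the patch, from fs/jfs or from the authors: the slot layout, the field names, the `next` index being a signed 8-bit field, the 15-byte payload, and all type and function names (`demo_page`, `walk_chain`, `build_chain`, `run_demo`) are this example's own assumptions; only the 128-slot page size is taken from the `'struct dtslot [128]'` type in the UBSAN report. It walks a constructed slot chain with the pre-patch condition (`fsi != -1`), the patched condition (`fsi >= 0`) and, going beyond the patch, a strict variant that also reports a terminator other than -1 as corruption rather than silently ending the walk. The range check before each dereference stands in for UBSAN; the kernel has no such check and reads out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 128 slots per page, as in 'struct dtslot [128]' from the UBSAN report.
 * Everything else about the layout is an assumption of this example. */
#define NSLOTS 128

struct demo_slot {
    int8_t  next;           /* index of the next slot in the chain; -1 ends it */
    uint8_t data[15];
};

struct demo_page {
    struct demo_slot slot[NSLOTS];
};

enum walk_result {
    WALK_OK = 0,        /* chain ended cleanly */
    WALK_OOB = 1,       /* about to dereference an index outside [0, NSLOTS) */
    WALK_CORRUPT = 2,   /* strict variant: chain ended on something other than -1 */
};

enum loop_kind {
    LOOP_LEGACY,        /* } while (fsi != -1);  the code before the patch */
    LOOP_PATCHED,       /* } while (fsi >= 0);   the code after the patch */
    LOOP_STRICT,        /* patched loop, then reject a terminator that is not -1 */
};

/*
 * Walk the chain from 'first' the way the do/while in dtSplitRoot does:
 * take slot[fsi], load fsi = slot[fsi].next, then test the loop condition.
 * The range check before the dereference is instrumentation standing in
 * for UBSAN; it is not part of the kernel loop being modelled.
 */
static enum walk_result walk_chain(const struct demo_page *p, int first,
                                   enum loop_kind kind, int *steps)
{
    int fsi = first;
    const struct demo_slot *f;

    *steps = 0;
    do {
        if (fsi < 0 || fsi >= NSLOTS)
            return WALK_OOB;            /* the read UBSAN reported with index -2 */
        f = &p->slot[fsi];
        (*steps)++;
        fsi = f->next;
    } while (kind == LOOP_LEGACY ? fsi != -1 : fsi >= 0);

    if (kind == LOOP_STRICT && fsi != -1)
        return WALK_CORRUPT;            /* a negative other than -1 is not a valid terminator */
    return WALK_OK;
}

/*
 * Constructed sample page: the chain visits the slots in idx[] in order and
 * the last slot's next field holds 'terminator' (-1 for a healthy chain, -2
 * for the value syzbot produced).  All other slots get next = -1.
 */
static void build_chain(struct demo_page *p, const int *idx, int n, int8_t terminator)
{
    memset(p, 0xff, sizeof *p);         /* 0xff bytes: every next field reads as -1 */
    for (int i = 0; i < n; i++)
        p->slot[idx[i]].next = (i + 1 < n) ? (int8_t)idx[i + 1] : terminator;
}

/* Run one loop variant over the sample chain; returns the outcome and, if
 * 'steps' is not NULL, the number of slots that were dereferenced. */
static enum walk_result run_demo(enum loop_kind kind, int8_t terminator, int *steps)
{
    static const int chain[] = { 3, 17, 64, 9 };   /* constructed sample chain */
    struct demo_page page;
    int local;

    if (!steps)
        steps = &local;
    build_chain(&page, chain, 4, terminator);
    return walk_chain(&page, chain[0], kind, steps);
}

int main(void)
{
    static const char *const names[] = { "OK", "OOB", "CORRUPT" };
    static const char *const loops[] = { "fsi != -1", "fsi >= 0", "fsi >= 0 + strict" };
    int steps;

    for (int k = LOOP_LEGACY; k <= LOOP_STRICT; k++) {
        for (int8_t t = -1; t >= -2; t--) {
            enum walk_result r = run_demo((enum loop_kind)k, t, &steps);
            printf("%-18s terminator %2d: %-7s after %d slots\n", loops[k], t, names[r], steps);
        }
    }
    return 0;
}
```

With the healthy chain all three variants visit four slots and return OK. With the -2 terminator the legacy condition is still true after the fourth slot, so the next iteration would index slot[-2] (the UBSAN report); the patched condition ends the walk at the same point and returns OK, which is what the patch intends but also means the corrupt page is accepted; the strict variant ends the walk and returns CORRUPT. The strict variant is this example's suggestion, not something the patch does.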