[syzbot] UBSAN: shift-out-of-bounds in diFree


syzbot

Oct 1, 2022, 9:36:38 AM
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 49c13ed0316d Merge tag 'soc-fixes-6.0-rc7' of git://git.ke..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10b106ef080000
kernel config: https://syzkaller.appspot.com/x/.config?x=755695d26ad09807
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c57cb06cb5a53b7b06
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f323ff080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=148a2804880000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4c57c...@syzkaller.appspotmail.com

ERROR: (device loop0): xtTruncate_pmap: XT_GETPAGE: xtree page corrupt
ERROR: (device loop0): remounting filesystem as read-only
ERROR: (device loop0): txAbort:
ERROR: (device loop0): xtTruncate: XT_GETPAGE: xtree page corrupt
================================================================================
UBSAN: shift-out-of-bounds in fs/jfs/jfs_imap.c:881:9
shift exponent 8205 is too large for 64-bit type 'long long unsigned int'
CPU: 0 PID: 3614 Comm: syz-executor393 Not tainted 6.0.0-rc7-syzkaller-00068-g49c13ed0316d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
ubsan_epilogue+0xb/0x50 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322
diFree.cold+0x17/0x68 fs/jfs/jfs_imap.c:881
jfs_evict_inode+0x3c1/0x4a0 fs/jfs/inode.c:156
evict+0x2ed/0x6b0 fs/inode.c:665
iput_final fs/inode.c:1748 [inline]
iput.part.0+0x55d/0x810 fs/inode.c:1774
iput+0x58/0x70 fs/inode.c:1764
dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401
__dentry_kill+0x3c0/0x640 fs/dcache.c:607
shrink_dentry_list+0x23c/0x800 fs/dcache.c:1201
shrink_dcache_parent+0x1fe/0x3c0 fs/dcache.c:1628
do_one_tree fs/dcache.c:1682 [inline]
shrink_dcache_for_umount+0x71/0x330 fs/dcache.c:1699
generic_shutdown_super+0x68/0x400 fs/super.c:473
kill_block_super+0x97/0xf0 fs/super.c:1427
deactivate_locked_super+0x94/0x160 fs/super.c:332
deactivate_super+0xad/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1186
task_work_run+0xdd/0x1a0 kernel/task_work.c:177
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xad5/0x29b0 kernel/exit.c:795
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
__do_sys_exit_group kernel/exit.c:936 [inline]
__se_sys_exit_group kernel/exit.c:934 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f72b3c35579
Code: Unable to access opcode bytes at RIP 0x7f72b3c3554f.
RSP: 002b:00007fff12fe7c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f72b3cb8330 RCX: 00007f72b3c35579
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000555556c4c2c0 R11: 0000000000000246 R12: 00007f72b3cb8330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
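The report above pins the failure to a shift in diFree whose exponent was 8205, far beyond the 63 a 64-bit operand allows; an exponent of that size can only come from metadata read off the mounted loop image (which the preceding log lines already show to be corrupt) and used without a range check. The block below is an added example written for this page, not code from the JFS driver or from this thread: it shows that bug class in plain C, the unchecked shift fed by an inode number from a constructed image beside a version that rejects out-of-range inode numbers before deriving any array index or shift count. The geometry constants are chosen to mirror JFS's inode allocation map (32 inodes per extent, 128 extents per IAG), but `struct iag_like`, `unchecked_mask`, `free_inode_checked` and the sample map are stand-ins and nothing here is the kernel's diFree.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Geometry chosen to mirror JFS's inode allocation map (jfs_imap.h):
 * 32 inodes per extent, 128 extents per IAG, 4096 inodes per IAG.
 * The struct and functions below are a constructed stand-in, not the driver. */
#define L2INOSPEREXT 5u
#define INOSPEREXT   (1u << L2INOSPEREXT)
#define EXTSPERIAG   128u
#define INOSPERIAG   (INOSPEREXT * EXTSPERIAG)

/* Stand-in for a per-IAG working map: one 32-bit word per extent,
 * a set bit meaning "inode allocated". */
struct iag_like {
    uint32_t wmap[EXTSPERIAG];
};

/* Vulnerable pattern: the shift count is whatever the image says the inode
 * number is. Once it exceeds 63 this is undefined behaviour, which is what
 * UBSAN's -fsanitize=shift reports as "shift exponent N is too large". */
uint64_t unchecked_mask(unsigned long ino_in_iag)
{
    return 1ULL << ino_in_iag;   /* UB for ino_in_iag > 63; never call it that way */
}

/* Hardened pattern: validate the inode number against the IAG before
 * deriving an extent index or a bit position from it. With ino_in_iag < 4096
 * the extent index is < 128 and the shift count is < 32, so neither the
 * array access nor the shift can go out of range whatever the image says. */
int free_inode_checked(struct iag_like *iag, unsigned long ino_in_iag)
{
    unsigned extno, bitno;
    uint32_t mask;

    if (ino_in_iag >= INOSPERIAG)
        return -EINVAL;                     /* not an inode of this IAG */

    extno = ino_in_iag >> L2INOSPEREXT;    /* 0..127 */
    bitno = ino_in_iag & (INOSPEREXT - 1); /* 0..31 */
    mask = 0x80000000u >> bitno;           /* high-order bit is inode 0 of the extent */

    if (!(iag->wmap[extno] & mask))
        return -EIO;                        /* already free: the map is inconsistent */

    iag->wmap[extno] &= ~mask;
    return 0;
}

/* Constructed sample IAG with every inode marked allocated. */
void iag_init_all_allocated(struct iag_like *iag)
{
    for (unsigned i = 0; i < EXTSPERIAG; i++)
        iag->wmap[i] = 0xffffffffu;
}

static struct iag_like demo_iag;

int main(void)
{
    int rc;

    iag_init_all_allocated(&demo_iag);

    /* 8205 is the exponent from the UBSAN report; it is rejected up front. */
    rc = free_inode_checked(&demo_iag, 8205);
    printf("free 8205 -> %d\n", rc);

    rc = free_inode_checked(&demo_iag, 5);
    printf("free 5    -> %d (wmap[0]=%08x)\n", rc, demo_iag.wmap[0]);

    rc = free_inode_checked(&demo_iag, 5);
    printf("free 5    -> %d (double free)\n", rc);
    return 0;
}
```

Compile with `-fsanitize=shift` (or `-fsanitize=undefined`) and the unchecked function reproduces the same class of diagnostic the report shows as soon as it is handed a value above 63; the checked function never reaches a shift with an untrusted count, which is the property to look for in any fix for this report.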

syzbot

Oct 4, 2022, 7:03:23 AM
to mudongl...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

asset storage also requires dashboard client

syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1562229452=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at e2556bc3d
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=e2556bc3d5922d083190922a5f66f1db91687492 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220928-110033'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=e2556bc3d5922d083190922a5f66f1db91687492 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220928-110033'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=e2556bc3d5922d083190922a5f66f1db91687492 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220928-110033'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"e2556bc3d5922d083190922a5f66f1db91687492\"



Tested on:

commit: 725737e7 Merge tag 'statx-dioalign-for-linus' of git:/..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git --
kernel config: https://syzkaller.appspot.com/x/.config?x=36e3ab6ff9643877
dashboard link: https://syzkaller.appspot.com/bug?extid=b4c57cb06cb5a53b7b06
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c0e884880000

syzbot

May 17, 2023, 3:00:36 PM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.