[v5.15] UBSAN: array-index-out-of-bounds in dtSplitRoot


syzbot

Jan 18, 2025, 11:29:26 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4735586da88e Linux 5.15.176
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11fda2b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=caf0c22a63c5c861
dashboard link: https://syzkaller.appspot.com/bug?extid=bd7784506b11a06dd129
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3e7a2d136136/disk-4735586d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7597375cf469/vmlinux-4735586d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/132474c9ad82/Image-4735586d.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bd7784...@syzkaller.appspotmail.com

find_entry called with index >= next_index
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1995:37
index -128 is out of range for type 'struct dtslot[128]'
CPU: 1 PID: 6509 Comm: syz.5.314 Not tainted 5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282
dtSplitRoot+0x998/0x1440 fs/jfs/jfs_dtree.c:1995
dtSplitUp fs/jfs/jfs_dtree.c:990 [inline]
dtInsert+0xee0/0x5534 fs/jfs/jfs_dtree.c:868
jfs_symlink+0x910/0xf1c fs/jfs/namei.c:1019
vfs_symlink+0x244/0x3a8 fs/namei.c:4429
do_symlinkat+0x364/0x6b0 fs/namei.c:4458
__do_sys_symlinkat fs/namei.c:4475 [inline]
__se_sys_symlinkat fs/namei.c:4472 [inline]
__arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
================================================================================
find_entry called with index >= next_index


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jan 18, 2025, 12:26:25 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 4735586da88e Linux 5.15.176
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17eba2b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=caf0c22a63c5c861
dashboard link: https://syzkaller.appspot.com/bug?extid=bd7784506b11a06dd129
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1007dfc4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=104619df980000
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/54f4c3fb9ecd/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/00127a9454a9/mount_3.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bd7784...@syzkaller.appspotmail.com

find_entry called with index >= next_index
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1995:37
index -128 is out of range for type 'struct dtslot[128]'
CPU: 0 PID: 4115 Comm: syz-executor758 Not tainted 5.15.176-syzkaller #0
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.