[syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtSplitRoot (2)


syzbot

Nov 28, 2024, 6:22:29 PM
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9f16d5e6f220 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=139a59c0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e92fc420ca55fe33
dashboard link: https://syzkaller.appspot.com/bug?extid=99491d74a9931659cf48
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14fcc778580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179a59c0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c9f905470542/disk-9f16d5e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5b4c9cc530ec/vmlinux-9f16d5e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0f262e4c35e/bzImage-9f16d5e6.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e27e1a7c25e2/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+99491d...@syzkaller.appspotmail.com

... Log Wrap ... Log Wrap ... Log Wrap ...
find_entry called with index >= next_index
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1997:37
index -128 is out of range for type 'struct dtslot[128]'
CPU: 1 UID: 0 PID: 5842 Comm: syz-executor268 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
dtSplitRoot+0xc9c/0x1930 fs/jfs/jfs_dtree.c:1997
dtSplitUp fs/jfs/jfs_dtree.c:992 [inline]
dtInsert+0x12cd/0x6c10 fs/jfs/jfs_dtree.c:870
jfs_symlink+0x827/0x10f0 fs/jfs/namei.c:1020
vfs_symlink+0x137/0x2e0 fs/namei.c:4669
do_symlinkat+0x222/0x3a0 fs/namei.c:4695
__do_sys_symlink fs/namei.c:4716 [inline]
__se_sys_symlink fs/namei.c:4714 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4714
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb144f8c6f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc1536c068 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007ffc1536c248 RCX: 00007fb144f8c6f9
RDX: 00007fb144f8b791 RSI: 0000000020000180 RDI: 0000000020000700
RBP: 00007fb145005610 R08: 000000000000620d R09: 0000000000000000
R10: 00007ffc1536bf30 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc1536c238 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Nov 28, 2024, 8:51:57 PM
to syzbot+99491d...@syzkaller.appspotmail.com, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
The index of the slot may be out of bounds; add a check for it.

#syz test

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 8f85177f284b..71463ad751c2 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -1994,6 +1994,9 @@ static int dtSplitRoot(tid_t tid,

stbl = DT_GETSTBL(rp);
for (n = 0; n < rp->header.nextindex; n++) {
+ if (stbl[n] >= ARRAY_SIZE(rp->slot))
+ continue;
+
ldtentry = (struct ldtentry *) & rp->slot[stbl[n]];
modify_index(tid, ip, le32_to_cpu(ldtentry->index),
rbn, n, &mp, &lblock);
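Review bot: the new guard `if (stbl[n] >= ARRAY_SIZE(rp->slot))` rejects the -128 entry from the report only through implicit conversion: stbl is s8, so the negative value is promoted to int and then converted to the unsigned size_t that ARRAY_SIZE yields, where it compares as a very large number. That is correct on this target but hard to read and easy to break if the comparison is later touched; make the intent explicit with `if (stbl[n] < 0 || stbl[n] >= ARRAY_SIZE(rp->slot))` and add a comment saying that such an entry means the on-disk directory page is corrupt.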

syzbot

Nov 28, 2024, 9:15:03 PM
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, lizh...@windriver.com, sha...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+99491d...@syzkaller.appspotmail.com
Tested-by: syzbot+99491d...@syzkaller.appspotmail.com

Tested on:

commit: 7af08b57 Merge tag 'trace-v6.13-2' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b489e8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d9390a3931bdb72
dashboard link: https://syzkaller.appspot.com/bug?extid=99491d74a9931659cf48
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=137f8d30580000

Note: testing is done by a robot and is best-effort only.

Lizhi Xu

Nov 29, 2024, 6:16:35 AM
to syzbot+99491d...@syzkaller.appspotmail.com, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
syzbot reported an array-index-out-of-bounds in dtSplitRoot. [1]

The second index value of the parent inode of the symbolic link is 4294967168.
When it is assigned to the stbl of type s8, an overflow value of -128 occurs,
which triggers oob.

To avoid this issue, add a check for the index of the slot before using it.

[1]
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1997:37
index -128 is out of range for type 'struct dtslot[128]'
CPU: 1 UID: 0 PID: 5842 Comm: syz-executor268 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
dtSplitRoot+0xc9c/0x1930 fs/jfs/jfs_dtree.c:1997
dtSplitUp fs/jfs/jfs_dtree.c:992 [inline]
dtInsert+0x12cd/0x6c10 fs/jfs/jfs_dtree.c:870
jfs_symlink+0x827/0x10f0 fs/jfs/namei.c:1020
vfs_symlink+0x137/0x2e0 fs/namei.c:4669
do_symlinkat+0x222/0x3a0 fs/namei.c:4695
__do_sys_symlink fs/namei.c:4716 [inline]
__se_sys_symlink fs/namei.c:4714 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4714
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-and-tested-by: syzbot+99491d...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=99491d74a9931659cf48
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
fs/jfs/jfs_dtree.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 8f85177f284b..71463ad751c2 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -1994,6 +1994,9 @@ static int dtSplitRoot(tid_t tid,

stbl = DT_GETSTBL(rp);
for (n = 0; n < rp->header.nextindex; n++) {
+ if (stbl[n] >= ARRAY_SIZE(rp->slot))
+ continue;
+
ldtentry = (struct ldtentry *) & rp->slot[stbl[n]];
modify_index(tid, ip, le32_to_cpu(ldtentry->index),
rbn, n, &mp, &lblock);
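Review bot: `continue` silently skips a slot-table entry that can only be present if the on-disk directory page is corrupt, so modify_index() is never called for that entry, no error reaches the caller of dtSplitRoot() and nothing marks the filesystem as corrupt; the split then completes on inconsistent data and the UBSAN report is the only trace left. Prefer to fail the operation here, returning an error such as -EIO and marking the filesystem dirty, rather than skipping the entry.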
--
2.43.0
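As an added illustration, not part of this thread or of the JFS code, the following stand-alone C model shows the narrowing described in the commit message (a 32-bit index of 4294967168 becoming -128 in an s8 slot table), why the patch's comparison against a size_t rejects it only implicitly, and an explicit validator that reports the corruption to the caller instead of skipping the entry. The struct, the constants and `-EIO` as the chosen error are assumptions of this model, not the kernel's definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Constructed model of a JFS directory page: 128 slots addressed through an
 * s8 slot table (stbl). Field names follow the thread; layout is not the kernel's. */
#define DTSLOTS 128
typedef int8_t s8;
typedef uint32_t u32;

struct page_model {
	int nextindex;
	s8 stbl[DTSLOTS];
};

/* Narrow a 32-bit index to s8 as the commit message describes:
 * 4294967168 (0xffffff80) becomes -128 (modular on gcc/clang). */
s8 narrow_index(u32 idx)
{
	return (s8)idx;
}

/* The patch's test: the s8 is promoted to int, then converted to size_t for
 * the comparison, so -128 compares as a huge unsigned value and is rejected.
 * Correct here, but only through implicit conversion. */
int patch_rejects(s8 slot)
{
	return slot >= (size_t)DTSLOTS;
}

/* Explicit alternative: reject negative and too-large indexes and return an
 * error so the caller can abort the split and mark the filesystem corrupt. */
int validate_stbl(const struct page_model *p)
{
	for (int n = 0; n < p->nextindex; n++) {
		if (p->stbl[n] < 0 || p->stbl[n] >= DTSLOTS)
			return -EIO;
	}
	return 0;
}

int main(void)
{
	/* Constructed page: one good entry, one carrying the reported bad index. */
	struct page_model p = { .nextindex = 2, .stbl = { 1, 0 } };
	p.stbl[1] = narrow_index(4294967168u);
	printf("narrowed: %d, patch rejects: %d, validate: %d\n",
	       p.stbl[1], patch_rejects(p.stbl[1]), validate_stbl(&p));
	return 0;
}
```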

Dave Kleikamp

Feb 19, 2025, 10:54:56 AM
to Lizhi Xu, syzbot+99491d...@syzkaller.appspotmail.com, jfs-dis...@lists.sourceforge.net, syzkall...@googlegroups.com, linux-...@vger.kernel.org
I'm catching up on some long-ignored emails and have some concerns about
this patch.

On 11/29/24 5:16AM, Lizhi Xu via Jfs-discussion wrote:
> syzbot reported an array-index-out-of-bounds in dtSplitRoot. [1]
>
> The second index value of the parent inode of the symbolic link is 4294967168.
> When it is assigned to the stbl of type s8, an overflow value of -128 occurs,
> which triggers oob.

I don't quite understand where this assignment is. Where is the stbl
being assigned 4294967168?

>
> To avoid this issue, add a check for the index of the slot before using it.

This check simply ignores the problem. There is no report and no error
returned. Ideally, this should result in an error and/or the filesystem
being marked dirty.