Re: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume


Greg KH

Mar 24, 2026, 3:46:05 AM
to 10163...@qq.com, sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com
On Tue, Mar 24, 2026 at 07:04:58AM +0000, 10163...@qq.com wrote:
> This patch is a backport to stable 5.15.y of upstream commit
> 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
> ("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This was attached, and could not be applied directly. Please submit the
patch inline.

thanks,

greg k-h

10163...@qq.com

Mar 24, 2026, 4:27:22 AM
to sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com
This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression

  1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)

to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.

Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.

This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]

Reviewed-by: Joseph Qi <jose...@linux.alibaba.com>
Signed-off-by: Qasim Ijaz <qasd...@gmail.com>
Signed-off-by: Changjian Liu <dri...@qq.com>
c6104ecfe56e0fd6b616.patch
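
Added example, not part of this thread or of the kernel source: a userspace sketch of the ordering the commit message describes, where the on-disk exponent is range-checked before any shift and the error path reports the raw value. The helper names get_le32() and cluster_size_from_disk() are hypothetical; the 12..20 range and the message text are taken from the patch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Accepted range, taken from the check in the patch context (12..20). */
#define CLUSTERSIZE_BITS_MIN 12u
#define CLUSTERSIZE_BITS_MAX 20u

/* Decode a little-endian 32-bit on-disk field (stand-in for le32_to_cpu). */
static uint32_t get_le32(const unsigned char *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Validate the untrusted exponent first and shift only once it is known to
 * be in range. On failure, report the raw field value, never 1 << bits.
 * Returns 0 and stores the cluster size, or -EINVAL and leaves *size alone.
 */
static int cluster_size_from_disk(const unsigned char *field, uint32_t *size)
{
	uint32_t bits = get_le32(field);

	if (bits < CLUSTERSIZE_BITS_MIN || bits > CLUSTERSIZE_BITS_MAX) {
		fprintf(stderr, "bad cluster size bit found: %u\n", (unsigned)bits);
		return -EINVAL;
	}
	*size = UINT32_C(1) << bits;	/* well defined: bits is 12..20 here */
	return 0;
}

int main(void)
{
	/* Constructed sample fields: one valid exponent, two corrupted ones. */
	const unsigned char samples[3][4] = {
		{ 0x0c, 0, 0, 0 }, { 0x20, 0, 0, 0 }, { 0xff, 0xff, 0xff, 0xff },
	};

	for (int i = 0; i < 3; i++) {
		uint32_t size = 0;
		int rc = cluster_size_from_disk(samples[i], &size);

		printf("sample %d: rc=%d size=%u\n", i, rc, (unsigned)size);
	}
	return 0;
}
```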

10163...@qq.com

Mar 24, 2026, 4:30:54 AM
to sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com
---
 fs/ocfs2/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
                       (unsigned long long)bh->b_blocknr);
            } else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
                      le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-                 mlog(ML_ERROR, "bad cluster size found: %u\n",
-                      1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+                 mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+                      le32_to_cpu(di->id2.i_super.s_clustersize_bits));
            } else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
                  mlog(ML_ERROR, "bad root_blkno: 0\n");
            } else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
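
Review bot: in the replacement mlog() call, the text "bad cluster size bit found" names a single bit while the value printed is the whole s_clustersize_bits exponent; "bad cluster size bits found: %u" would match the field name, and appending the accepted range from the condition just above (12 to 20) would tell whoever reads the log why the value was rejected. If this wording is the upstream commit's, keep it unchanged for the 5.15.y backport and raise the wording upstream instead. The %u specifier fits the unsigned 32-bit result of le32_to_cpu(), and with the shift removed the error path no longer computes anything from the unvalidated value.
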
--
2.43.0

10163...@qq.com

Mar 24, 2026, 4:51:52 AM
to sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com