UBSAN: array-index-out-of-bounds in dbAdjTree
7 views
Skip to first unread message
butt3rflyh4ck
Oct 8, 2020, 1:00:14āÆPM10/8/20
to sha...@kernel.org, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
I report a array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
kernel fuzz.
kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
and can reproduce.
the dmtree_t is that
typedef union dmtree {
struct dmaptree t1;
struct dmapctl t2;
} dmtree_t;
the dmaptree is that
struct dmaptree {
__le32 nleafs; /* 4: number of tree leafs */
__le32 l2nleafs; /* 4: l2 number of tree leafs */
__le32 leafidx; /* 4: index of first tree leaf */
__le32 height; /* 4: height of the tree */
s8 budmin; /* 1: min l2 tree leaf value to combine */
s8 stree[TREESIZE]; /* TREESIZE: tree */
u8 pad[2]; /* 2: pad to word boundary */
};
the TREESIZE is totally 341, but the leafidx type is __le32.
the crash log is asblow:
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2897:19
index 341 is out of range for type 's8 [341]'
CPU: 1 PID: 10535 Comm: syz-executor.3 Not tainted 5.9.0-rc6+ #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
dbAdjTree+0x34c/0x360 fs/jfs/jfs_dmap.c:2897
dbAdjCtl+0x2a3/0x830 fs/jfs/jfs_dmap.c:2556
dbAllocDmap+0xb7/0x110 fs/jfs/jfs_dmap.c:2069
dbAllocNext+0x35b/0x420 fs/jfs/jfs_dmap.c:1212
dbAlloc+0x357/0xb60 fs/jfs/jfs_dmap.c:778
ea_get+0xa54/0x11a0 fs/jfs/xattr.c:514
__jfs_setxattr+0x1b0/0xfa0 fs/jfs/xattr.c:718
__jfs_xattr_set+0xc9/0x150 fs/jfs/xattr.c:917
__vfs_setxattr+0x10e/0x170 fs/xattr.c:177
__vfs_setxattr_noperm+0x11a/0x4c0 fs/xattr.c:208
__vfs_setxattr_locked+0x1bf/0x250 fs/xattr.c:266
vfs_setxattr+0xe5/0x270 fs/xattr.c:283
setxattr+0x23d/0x330 fs/xattr.c:548
path_setxattr+0x170/0x190 fs/xattr.c:567
__do_sys_setxattr fs/xattr.c:582 [inline]
__se_sys_setxattr fs/xattr.c:578 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:578
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4693c9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe67df97c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0000000000739140 RCX: 00000000004693c9
RDX: 00000000200003c0 RSI: 0000000020000100 RDI: 0000000020000140
RBP: 00000000004c291b R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000000c1 R11: 0000000000000246 R12: 000000000076cf20
R13: 0000000000000000 R14: 000000000076cf20 R15: 00007ffc7d66ec90
================================================================================
Regard,
butt3rflyh4ck.
kernel fuzz.
kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
and can reproduce.
the dmtree_t is that
typedef union dmtree {
struct dmaptree t1;
struct dmapctl t2;
} dmtree_t;
the dmaptree is that
struct dmaptree {
__le32 nleafs; /* 4: number of tree leafs */
__le32 l2nleafs; /* 4: l2 number of tree leafs */
__le32 leafidx; /* 4: index of first tree leaf */
__le32 height; /* 4: height of the tree */
s8 budmin; /* 1: min l2 tree leaf value to combine */
s8 stree[TREESIZE]; /* TREESIZE: tree */
u8 pad[2]; /* 2: pad to word boundary */
};
the TREESIZE is totally 341, but the leafidx type is __le32.
the crash log is asblow:
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2897:19
index 341 is out of range for type 's8 [341]'
CPU: 1 PID: 10535 Comm: syz-executor.3 Not tainted 5.9.0-rc6+ #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
dbAdjTree+0x34c/0x360 fs/jfs/jfs_dmap.c:2897
dbAdjCtl+0x2a3/0x830 fs/jfs/jfs_dmap.c:2556
dbAllocDmap+0xb7/0x110 fs/jfs/jfs_dmap.c:2069
dbAllocNext+0x35b/0x420 fs/jfs/jfs_dmap.c:1212
dbAlloc+0x357/0xb60 fs/jfs/jfs_dmap.c:778
ea_get+0xa54/0x11a0 fs/jfs/xattr.c:514
__jfs_setxattr+0x1b0/0xfa0 fs/jfs/xattr.c:718
__jfs_xattr_set+0xc9/0x150 fs/jfs/xattr.c:917
__vfs_setxattr+0x10e/0x170 fs/xattr.c:177
__vfs_setxattr_noperm+0x11a/0x4c0 fs/xattr.c:208
__vfs_setxattr_locked+0x1bf/0x250 fs/xattr.c:266
vfs_setxattr+0xe5/0x270 fs/xattr.c:283
setxattr+0x23d/0x330 fs/xattr.c:548
path_setxattr+0x170/0x190 fs/xattr.c:567
__do_sys_setxattr fs/xattr.c:582 [inline]
__se_sys_setxattr fs/xattr.c:578 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:578
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4693c9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe67df97c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 0000000000739140 RCX: 00000000004693c9
RDX: 00000000200003c0 RSI: 0000000020000100 RDI: 0000000020000140
RBP: 00000000004c291b R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000000c1 R11: 0000000000000246 R12: 000000000076cf20
R13: 0000000000000000 R14: 000000000076cf20 R15: 00007ffc7d66ec90
================================================================================
Regard,
butt3rflyh4ck.
Dave Kleikamp
Nov 13, 2020, 4:16:08āÆPM11/13/20
to butt3rflyh4ck, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
> I report a array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
> kernel fuzz.
>
> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
>
> and can reproduce.
>
> the dmtree_t is that
> typedef union dmtree {
> struct dmaptree t1;
> struct dmapctl t2;
> } dmtree_t;
>
> the dmaptree is that
> struct dmaptree {
> __le32 nleafs; /* 4: number of tree leafs */
> __le32 l2nleafs; /* 4: l2 number of tree leafs */
> __le32 leafidx; /* 4: index of first tree leaf */
> __le32 height; /* 4: height of the tree */
> s8 budmin; /* 1: min l2 tree leaf value to combine */
> s8 stree[TREESIZE]; /* TREESIZE: tree */
> u8 pad[2]; /* 2: pad to word boundary */
> };
> the TREESIZE is totally 341, but the leafidx type is __le32.
Does this patch fix the problem?
> I report a array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
> kernel fuzz.
>
> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
>
> and can reproduce.
>
> the dmtree_t is that
> typedef union dmtree {
> struct dmaptree t1;
> struct dmapctl t2;
> } dmtree_t;
>
> the dmaptree is that
> struct dmaptree {
> __le32 nleafs; /* 4: number of tree leafs */
> __le32 l2nleafs; /* 4: l2 number of tree leafs */
> __le32 leafidx; /* 4: index of first tree leaf */
> __le32 height; /* 4: height of the tree */
> s8 budmin; /* 1: min l2 tree leaf value to combine */
> s8 stree[TREESIZE]; /* TREESIZE: tree */
> u8 pad[2]; /* 2: pad to word boundary */
> };
> the TREESIZE is totally 341, but the leafidx type is __le32.
jfs: Fix array index bounds check in dbAdjTree
Bounds checking tools can flag a bug in dbAdjTree() for an array index
out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
both structures dmaptree and dmapctl, use the larger array to eliminate
the false positive.
Signed-off-by: Dave Kleikamp <dave.k...@oracle.com>
---
fs/jfs/jfs_dmap.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
index 29891fad3f09..aa03a904d5ab 100644
--- a/fs/jfs/jfs_dmap.h
+++ b/fs/jfs/jfs_dmap.h
@@ -183,7 +183,7 @@ typedef union dmtree {
#define dmt_leafidx t1.leafidx
#define dmt_height t1.height
#define dmt_budmin t1.budmin
-#define dmt_stree t1.stree
+#define dmt_stree t2.stree
/*
* on-disk aggregate disk allocation map descriptor.
--
2.29.2
butt3rflyh4ck
Nov 14, 2020, 8:55:50āÆAM11/14/20
to Dave Kleikamp, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
Yes, I have tested the patch, it seem to fix the problem.
Regard,
butt3rflyh4ck.
Regard,
butt3rflyh4ck.
Dave Kleikamp
Nov 14, 2020, 11:17:03āÆAM11/14/20
to butt3rflyh4ck, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
Thanks for reporting and testing this!
Shaggy
Shaggy
butt3rflyh4ck
Nov 20, 2020, 4:50:37āÆAM11/20/20
to Dave Kleikamp, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
You are welcome and have you submitted the patch to linux upstream ?
If you have no time do that and I can do it.
If you have no time do that and I can do it.
butt3rflyh4ck
Nov 20, 2020, 4:52:48āÆAM11/20/20
to Dave Kleikamp, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
You are welcome and have you submitted the patch to linux upstream ?
If you have no time do that and I can do it.
Regard,
If you have no time do that and I can do it.
butt3rflyh4ck.
Dave Kleikamp
Nov 20, 2020, 10:01:36āÆAM11/20/20
to butt3rflyh4ck, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
On 11/20/20 3:52 AM, butt3rflyh4ck wrote:
> You are welcome and have you submitted the patch to linux upstream ?
> If you have no time do that and I can do it.
Yes, it's in linux-next now. I'll push it to upstream in the v5.11 window.
> You are welcome and have you submitted the patch to linux upstream ?
> If you have no time do that and I can do it.
Shaggy
butt3rflyh4ck
Jan 20, 2021, 2:57:47āÆPM1/20/21
to Dave Kleikamp, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkaller-bugs
This was assigned CVE-2020-27815 via redhat.
Regards.
butt3rflyh4ck.
Regards.
butt3rflyh4ck.
Reply all
Reply to author
Forward
0 new messages