Re: [syzbot] ocfs2: shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

0 views

Skip to first unread message

driz2t

unread,

4:58 AM (7 hours ago) 4:58 AM

to syzbot+f3fff775402751ebb471, syzkaller-bugs

c6104ecfe56e0fd6b616.patch

driz2t

unread,

4:58 AM (7 hours ago) 4:58 AM

to syzbot+f3fff775402751ebb471, syzkaller-bugs

Hi,

Please test this patch on stable 5.15.y.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git 3330a8d33e086f76608bb4e80a3dc569d04a8814

From ae310006fc6e06c233b8d6780b2a2c6a16d6d708 Mon Sep 17 00:00:00 2001
From: Changjian Liu <dri...@qq.com>
Date: Mon, 23 Mar 2026 11:39:19 +0800
Subject: [PATCH] ocfs2: fix shift-out-of-bounds UBSAN bug in
 ocfs2_verify_volume()

This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function, identified by UBSAN. The bug was
triggered by an invalid s_clustersize_bits value (e.g., 1548), which
caused the expression

  1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)

to exceed the limits of a 32-bit integer, leading to an out-of-bounds
shift.

Instead of shifting by an invalid bit count while reporting the error,
log the raw s_clustersize_bits value directly.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]

Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff7...@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff7...@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <jose...@linux.alibaba.com>
Signed-off-by: Changjian Liu <dri...@qq.com>
---
 fs/ocfs2/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
 			     (unsigned long long)bh->b_blocknr);
 		} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
 			    le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-			mlog(ML_ERROR, "bad cluster size found: %u\n",
-			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+			mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+			     le32_to_cpu(di->id2.i_super.s_clustersize_bits));
 		} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
 			mlog(ML_ERROR, "bad root_blkno: 0\n");
 		} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
--
2.43.0

Thanks,
Changjian Liu

Reply all

Reply to author

Forward

0 new messages