Re: Question about KUBSAN


Dmitry Vyukov

Sep 29, 2022, 4:47:31 AM
to Dongliang Mu, syzkaller, syzbot+79d792...@syzkaller.appspotmail.com
+syzkaller mailing list for more humans

On Thu, 29 Sept 2022 at 03:31, Dongliang Mu <mudongl...@gmail.com> wrote:
>
> Hi Dmitry,
>
> When I checked the crash reports [1] and [2], both reports should be
> manifested by the same bug - the missing check of bmp->db_agl2size.
> However, in the 2nd report, agno is computed by shifting db_agl2size.
> KUBSAN misses the shift-out-of-bounds at BLKTOAG, and triggers
> index-out-of-bounds at db_active[agno]. Any idea here?
>
> #define BLKTOAG(b,sbi) ((b) >> ((sbi)->bmap->db_agl2size))
>
> /* get the ag number of this iag */
> agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
>
> if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {
>
>
> [1] UBSAN: shift-out-of-bounds in dbAllocAG
> https://syzkaller.appspot.com/bug?id=b476816c6906bbdea0d14cbaf2848a905604ffc6
> [2] UBSAN: array-index-out-of-bounds in diAlloc
> https://syzkaller.appspot.com/bug?id=c786a9e39a6743303841a335f4a0b008ab97e8ea
> [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/jfs/jfs_imap.c?id=a1375562c0a87f0fa2eaf3e8ce15824696d4170a#n1359
>
>
>
>
> --
> My best regards to you.
>
> No System Is Safe!
> Dongliang Mu

Dmitry Vyukov

Sep 29, 2022, 5:06:56 AM
to Dongliang Mu, syzkaller, syzbot+79d792...@syzkaller.appspotmail.com
Hi Dongliang,

You mean that it's possible to get agno value that leads to an
out-of-bounds access only if there was an out-of-bounds shift before?
Can you give more details? It looks strange because out-of-bounds
shifts generally produce the same values that are possible to get with
correct shifts.
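The following is an added example, not code from the thread, the kernel's jfs sources, or a proposed patch. It models BLKTOAG with constructed types (the `bmap_model` struct and the assumed array size `MAXAG_MODEL` are not the kernel's definitions) and shows the two separate conditions UBSAN is reporting: a shift count outside the width of the block number (shift-out-of-bounds) and an `agno` past the end of `db_active` (array-index-out-of-bounds). The last case illustrates Dmitry's point that the index can go out of range with a perfectly valid shift count, so a check on the computed `agno` is needed independently of a check on `db_agl2size`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the quantities discussed in the thread. These are constructed
 * for the example and are not the kernel's jfs structures: MAXAG_MODEL is an
 * assumed size for the per-AG counter array, and db_agl2size plays the role of
 * the on-disk log2 allocation-group size that the thread says is unchecked. */
#define MAXAG_MODEL 128

struct bmap_model {
    int db_agl2size;             /* log2(blocks per allocation group), from disk */
    int db_active[MAXAG_MODEL];  /* per-AG active counters, indexed by agno */
};

enum agno_status { AGNO_OK = 0, AGNO_BAD_SHIFT = 1, AGNO_OUT_OF_RANGE = 2 };

/* Checked replacement for BLKTOAG(b, sbi): the shift count must lie in
 * [0, 63] for a 64-bit block number (anything else is undefined in C and is
 * what UBSAN reports as shift-out-of-bounds), and the resulting agno must
 * index inside db_active (what UBSAN reports as array-index-out-of-bounds). */
enum agno_status blk_to_ag_checked(uint64_t agstart,
                                   const struct bmap_model *bmp,
                                   size_t *agno_out)
{
    if (bmp->db_agl2size < 0 || bmp->db_agl2size >= 64)
        return AGNO_BAD_SHIFT;

    uint64_t agno = agstart >> bmp->db_agl2size;
    if (agno >= MAXAG_MODEL)
        return AGNO_OUT_OF_RANGE;

    *agno_out = (size_t)agno;
    return AGNO_OK;
}

/* Convenience wrapper: build a model with the given agl2size and classify. */
enum agno_status classify(uint64_t agstart, int agl2size)
{
    struct bmap_model bmp = { .db_agl2size = agl2size };
    size_t agno;
    return blk_to_ag_checked(agstart, &bmp, &agno);
}

/* Reads db_active[agno] only after both checks pass; returns -1 on rejection. */
int active_count_checked(uint64_t agstart, const struct bmap_model *bmp)
{
    size_t agno;
    if (blk_to_ag_checked(agstart, bmp, &agno) != AGNO_OK)
        return -1;
    return bmp->db_active[agno];
}

int main(void)
{
    struct bmap_model bmp = { .db_agl2size = 10 };
    bmp.db_active[5] = 3;

    /* Well-formed: block 5 * 2^10 lands in AG 5, whose counter is 3. */
    printf("agl2size=10 agstart=5120 -> active %d\n",
           active_count_checked(5120, &bmp));

    /* Out-of-bounds shift count: rejected before any shift happens. */
    printf("agl2size=70 -> status %d\n", classify(5120, 70));

    /* Dmitry's point: a valid shift count (here 0) with a large agstart also
     * yields an agno past the end of db_active, so the index check is needed
     * whether or not the shift count was sane. */
    printf("agl2size=0 agstart=200 -> status %d\n", classify(200, 0));
    return 0;
}
```

The two status values map directly onto the two syzbot reports in the thread: `AGNO_BAD_SHIFT` corresponds to the shift-out-of-bounds in dbAllocAG, and `AGNO_OUT_OF_RANGE` to the array-index-out-of-bounds in diAlloc, which is reachable with a valid `db_agl2size` as well.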