2024-05-14 16:22:04

by syzbot

[permalink] [raw]
Subject: [syzbot] [ntfs3?] UBSAN: array-index-out-of-bounds in decompress_lznt

Hello,

syzbot found the following issue on:

HEAD commit: f4345f05c0df Merge tag 'block-6.9-20240510' of git://git.k..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15035598980000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7ea7de0cb32587
dashboard link: https://syzkaller.appspot.com/bug?extid=39b2fb0f2638669008ec
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16375db8980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16ef17a8980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eab3aead3b47/disk-f4345f05.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/64d327c02024/vmlinux-f4345f05.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0191e269a6fd/bzImage-f4345f05.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/293e623536d7/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/165c0c1a16ff/mount_1.gz

The issue was bisected to:

commit d68968440b1a75dee05cfac7f368f1aa139e1911
Author: Konstantin Komarov <[email protected]>
Date: Mon Jan 29 07:30:09 2024 +0000

fs/ntfs3: Update inode->i_size after success write into compressed file

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13472020980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10c72020980000
console output: https://syzkaller.appspot.com/x/log.txt?x=17472020980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
Fixes: d68968440b1a ("fs/ntfs3: Update inode->i_size after success write into compressed file")

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/ntfs3/lznt.c:240:16
index 9 is out of range for type 'const size_t[9]' (aka 'const unsigned long[9]')
CPU: 1 PID: 5072 Comm: syz-executor335 Not tainted 6.9.0-rc7-syzkaller-00136-gf4345f05c0df #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
decompress_chunk fs/ntfs3/lznt.c:240 [inline]
decompress_lznt+0x229/0xd50 fs/ntfs3/lznt.c:387
ni_read_frame+0x1633/0x1c50 fs/ntfs3/frecord.c:2684
ni_readpage_cmpr+0x38b/0xa60 fs/ntfs3/frecord.c:2143
ntfs_read_folio+0x19e/0x210 fs/ntfs3/inode.c:725
filemap_read_folio+0x1a0/0x790 mm/filemap.c:2331
filemap_update_page mm/filemap.c:2415 [inline]
filemap_get_pages+0x15a9/0x2090 mm/filemap.c:2529
filemap_read+0x457/0xfa0 mm/filemap.c:2601
__kernel_read+0x5c8/0xab0 fs/read_write.c:434
integrity_kernel_read+0xb0/0x100 security/integrity/iint.c:28
ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:485 [inline]
ima_calc_file_shash security/integrity/ima/ima_crypto.c:516 [inline]
ima_calc_file_hash+0xadb/0x1b30 security/integrity/ima/ima_crypto.c:573
ima_collect_measurement+0x535/0xa90 security/integrity/ima/ima_api.c:291
process_measurement+0x13ac/0x1f60 security/integrity/ima/ima_main.c:359
ima_file_check+0xf2/0x170 security/integrity/ima/ima_main.c:559
security_file_post_open+0x6d/0xa0 security/security.c:2981
do_open fs/namei.c:3644 [inline]
path_openat+0x28b7/0x3240 fs/namei.c:3799
do_filp_open+0x235/0x490 fs/namei.c:3826
do_sys_openat2+0x13e/0x1d0 fs/open.c:1406
do_sys_open fs/open.c:1421 [inline]
__do_sys_open fs/open.c:1429 [inline]
__se_sys_open fs/open.c:1425 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1425
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbd0c2059b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa3c72cd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fffa3c72ea8 RCX: 00007fbd0c2059b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000180
RBP: 00007fbd0c298610 R08: 00007fffa3c72ea8 R09: 00007fffa3c72ea8
R10: 00007fffa3c72ea8 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fffa3c72e98 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


2024-05-15 12:40:43

by Andrew Ballance

[permalink] [raw]
Subject: [PATCH] ntfs3: check if more than chunk-size bytes are written

#syz test

a incorrectly formatted chunk may decompress into
more than LZNT_CHUNK_SIZE bytes and a index out of bounds
will occur in s_max_off.

Signed-off-by: Andrew Ballance <[email protected]>
---
fs/ntfs3/lznt.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index 4aae598d6d88..fdc9b2ebf341 100644
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,

/* Do decompression until pointers are inside range. */
while (up < unc_end && cmpr < cmpr_end) {
+ // return err if more than LZNT_CHUNK_SIZE bytes are written
+ if (up - unc > LZNT_CHUNK_SIZE)
+ return -EINVAL;
/* Correct index */
while (unc + s_max_off[index] < up)
index += 1;
--
2.45.0


2024-05-15 12:59:10

by syzbot

[permalink] [raw]
Subject: Re: [syzbot] [ntfs3?] UBSAN: array-index-out-of-bounds in decompress_lznt

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: [email protected]

Tested on:

commit: 1b294a1f Merge tag 'net-next-6.10' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15998648980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0cd0c5dbf8ea592
dashboard link: https://syzkaller.appspot.com/bug?extid=39b2fb0f2638669008ec
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=115b78f0980000

Note: testing is done by a robot and is best-effort only.