Dear developers and maintainers,
We encountered an array-index-out-of-bounds bug while using our
modified Syzkaller. It is tested against the latest upstream linux
(6.9-rc3, commit e8c39d0f57f358950356a8e44ee5159f57f86ec5). Kernel
config and C repro are attached to this email. The UBSAN report is
listed below.
```
================================================================================
UBSAN: array-index-out-of-bounds in
/home/sy/linux-original/fs/jfs/jfs_imap.c:886:2
index 33554432 is out of range for type 'mutex [128]'
CPU: 0 PID: 116 Comm: jfsCommit Not tainted 6.7.0-rc7 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
diFree+0x2158/0x26e0 fs/jfs/jfs_imap.c:886
jfs_evict_inode+0x3d4/0x4b0 fs/jfs/inode.c:156
evict+0x2ed/0x6b0 fs/inode.c:666
iput_final fs/inode.c:1777 [inline]
iput.part.0+0x511/0x720 fs/inode.c:1803
iput+0x5c/0x80 fs/inode.c:1793
txUpdateMap+0xaae/0xcd0 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x5d4/0xb10 fs/jfs/jfs_txnmgr.c:2732
kthread+0x2cc/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 0 PID: 116 Comm: jfsCommit Not tainted 6.7.0-rc7 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
panic+0x6b9/0x760 kernel/panic.c:344
check_panic_on_warn+0xb1/0xc0 kernel/panic.c:237
ubsan_epilogue lib/ubsan.c:223 [inline]
__ubsan_handle_out_of_bounds+0xfd/0x130 lib/ubsan.c:348
diFree+0x2158/0x26e0 fs/jfs/jfs_imap.c:886
jfs_evict_inode+0x3d4/0x4b0 fs/jfs/inode.c:156
evict+0x2ed/0x6b0 fs/inode.c:666
iput_final fs/inode.c:1777 [inline]
iput.part.0+0x511/0x720 fs/inode.c:1803
iput+0x5c/0x80 fs/inode.c:1793
txUpdateMap+0xaae/0xcd0 fs/jfs/jfs_txnmgr.c:2367
txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
jfs_lazycommit+0x5d4/0xb10 fs/jfs/jfs_txnmgr.c:2732
kthread+0x2cc/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
```
If you have any questions, please contact us.
Reported by: Yue Sun <[email protected]>
Reported by: xingwei lee <[email protected]>
Best Regards,
Yue
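The report above only tells us that an index of 33554432 was used against a 128-entry mutex array in diFree(); the mechanism that produced the index is not described. The usual defensive pattern for this class of UBSAN finding is to validate any index derived from on-disk metadata against the array bound before it is used, and to treat an out-of-range value as filesystem corruption rather than a valid lock slot. The following user-space C program, an added illustration rather than code from the reporters or from the kernel's JFS implementation, models that pattern; the assumption that the index is an allocation-group number (`agno`) read from metadata, the `MAXAG` constant, and the helper names `validate_ag_index` and `lock_ag_slot` are all hypothetical:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not JFS code: a fixed table of 128 lock slots,
 * mirroring the 'mutex [128]' type named in the UBSAN report. */
#define MAXAG 128

struct ag_table {
    int lock_state[MAXAG];   /* stand-in for a real array of mutexes */
};

/* Validate an index that came from on-disk metadata before it is used
 * to index the fixed-size table. Returns 0 when the index is usable and
 * -EIO (the convention the kernel uses for corrupt filesystem metadata)
 * otherwise. Hypothetical helper; a real fix would live in the caller. */
int validate_ag_index(uint64_t agno)
{
    if (agno >= MAXAG)
        return -EIO;
    return 0;
}

/* Touch the slot only after validation. Returns 0 on success, or -EIO
 * when the index would have run past the end of the table. */
int lock_ag_slot(struct ag_table *t, uint64_t agno)
{
    int rc = validate_ag_index(agno);

    if (rc)
        return rc;       /* corrupt metadata: refuse instead of indexing OOB */
    t->lock_state[agno] = 1;
    return 0;
}

int main(void)
{
    struct ag_table t = {0};

    /* The index from the report must be rejected; a sane one accepted. */
    printf("agno 5        -> %d\n", lock_ag_slot(&t, 5));
    printf("agno 33554432 -> %d\n", lock_ag_slot(&t, 33554432ULL));
    return 0;
}
```

The point of the check is that UBSAN only catches the out-of-bounds access when the instrumented kernel happens to reach it; an explicit range check turns the same corrupt value into a clean error return (and, in a real filesystem driver, a candidate for marking the filesystem read-only) on every kernel configuration.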