Subject: Re: UBSAN: array-index-out-of-bounds in dbAdjTree
To: butt3rflyh4ck
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzkaller-bugs
References: <298485e2-01de-048d-5515-44ac254167e4@oracle.com>
From: Dave Kleikamp
Message-ID: <225bea89-73ed-5227-3ca1-d74fc86e986f@oracle.com>
Date: Fri, 20 Nov 2020 08:59:29 -0600
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/20/20 3:52 AM, butt3rflyh4ck wrote:
> You are welcome, and have you submitted the patch to linux upstream?
> If you have no time to do that, I can do it.

Yes, it's in linux-next now. I'll push it to upstream in the v5.11 window.

Shaggy

>
> Regards,
> butt3rflyh4ck.
>
> On Sun, Nov 15, 2020 at 12:17 AM Dave Kleikamp wrote:
>>
>> Thanks for reporting and testing this!
>>
>> Shaggy
>>
>> On 11/14/20 7:55 AM, butt3rflyh4ck wrote:
>>> Yes, I have tested the patch, it seems to fix the problem.
>>>
>>> Regards,
>>> butt3rflyh4ck.
>>>
>>> On Sat, Nov 14, 2020 at 5:16 AM Dave Kleikamp wrote:
>>>>
>>>> On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
>>>>> I report an array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
>>>>> kernel fuzz.
>>>>>
>>>>> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
>>>>>
>>>>> and can reproduce.
>>>>>
>>>>> the dmtree_t is that
>>>>> typedef union dmtree {
>>>>>         struct dmaptree t1;
>>>>>         struct dmapctl t2;
>>>>> } dmtree_t;
>>>>>
>>>>> the dmaptree is that
>>>>> struct dmaptree {
>>>>>         __le32 nleafs;          /* 4: number of tree leafs */
>>>>>         __le32 l2nleafs;        /* 4: l2 number of tree leafs */
>>>>>         __le32 leafidx;         /* 4: index of first tree leaf */
>>>>>         __le32 height;          /* 4: height of the tree */
>>>>>         s8 budmin;              /* 1: min l2 tree leaf value to combine */
>>>>>         s8 stree[TREESIZE];     /* TREESIZE: tree */
>>>>>         u8 pad[2];              /* 2: pad to word boundary */
>>>>> };
>>>>> the TREESIZE is totally 341, but the leafidx type is __le32.
>>>>
>>>> Does this patch fix the problem?
>>>> >>>> jfs: Fix array index bounds check in dbAdjTree >>>> >>>> Bounds checking tools can flag a bug in dbAdjTree() for an array index >>>> out of bounds in dmt_stree. Since dmt_stree can refer to the stree in >>>> both structures dmaptree and dmapctl, use the larger array to eliminate >>>> the false positive. >>>> >>>> Signed-off-by: Dave Kleikamp >>>> --- >>>> fs/jfs/jfs_dmap.h | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h >>>> index 29891fad3f09..aa03a904d5ab 100644 >>>> --- a/fs/jfs/jfs_dmap.h >>>> +++ b/fs/jfs/jfs_dmap.h >>>> @@ -183,7 +183,7 @@ typedef union dmtree { >>>> #define dmt_leafidx t1.leafidx >>>> #define dmt_height t1.height >>>> #define dmt_budmin t1.budmin >>>> -#define dmt_stree t1.stree >>>> +#define dmt_stree t2.stree >>>> >>>> /* >>>> * on-disk aggregate disk allocation map descriptor. >>>> -- >>>> 2.29.2 >>>>
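Review bot: the one-line switch from t1.stree to t2.stree relies on stree sitting at the same offset in struct dmaptree and struct dmapctl, which the description asserts ("use the larger array") but nothing in the hunk enforces; a BUILD_BUG_ON(offsetof(struct dmaptree, stree) != offsetof(struct dmapctl, stree)) next to the define, or at least a comment on the `+#define dmt_stree t2.stree` line saying why t2 is chosen, would keep a later layout change from silently breaking the alias. The description should also say why this is safe rather than only that it quiets the tool: checking against the larger bound removes the false positive, but it also means the checker no longer flags an index beyond TREESIZE when the union actually holds a dmaptree, so state why dbAdjTree's index is known to stay within the tree that is actually present.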
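As an added example (not the kernel's code and not from the thread), the following C models the dmtree_t union quoted above, with TREESIZE = 341 from the report and an assumed CTLTREESIZE for the larger struct dmapctl tree that the thread does not show, to make visible why an index through t1.stree is flagged while the same byte reached through t2.stree is not.

```c
/* Added example modelling the jfs dmtree_t union from the thread.
 * TREESIZE comes from the bug report; CTLTREESIZE is an ASSUMED size for the
 * larger stree in struct dmapctl (the thread does not quote that struct). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TREESIZE    341    /* from the bug report */
#define CTLTREESIZE 1365   /* assumption: larger tree in struct dmapctl */

struct dmaptree {                  /* layout as quoted in the thread */
    uint32_t nleafs, l2nleafs, leafidx, height;
    int8_t   budmin;
    int8_t   stree[TREESIZE];
    uint8_t  pad[2];
};

struct dmapctl {                   /* assumed: same header, larger tree */
    uint32_t nleafs, l2nleafs, leafidx, height;
    int8_t   budmin;
    int8_t   stree[CTLTREESIZE];
    int8_t   pad[2];
};

typedef union dmtree { struct dmaptree t1; struct dmapctl t2; } dmtree_t;

/* Both union members put stree at the same offset, so either alias reaches
 * the same bytes; only the static array bound a checker applies differs. */
int stree_offsets_match(void) {
    return offsetof(struct dmaptree, stree) == offsetof(struct dmapctl, stree);
}

/* Bound a checker such as UBSAN applies to an index through each alias. */
int index_in_bounds_t1(int idx) { return idx >= 0 && idx < TREESIZE; }
int index_in_bounds_t2(int idx) { return idx >= 0 && idx < CTLTREESIZE; }

/* 1 when the old alias (t1.stree) is flagged for idx but the new alias
 * (t2.stree) is not: the false positive the patch removes. */
int is_false_positive(int idx) {
    return !index_in_bounds_t1(idx) && index_in_bounds_t2(idx);
}

/* Write through the new alias, then read the same byte via the old member's
 * offset from a byte view of the union: storage is shared, behaviour unchanged. */
int aliases_share_storage(int idx, int8_t val) {
    dmtree_t u = {0};
    u.t2.stree[idx] = val;
    const int8_t *raw = (const int8_t *)&u;
    return raw[offsetof(struct dmaptree, stree) + idx] == val;
}

int main(void) {
    printf("offsets match: %d, idx 341 false positive: %d\n",
           stree_offsets_match(), is_false_positive(TREESIZE));
    return 0;
}
```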