Re: UBSAN: array-index-out-of-bounds in dbAdjTree

From: Dave Kleikamp
Date: Fri Nov 20 2020 - 10:01:47 EST


On 11/20/20 3:52 AM, butt3rflyh4ck wrote:
> You are welcome and have you submitted the patch to linux upstream ?
> If you have no time do that and I can do it.

Yes, it's in linux-next now. I'll push it to upstream in the v5.11 window.

Shaggy

>
> Regards,
> butt3rflyh4ck.
>
> On Sun, Nov 15, 2020 at 12:17 AM Dave Kleikamp <dave.kleikamp@xxxxxxxxxx> wrote:
>>
>> Thanks for reporting and testing this!
>>
>> Shaggy
>>
>> On 11/14/20 7:55 AM, butt3rflyh4ck wrote:
>>> Yes, I have tested the patch, it seems to fix the problem.
>>>
>>> Regards,
>>> butt3rflyh4ck.
>>>
>>> On Sat, Nov 14, 2020 at 5:16 AM Dave Kleikamp <dave.kleikamp@xxxxxxxxxx> wrote:
>>>>
>>>> On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
>>>>> I report an array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
>>>>> kernel fuzzing.
>>>>>
>>>>> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
>>>>>
>>>>> and I can reproduce it.
>>>>>
>>>>> the dmtree_t is that
>>>>> typedef union dmtree {
>>>>>     struct dmaptree t1;
>>>>>     struct dmapctl t2;
>>>>> } dmtree_t;
>>>>>
>>>>> the dmaptree is that
>>>>> struct dmaptree {
>>>>>     __le32 nleafs;       /* 4: number of tree leafs */
>>>>>     __le32 l2nleafs;     /* 4: l2 number of tree leafs */
>>>>>     __le32 leafidx;      /* 4: index of first tree leaf */
>>>>>     __le32 height;       /* 4: height of the tree */
>>>>>     s8 budmin;           /* 1: min l2 tree leaf value to combine */
>>>>>     s8 stree[TREESIZE];  /* TREESIZE: tree */
>>>>>     u8 pad[2];           /* 2: pad to word boundary */
>>>>> };
>>>>> the TREESIZE is totally 341, but the leafidx type is __le32.
>>>>
>>>> Does this patch fix the problem?
>>>>
>>>> jfs: Fix array index bounds check in dbAdjTree
>>>>
>>>> Bounds checking tools can flag a bug in dbAdjTree() for an array index
>>>> out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
>>>> both structures dmaptree and dmapctl, use the larger array to eliminate
>>>> the false positive.
>>>>
>>>> Signed-off-by: Dave Kleikamp <dave.kleikamp@xxxxxxxxxx>
>>>> ---
>>>> fs/jfs/jfs_dmap.h | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
>>>> index 29891fad3f09..aa03a904d5ab 100644
>>>> --- a/fs/jfs/jfs_dmap.h
>>>> +++ b/fs/jfs/jfs_dmap.h
>>>> @@ -183,7 +183,7 @@ typedef union dmtree {
>>>> #define dmt_leafidx t1.leafidx
>>>> #define dmt_height t1.height
>>>> #define dmt_budmin t1.budmin
>>>> -#define dmt_stree t1.stree
>>>> +#define dmt_stree t2.stree
>>>>
>>>> /*
>>>> * on-disk aggregate disk allocation map descriptor.
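Review bot: dmt_stree now reads through t2 while the three defines above it (dmt_leafidx, dmt_height, dmt_budmin) still read through t1, so the macro set quietly depends on t1.stree and t2.stree sitting at the same offset inside union dmtree, and nothing in the hunk documents or enforces that. Suggest pinning it next to the define, e.g. a comment or a BUILD_BUG_ON(offsetof(struct dmaptree, stree) != offsetof(struct dmapctl, stree)). The commit message could also note that once the declared bound is the larger array, a bounds checker can no longer flag an overrun of a dmaptree object's smaller stree, so the index logic in dbAdjTree itself becomes the only guard.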
>>>> --
>>>> 2.29.2
>>>>
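An added illustration of the point behind the patch, not code from this thread or from the JFS tree: a simplified stand-in for union dmtree with the post-fix dmt_stree macro, a compile-time check that the two stree members alias, and a runtime bound derived from nleafs. Once the macro is declared with the larger array, a bounds sanitizer no longer sees an overrun of the smaller dmaptree tree, so the runtime check is what remains. The dmapctl layout and CTLTREESIZE are assumptions modelled on the dmaptree shown above.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins, not the kernel's headers. Both trees are 4-ary: each
 * level holds a quarter of the nodes below it, so 256 leaves need 341 slots. */
#define TREESIZE    (256 + 64 + 16 + 4 + 1)         /* 341, as in the report */
#define CTLTREESIZE (1024 + 256 + 64 + 16 + 4 + 1)  /* 1365, assumed for dmapctl */

struct dmaptree {
    uint32_t nleafs, l2nleafs, leafidx, height;
    int8_t   budmin;
    int8_t   stree[TREESIZE];
    uint8_t  pad[2];
};
struct dmapctl {                 /* same header, larger tree (assumed) */
    uint32_t nleafs, l2nleafs, leafidx, height;
    int8_t   budmin;
    int8_t   stree[CTLTREESIZE];
    uint8_t  pad[2];
};
typedef union dmtree {
    struct dmaptree t1;
    struct dmapctl  t2;
} dmtree_t;

/* The fix reads stree through t2; that only yields the right bytes for a
 * dmaptree object if both strees start at the same offset. Pin that down. */
_Static_assert(offsetof(struct dmaptree, stree) == offsetof(struct dmapctl, stree),
               "t1.stree and t2.stree must alias inside union dmtree");

#define dmt_nleafs t1.nleafs
#define dmt_stree  t2.stree      /* post-fix macro: declared bound is CTLTREESIZE */

/* Slots really backed by the object behind tp, summed level by level from its
 * leaf count (256 -> 341, 1024 -> 1365). A sanitizer only knows CTLTREESIZE,
 * so for a dmaptree object indices 341..1364 are now silent; this is the guard. */
size_t dmt_stree_len(const dmtree_t *tp)
{
    size_t n = tp->dmt_nleafs, len = 0;
    for (; n; n >>= 2)
        len += n;
    return len;
}

/* Read stree[idx] through the fixed macro: 0 on success, -1 if idx lies
 * outside the tree the object actually holds. */
int dmt_read_leaf(const dmtree_t *tp, size_t idx, int8_t *out)
{
    if (idx >= dmt_stree_len(tp))
        return -1;
    *out = tp->dmt_stree[idx];
    return 0;
}
```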