Re: UBSAN: array-index-out-of-bounds in dbAdjTree
From: butt3rflyh4ck
Date: Sat Nov 14 2020 - 08:56:15 EST
Yes, I have tested the patch; it seems to fix the problem.
Regards,
butt3rflyh4ck.
On Sat, Nov 14, 2020 at 5:16 AM Dave Kleikamp <dave.kleikamp@xxxxxxxxxx> wrote:
>
> On 10/8/20 12:00 PM, butt3rflyh4ck wrote:
> > I report an array-index-out-of-bounds bug (in linux-5.9.0-rc6) found by
> > kernel fuzzing.
> >
> > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.9.0-rc6-config
> >
> > and can reproduce.
> >
> > the dmtree_t is:
> > typedef union dmtree {
> >     struct dmaptree t1;
> >     struct dmapctl t2;
> > } dmtree_t;
> >
> > the dmaptree is:
> > struct dmaptree {
> >     __le32 nleafs;      /* 4: number of tree leafs */
> >     __le32 l2nleafs;    /* 4: l2 number of tree leafs */
> >     __le32 leafidx;     /* 4: index of first tree leaf */
> >     __le32 height;      /* 4: height of the tree */
> >     s8 budmin;          /* 1: min l2 tree leaf value to combine */
> >     s8 stree[TREESIZE]; /* TREESIZE: tree */
> >     u8 pad[2];          /* 2: pad to word boundary */
> > };
> > the TREESIZE is totally 341, but the leafidx type is __le32.
>
> Does this patch fix the problem?
>
> jfs: Fix array index bounds check in dbAdjTree
>
> Bounds checking tools can flag a bug in dbAdjTree() for an array index
> out of bounds in dmt_stree. Since dmt_stree can refer to the stree in
> both structures dmaptree and dmapctl, use the larger array to eliminate
> the false positive.
>
> Signed-off-by: Dave Kleikamp <dave.kleikamp@xxxxxxxxxx>
> ---
> fs/jfs/jfs_dmap.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
> index 29891fad3f09..aa03a904d5ab 100644
> --- a/fs/jfs/jfs_dmap.h
> +++ b/fs/jfs/jfs_dmap.h
> @@ -183,7 +183,7 @@ typedef union dmtree {
> #define dmt_leafidx t1.leafidx
> #define dmt_height t1.height
> #define dmt_budmin t1.budmin
> -#define dmt_stree t1.stree
> +#define dmt_stree t2.stree
>
> /*
> * on-disk aggregate disk allocation map descriptor.
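Review bot: the line "+#define dmt_stree t2.stree" makes dmt_stree read through the dmapctl member while dmt_leafidx, dmt_height and dmt_budmin in the same hunk still read through dmaptree, so the fix silently assumes stree sits at the same offset in both union members; a one-line comment above the define stating that assumption, plus a compile-time check along the lines of BUILD_BUG_ON(offsetof(struct dmaptree, stree) != offsetof(struct dmapctl, stree)) in the code that uses the union, would keep a future layout change from turning the checker's silence into a real overrun. The commit message would also benefit from naming the size of the larger array, so a reviewer can confirm that the index the checker flagged actually fits within dmapctl's stree rather than merely being moved out of the checker's view.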
> --
> 2.29.2
>
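As an added example that is not part of this thread or of JFS itself, the following C program models the union-member aliasing the patch relies on: the same bytes are reachable through either member, but a bounds checker applies the declared size of whichever member the accessor macro names. The struct and macro names (small_tree, large_tree, tree_stree_old, tree_stree_new) and the array sizes 8 and 16 are constructed for illustration and are not the kernel's values; the _Static_assert on the stree offset expresses in userspace what a BUILD_BUG_ON would express in kernel code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sizes for illustration only; they are not JFS's real
 * TREESIZE or the size of dmapctl's stree. */
#define SMALL_TREESIZE 8
#define LARGE_TREESIZE 16

/* Stand-in for struct dmaptree: the union member with the smaller stree. */
struct small_tree {
	uint32_t nleafs;
	uint32_t l2nleafs;
	uint32_t leafidx;
	uint32_t height;
	int8_t   budmin;
	int8_t   stree[SMALL_TREESIZE];
};

/* Stand-in for struct dmapctl: same header fields, larger stree. */
struct large_tree {
	uint32_t nleafs;
	uint32_t l2nleafs;
	uint32_t leafidx;
	uint32_t height;
	int8_t   budmin;
	int8_t   stree[LARGE_TREESIZE];
};

typedef union tree {
	struct small_tree t1;
	struct large_tree t2;
} tree_t;

/* Reading stree through one member while the other fields come from the
 * other member is only sound if stree starts at the same offset in both.
 * Fail at compile time if a layout change ever breaks that assumption. */
_Static_assert(offsetof(struct small_tree, stree) ==
	       offsetof(struct large_tree, stree),
	       "stree must sit at the same offset in both union members");

/* Pre-patch style accessor: a bounds checker sees an array of SMALL_TREESIZE. */
#define tree_stree_old t1.stree
/* Post-patch style accessor: the same bytes, declared with the larger bound. */
#define tree_stree_new t2.stree

/* Array bound a sanitizer would enforce for each accessor (sizeof does not
 * evaluate its operand, so the null pointer is never dereferenced). */
size_t stree_bound_old(void) { return sizeof(((tree_t *)0)->tree_stree_old); }
size_t stree_bound_new(void) { return sizeof(((tree_t *)0)->tree_stree_new); }

/* Store a leaf through the post-patch accessor with an explicit range check;
 * returns 0 on success, -1 if idx is outside even the larger array. */
int set_leaf(tree_t *tp, size_t idx, int8_t val)
{
	if (idx >= stree_bound_new())
		return -1;
	tp->tree_stree_new[idx] = val;
	return 0;
}

/* Read back through the small member. Only indices below SMALL_TREESIZE are
 * in range for this view, which is exactly what a bounds checker enforces;
 * returns 0 and fills *out on success, -1 if idx exceeds the small bound. */
int get_leaf_via_small(const tree_t *tp, size_t idx, int8_t *out)
{
	if (idx >= stree_bound_old())
		return -1;
	*out = tp->tree_stree_old[idx];
	return 0;
}

int main(void)
{
	tree_t t = {0};
	int8_t v = 0;

	printf("bound via t1.stree: %zu, via t2.stree: %zu\n",
	       stree_bound_old(), stree_bound_new());
	set_leaf(&t, 3, 7);   /* in range for both views */
	set_leaf(&t, 12, 9);  /* in range only for the larger view */
	if (get_leaf_via_small(&t, 3, &v) == 0)
		printf("t1.stree[3] = %d (same storage as t2.stree[3])\n", v);
	if (get_leaf_via_small(&t, 12, &v) == -1)
		printf("index 12 rejected through t1.stree (bound %zu)\n",
		       stree_bound_old());
	return 0;
}
```

Build with -fsanitize=bounds (gcc or clang) and change set_leaf to write through tree_stree_old to see the same class of report the thread discusses; the _Static_assert is the check that makes the larger-member redirection safe to rely on.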