Re: Bug: slab-out-of-bounds Write in __bh_read

[Andrew Price]

On 13/01/2025 15:54, Kun Hu wrote:
> > 32generated_program.c memory maps the filesystem image, mounts it, and
> > then modifies it through the memory map. It's those modifications that
> > cause gfs2 to crash, so the test case is invalid.
> >
> > Is disabling CONFIG_BLK_DEV_WRITE_MOUNTED supposed to prevent that? If
> > so, then it doesn't seem to be working.
> >
> > Thanks,
> > Andreas
>
>
> >   We have reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled to obtain the same crash log. The new crash log, along with C and Syzlang reproducers are provided below:
>
> > Crash log: https://drive.google.com/file/d/1FiCgo05oPheAt4sDQzRYTQwl0-CY6rvi/view?usp=sharing
> > C reproducer: https://drive.google.com/file/d/1TTR9cquaJcMYER6vtYUGh3gOn_mROME4/view?usp=sharing
> > Syzlang reproducer: https://drive.google.com/file/d/1R9QDUP2r7MI4kYMiT_yn-tzm6NqmcEW-/view?usp=sharing
>
> Hi Andreas,
>
> As per Jan's suggestion, we’ve successfully reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled. Should you require us to test this issue again, we are happy to do so.
FWIW the reproducer boils down to

  #include <fcntl.h>
  #include <unistd.h>
  #include <sys/ioctl.h>
  #include <linux/fs.h>

  /*
     mkfs.gfs2 -b 2048 -p lock_nolock $DEV
     mount $DEV $MNT
     cd $MNT
     /path/to/this_test
   */
  int main(void)
  {
          unsigned flag = FS_JOURNAL_DATA_FL;
          char buf[4102] = {0};
          int fd;

          /* Error checking omitted for clarity */
          fd = open("f", O_CREAT|O_RDWR);
          write(fd, buf, sizeof(buf));
          ioctl(fd, FS_IOC_SETFLAGS, &flag);
          write(fd, buf, sizeof(buf)); /* boom */
          close(fd);
          return 0;
  }

So it's switching the file to journaled data mode between two writes.

The size of the writes seems to be relevant and the fs needs to be 
created with a 2K block size (I'm guessing it could reproduce with other 
combinations).

Andy