UBSAN: array-index-out-of-bounds in f2fs_iget

From: Sanan Hasanov
Date: Thu Feb 16 2023 - 16:45:01 EST


Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.2.0-rc7-next-20230206
Kernel config: https://drive.google.com/file/d/16AAzfA1DqiaTS8ohH7X80kud8QTCKBB6/view?usp=share_link
C Reproducer: https://drive.google.com/file/d/1mWS9BHAKuQcf9R1BiMX17-h9GQ9OI_v9/view?usp=share_link

Thank you!

Best regards,
Sanan Hasanov

================================================================================
UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3272:29
index 1409 is out of range for type '__le32 [923]'
CPU: 6 PID: 27613 Comm: syz-executor.5 Not tainted 6.2.0-rc7-next-20230206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
inline_data_addr fs/f2fs/f2fs.h:3272 [inline]
__recover_inline_status fs/f2fs/inode.c:111 [inline]
do_read_inode fs/f2fs/inode.c:418 [inline]
f2fs_iget+0x5300/0x5620 fs/f2fs/inode.c:536
f2fs_fill_super+0x3c09/0x8a10 fs/f2fs/super.c:4363
mount_bdev+0x351/0x410 fs/super.c:1372
legacy_get_tree+0x109/0x220 fs/fs_context.c:610
vfs_get_tree+0x8d/0x350 fs/super.c:1502
do_new_mount fs/namespace.c:3042 [inline]
path_mount+0x675/0x1e30 fs/namespace.c:3372
do_mount fs/namespace.c:3385 [inline]
__do_sys_mount fs/namespace.c:3594 [inline]
__se_sys_mount fs/namespace.c:3571 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3571
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7c3449176e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7c35569a08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f7c3449176e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f7c35569a60
RBP: 00007f7c35569aa0 R08: 00007f7c35569aa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f7c35569a60 R15: 0000000020011c40
</TASK>
================================================================================
F2FS-fs (loop5): sanity_check_inode: inode (ino=3) is with extra_attr, but extra_attr feature is off
F2FS-fs (loop5): Failed to read root inode
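The trace above shows an index derived from on-disk inode fields being used to address a fixed-size array (`__le32 [923]`) before the later sanity check rejects the inode. The following C program is an added illustration of that failure mode and of the check a defender would want in front of such an access; it is not f2fs's code and does not reproduce f2fs's structures. The struct, the flag and feature constants, the reserved-slot count, and the sample inode values (chosen so the arithmetic lands on the reported index 1409) are all assumptions; the actual image contents are not on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only (not f2fs's definitions): a fixed array of block
 * addresses inside an on-disk inode, plus an untrusted size field that decides
 * where inline data starts inside that array.  The bound 923 is the
 * '__le32 [923]' from the UBSAN report. */
#define ADDRS_PER_INODE       923
#define INLINE_RESERVED_SLOTS 1      /* assumed: slots skipped before inline data */
#define SB_FEATURE_EXTRA_ATTR 0x01   /* assumed superblock feature bit */
#define INODE_FLAG_EXTRA_ATTR 0x01   /* assumed per-inode flag in the on-disk inode */

struct disk_inode {
    uint16_t extra_isize;            /* extra-attribute bytes, read from disk */
    uint16_t inline_flags;           /* per-inode flags, read from disk */
    uint32_t i_addr[ADDRS_PER_INODE];
};

/* Unchecked form: trusts the on-disk flag and size.  With a crafted image the
 * resulting index can point far past the end of i_addr. */
size_t inline_data_index_unchecked(const struct disk_inode *ri)
{
    size_t extra_slots = 0;
    if (ri->inline_flags & INODE_FLAG_EXTRA_ATTR)
        extra_slots = ri->extra_isize / sizeof(uint32_t);
    return extra_slots + INLINE_RESERVED_SLOTS;
}

/* Hardened form: the per-inode flag must agree with the superblock feature,
 * the size must be a whole number of slots, and the final index must stay
 * inside the array.  Returns -1 for an inconsistent inode. */
long inline_data_index_checked(const struct disk_inode *ri, unsigned int sb_features)
{
    size_t extra_slots = 0;
    bool inode_has_extra = (ri->inline_flags & INODE_FLAG_EXTRA_ATTR) != 0;

    /* Same inconsistency the kernel log reports: inode says extra_attr,
     * superblock feature is off. */
    if (inode_has_extra && !(sb_features & SB_FEATURE_EXTRA_ATTR))
        return -1;
    if (inode_has_extra) {
        if (ri->extra_isize % sizeof(uint32_t) != 0)
            return -1;
        extra_slots = ri->extra_isize / sizeof(uint32_t);
    }
    size_t idx = extra_slots + INLINE_RESERVED_SLOTS;
    if (idx >= ADDRS_PER_INODE)
        return -1;
    return (long)idx;
}

/* Constructed inode: 5632 bytes of extra attributes = 1408 slots, plus one
 * reserved slot, gives the reported index 1409. */
struct disk_inode make_crafted_inode(void)
{
    struct disk_inode ri = {0};
    ri.extra_isize = 5632;
    ri.inline_flags = INODE_FLAG_EXTRA_ATTR;
    return ri;
}

/* Constructed inode with a plausible small extra_isize (36 bytes = 9 slots). */
struct disk_inode make_sane_inode(void)
{
    struct disk_inode ri = {0};
    ri.extra_isize = 36;
    ri.inline_flags = INODE_FLAG_EXTRA_ATTR;
    return ri;
}

long crafted_unchecked_index(void)
{
    struct disk_inode ri = make_crafted_inode();
    return (long)inline_data_index_unchecked(&ri);
}

long crafted_checked_index(unsigned int sb_features)
{
    struct disk_inode ri = make_crafted_inode();
    return inline_data_index_checked(&ri, sb_features);
}

long sane_checked_index(unsigned int sb_features)
{
    struct disk_inode ri = make_sane_inode();
    return inline_data_index_checked(&ri, sb_features);
}

int main(void)
{
    printf("unchecked index for crafted inode: %ld (array holds %d slots)\n",
           crafted_unchecked_index(), ADDRS_PER_INODE);
    printf("checked, feature off: %ld\n", crafted_checked_index(0));
    printf("checked, feature on:  %ld\n", crafted_checked_index(SB_FEATURE_EXTRA_ATTR));
    printf("sane inode, feature on: %ld\n", sane_checked_index(SB_FEATURE_EXTRA_ATTR));
    return 0;
}
```

The point of the hardened form is ordering: the consistency check between the inode flag and the superblock feature, and the bound check on the computed index, both run before any element of `i_addr` is addressed, so a crafted image is rejected at the read-inode step instead of producing an out-of-bounds address that a later sanity check only reports after the fact.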