From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Dmitry Antipov <dmantipov@yandex.ru>,
	syzbot+56f7cd1abe4b8e475180@syzkaller.appspotmail.com,
	Joseph Qi <joseph.qi@linux.alibaba.com>,
	Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>,
	Junxiao Bi <junxiao.bi@oracle.com>,
	Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.1 28/73] ocfs2: fix UBSAN warning in ocfs2_verify_volume()
Date: Wed, 20 Nov 2024 13:58:14 +0100
Message-ID: <20241120125810.285065673@linuxfoundation.org>
In-Reply-To: <20241120125809.623237564@linuxfoundation.org>

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Antipov <dmantipov@yandex.ru>

commit 23aab037106d46e6168ce1214a958ce9bf317f2e upstream.

Syzbot has reported the following splat triggered by UBSAN:

UBSAN: shift-out-of-bounds in fs/ocfs2/super.c:2336:10
shift exponent 32768 is too large for 32-bit type 'int'
CPU: 2 UID: 0 PID: 5255 Comm: repro Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x241/0x360
 ? __pfx_dump_stack_lvl+0x10/0x10
 ? __pfx__printk+0x10/0x10
 ? __asan_memset+0x23/0x50
 ? lockdep_init_map_type+0xa1/0x910
 __ubsan_handle_shift_out_of_bounds+0x3c8/0x420
 ocfs2_fill_super+0xf9c/0x5750
 ? __pfx_ocfs2_fill_super+0x10/0x10
 ? __pfx_validate_chain+0x10/0x10
 ? __pfx_validate_chain+0x10/0x10
 ? validate_chain+0x11e/0x5920
 ? __lock_acquire+0x1384/0x2050
 ? __pfx_validate_chain+0x10/0x10
 ? string+0x26a/0x2b0
 ? widen_string+0x3a/0x310
 ? string+0x26a/0x2b0
 ? bdev_name+0x2b1/0x3c0
 ? pointer+0x703/0x1210
 ? __pfx_pointer+0x10/0x10
 ? __pfx_format_decode+0x10/0x10
 ? __lock_acquire+0x1384/0x2050
 ? vsnprintf+0x1ccd/0x1da0
 ? snprintf+0xda/0x120
 ? __pfx_lock_release+0x10/0x10
 ? do_raw_spin_lock+0x14f/0x370
 ? __pfx_snprintf+0x10/0x10
 ? set_blocksize+0x1f9/0x360
 ? sb_set_blocksize+0x98/0xf0
 ? setup_bdev_super+0x4e6/0x5d0
 mount_bdev+0x20c/0x2d0
 ? __pfx_ocfs2_fill_super+0x10/0x10
 ? __pfx_mount_bdev+0x10/0x10
 ? vfs_parse_fs_string+0x190/0x230
 ? __pfx_vfs_parse_fs_string+0x10/0x10
 legacy_get_tree+0xf0/0x190
 ? __pfx_ocfs2_mount+0x10/0x10
 vfs_get_tree+0x92/0x2b0
 do_new_mount+0x2be/0xb40
 ? __pfx_do_new_mount+0x10/0x10
 __se_sys_mount+0x2d6/0x3c0
 ? __pfx___se_sys_mount+0x10/0x10
 ? do_syscall_64+0x100/0x230
 ? __x64_sys_mount+0x20/0xc0
 do_syscall_64+0xf3/0x230
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f37cae96fda
Code: 48 8b 0d 51 ce 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e ce 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff6c1aa228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff6c1aa240 RCX: 00007f37cae96fda
RDX: 00000000200002c0 RSI: 0000000020000040 RDI: 00007fff6c1aa240
RBP: 0000000000000004 R08: 00007fff6c1aa280 R09: 0000000000000000
R10: 00000000000008c0 R11: 0000000000000206 R12: 00000000000008c0
R13: 00007fff6c1aa280 R14: 0000000000000003 R15: 0000000001000000
 </TASK>

For a really damaged superblock, the value of 'i_super.s_blocksize_bits'
may exceed the maximum possible shift for an underlying 'int'.  So add an
extra check whether the aforementioned field represents the valid block
size, which is 512 bytes, 1K, 2K, or 4K.

Link: https://lkml.kernel.org/r/20241106092100.2661330-1-dmantipov@yandex.ru
Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+56f7cd1abe4b8e475180@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56f7cd1abe4b8e475180
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/super.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2321,6 +2321,7 @@ static int ocfs2_verify_volume(struct oc
 			       struct ocfs2_blockcheck_stats *stats)
 {
 	int status = -EAGAIN;
+	u32 blksz_bits;
 
 	if (memcmp(di->i_signature, OCFS2_SUPER_BLOCK_SIGNATURE,
 		   strlen(OCFS2_SUPER_BLOCK_SIGNATURE)) == 0) {
@@ -2335,11 +2336,15 @@ static int ocfs2_verify_volume(struct oc
 				goto out;
 		}
 		status = -EINVAL;
-		if ((1 << le32_to_cpu(di->id2.i_super.s_blocksize_bits)) != blksz) {
+		/* Acceptable block sizes are 512 bytes, 1K, 2K and 4K. */
+		blksz_bits = le32_to_cpu(di->id2.i_super.s_blocksize_bits);
+		if (blksz_bits < 9 || blksz_bits > 12) {
 			mlog(ML_ERROR, "found superblock with incorrect block "
-			     "size: found %u, should be %u\n",
-			     1 << le32_to_cpu(di->id2.i_super.s_blocksize_bits),
-			       blksz);
+			     "size bits: found %u, should be 9, 10, 11, or 12\n",
+			     blksz_bits);
+		} else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
+			mlog(ML_ERROR, "found superblock with incorrect block "
+			     "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
 		} else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
 			   OCFS2_MAJOR_REV_LEVEL ||
 			   le16_to_cpu(di->id2.i_super.s_minor_rev_level) !=
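Review bot: the new `else if` line `} else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {` applies `le32_to_cpu()` a second time to a value that was already converted to host order on the line `blksz_bits = le32_to_cpu(di->id2.i_super.s_blocksize_bits);`. On little-endian hosts this is a no-op, but on a big-endian build it byte-swaps a host-order `u32`, so the comparison against `blksz` fails for a perfectly valid superblock, and sparse will complain about passing a plain `u32` where a `__le32` is expected. The mlog call two lines later already uses the converted value directly (`1 << blksz_bits`); the comparison should do the same: `} else if ((1 << blksz_bits) != blksz) {`.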


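The commit message above describes the defect (an unchecked `s_blocksize_bits` from a corrupt superblock used directly as a shift count) and the fix (range-check the exponent to 9..12 before shifting). The following stand-alone C program is an added example, not code from the ocfs2 patch or the kernel tree: it models the patched check in user space over a constructed little-endian on-disk field, so the order of operations (decode, range-check, then shift and compare) can be run and inspected. `le32_read`, `check_blocksize_bits`, `verify_volume_field` and the `struct sb_field` layout are assumptions made for this example; the unchecked `1 << 32768` form is undefined behaviour in C and is deliberately never executed here.

```c
/* Added example (not part of the ocfs2 patch or the kernel): user-space
 * model of the block-size validation the patch adds to
 * ocfs2_verify_volume(), run against constructed superblock bytes. */
#include <stdint.h>
#include <stdio.h>

/* Outcome of the check. The kernel returns -EINVAL for both failure cases
 * and logs which one it hit; distinct codes here make the cases visible. */
enum blksz_check {
	BLKSZ_OK = 0,
	BLKSZ_BITS_OUT_OF_RANGE = 1, /* shift would be undefined behaviour */
	BLKSZ_MISMATCH = 2,          /* 1 << bits != block size in use */
};

/* Host-order read of a little-endian u32: the job le32_to_cpu() does in
 * the kernel. Done once, on the raw on-disk bytes. */
static uint32_t le32_read(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The patched logic: the exponent is range-checked before it is ever used
 * as a shift count, so the shift below is always defined for a 32-bit type. */
static enum blksz_check check_blocksize_bits(uint32_t blksz_bits, uint32_t blksz)
{
	/* Acceptable block sizes are 512 bytes, 1K, 2K and 4K: bits 9..12. */
	if (blksz_bits < 9 || blksz_bits > 12) {
		fprintf(stderr, "incorrect block size bits: found %u, "
			"should be 9, 10, 11, or 12\n", blksz_bits);
		return BLKSZ_BITS_OUT_OF_RANGE;
	}
	if ((1u << blksz_bits) != blksz) {
		fprintf(stderr, "incorrect block size: found %u, should be %u\n",
			1u << blksz_bits, blksz);
		return BLKSZ_MISMATCH;
	}
	return BLKSZ_OK;
}

/* Constructed 4-byte on-disk field (little-endian), standing in for
 * di->id2.i_super.s_blocksize_bits. Layout is hypothetical. */
struct sb_field {
	uint8_t s_blocksize_bits_le[4];
};

static void set_le32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;
	p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16);
	p[3] = (uint8_t)(v >> 24);
}

/* Write the given exponent into a constructed superblock field as the disk
 * would hold it, then validate it against the block size the mount uses. */
static enum blksz_check verify_volume_field(uint32_t on_disk_bits, uint32_t blksz)
{
	struct sb_field sb;

	set_le32(sb.s_blocksize_bits_le, on_disk_bits);
	return check_blocksize_bits(le32_read(sb.s_blocksize_bits_le), blksz);
}

int main(void)
{
	/* Healthy 4K superblock. */
	printf("bits=12, blksz=4096 -> %d\n", verify_volume_field(12, 4096));
	/* The value from the syzbot splat: rejected before any shift happens. */
	printf("bits=32768, blksz=4096 -> %d\n", verify_volume_field(32768, 4096));
	/* In range, but inconsistent with the block size chosen at mount. */
	printf("bits=10, blksz=4096 -> %d\n", verify_volume_field(10, 4096));
	return 0;
}
```

The value of structuring the check this way is that the decode, the range check and the shift happen in that fixed order, and the decoded value is stored once and reused, so there is no second endianness conversion and no shift whose count comes straight from disk. Building with `-fsanitize=undefined` stays quiet for every input, including the 32768 case from the report.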
