From: bugzilla-daemon--- via Linux-f2fs-devel <linux-f2fs-devel@lists.sourceforge.net>
To: linux-f2fs-devel@lists.sourceforge.net
Subject: [f2fs-dev] [Bug 203861] Division by zero error in fsck.f2fs when fixing a corrupted image
Date: Sun, 10 May 2026 08:48:51 +0000
Message-ID: <bug-203861-202145-p54U4eGanR@https.bugzilla.kernel.org/>
In-Reply-To: <bug-203861-202145@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=203861
--- Comment #5 from Attila (cs.attila@zerodaybugs.com) ---
Created attachment 310083
--> https://bugzilla.kernel.org/attachment.cgi?id=310083&action=edit
Current-master fsck.f2fs reproducer package for Bug 203861: ASAN/UBSAN log,
evidence card, concept fix, mount.c context, and minimized crash artifacts
showing SIGFPE in sanity_check_raw_super() with s
I can reproduce a related fsck.f2fs divide-by-zero on current f2fs-tools
master, so this looks like either an incomplete fix for Bug 203861 or a
regression in a different validation path.
This is not the same top frame as the original 2019 report. The original report
shows the crash later through build_curseg() / GET_ZONE_FROM_SEGNO() when
sbi->secs_per_zone is 0. My current reproducer reaches an earlier path in
sanity_check_raw_super():
- component: f2fs-tools userspace fsck.f2fs
- function: sanity_check_raw_super()
- file/line: fsck/mount.c:1130:49 in my current-master build
- corrupted fields: segs_per_sec = 1, secs_per_zone = 0
- derived value: segs_per_zone = segs_per_sec * secs_per_zone = 0
- observed result: UBSan division-by-zero followed by ASan SIGFPE
Observed sanitizer evidence:
mount.c:1130:33: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mount.c:1130:33
AddressSanitizer:DEADLYSIGNAL
ERROR: AddressSanitizer: FPE
#0 in sanity_check_raw_super fsck/mount.c:1130:49
#1 in validate_super_block fsck/mount.c:1195:7
#2 in f2fs_do_mount fsck/mount.c:4088:8
#3 in main fsck/main.c:1326:8
The root cause appears to be that secs_per_zone == 0 is still rejected too late
on this path. segs_per_zone is derived from untrusted superblock fields and can
be used as a divisor before secs_per_zone / derived segs_per_zone are
validated.
I am attaching a current repro package with:
- ASAN/UBSAN log
- evidence card
- concept fix
- mount.c context
- minimized crash artifacts
Security impact claimed: local/tooling denial-of-service only. I am not
claiming RCE, privilege escalation, kernel compromise, or production Android
reachability.
If maintainers prefer a new bug instead of reopening/commenting on this
resolved one, I can file a new Bugzilla issue explicitly referencing Bug 203861
as the related/incomplete-fix ancestor.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
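As an added illustration of the check order the comment above describes (example code written for this page, not f2fs-tools' own mount.c; the struct and function names are hypothetical), a small model in which the derived divisor segs_per_zone is only produced after both superblock fields have been validated, so the later division can never see a zero:

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the untrusted superblock geometry fields
 * named in the report; not the real f2fs superblock layout. */
struct geometry {
    uint32_t segs_per_sec;
    uint32_t secs_per_zone;
    uint32_t segment_count;
};

/* Derive segs_per_zone = segs_per_sec * secs_per_zone, rejecting the
 * input (return -1) when either factor is zero or the product would
 * wrap a 32-bit field. Doing this before any division is the point. */
int64_t derived_segs_per_zone(uint32_t segs_per_sec, uint32_t secs_per_zone)
{
    if (segs_per_sec == 0 || secs_per_zone == 0)
        return -1;
    uint64_t spz = (uint64_t)segs_per_sec * secs_per_zone;
    if (spz > UINT32_MAX)
        return -1;
    return (int64_t)spz;
}

/* Hypothetical consumer: the kind of "segments / segs_per_zone" division
 * that faults with SIGFPE when the derived value is used unvalidated.
 * Returns -1 instead of dividing when the geometry was rejected. */
int64_t zones_in_image(const struct geometry *g)
{
    int64_t spz = derived_segs_per_zone(g->segs_per_sec, g->secs_per_zone);
    if (spz < 0)
        return -1;
    return (int64_t)(g->segment_count / (uint32_t)spz);
}

int main(void)
{
    /* Constructed input mirroring the corrupted fields in the report:
     * segs_per_sec = 1, secs_per_zone = 0. */
    struct geometry corrupted = { 1, 0, 512 };
    printf("zones_in_image(corrupted) = %lld\n",
           (long long)zones_in_image(&corrupted));
    return 0;
}
```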