public inbox for gfs2@lists.linux.dev
From: Andrew Price <anprice@redhat.com>
To: Kun Hu <huk23@m.fudan.edu.cn>, Andreas Gruenbacher <agruenba@redhat.com>
Cc: Jan Kara <jack@suse.cz>,
	viro@zeniv.linux.org.uk, brauner@kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	"jjtan24@m.fudan.edu.cn" <jjtan24@m.fudan.edu.cn>,
	gfs2@lists.linux.dev
Subject: Re: Bug: slab-out-of-bounds Write in __bh_read
Date: Mon, 13 Jan 2025 16:12:12 +0000
Message-ID: <31f0da2e-4dd7-44eb-95ee-6d22d310a2d6@redhat.com>
In-Reply-To: <27DB604A-8C3B-4703-BB8A-CBC16B9C4969@m.fudan.edu.cn>

On 13/01/2025 15:54, Kun Hu wrote:
> 
>>
>> 32generated_program.c memory maps the filesystem image, mounts it, and
>> then modifies it through the memory map. It's those modifications that
>> cause gfs2 to crash, so the test case is invalid.
>>
>> Is disabling CONFIG_BLK_DEV_WRITE_MOUNTED supposed to prevent that? If
>> so, then it doesn't seem to be working.
>>
>> Thanks,
>> Andreas
> 
> 
>>   We have reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled to obtain the same crash log. The new crash log, along with C and Syzlang reproducers are provided below:
> 
>> Crash log: https://drive.google.com/file/d/1FiCgo05oPheAt4sDQzRYTQwl0-CY6rvi/view?usp=sharing
>> C reproducer: https://drive.google.com/file/d/1TTR9cquaJcMYER6vtYUGh3gOn_mROME4/view?usp=sharing
>> Syzlang reproducer: https://drive.google.com/file/d/1R9QDUP2r7MI4kYMiT_yn-tzm6NqmcEW-/view?usp=sharing
> 
> Hi Andreas,
> 
> As per Jan's suggestion, we’ve successfully reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled. Should you require us to test this issue again, we are happy to do so.
> 
FWIW the reproducer boils down to

   #include <fcntl.h>
   #include <unistd.h>
   #include <sys/ioctl.h>
   #include <linux/fs.h>

   /*
      mkfs.gfs2 -b 2048 -p lock_nolock $DEV
      mount $DEV $MNT
      cd $MNT
      /path/to/this_test
    */
   int main(void)
   {
           unsigned flag = FS_JOURNAL_DATA_FL;
           char buf[4102] = {0};
           int fd;

           /* Error checking omitted for clarity */
           fd = open("f", O_CREAT|O_RDWR, 0644); /* O_CREAT needs a mode */
           write(fd, buf, sizeof(buf));
           /* switch the file to journaled data mode between the writes */
           ioctl(fd, FS_IOC_SETFLAGS, &flag);
           write(fd, buf, sizeof(buf)); /* boom */
           close(fd);
           return 0;
   }

So it's switching the file to journaled data mode between two writes.

The size of the writes seems to be relevant and the fs needs to be 
created with a 2K block size (I'm guessing it could reproduce with other 
combinations).

Andy


Thread overview: 10+ messages
     [not found] <F0E0E5DD-572E-4F05-8016-46D36682C8BB@m.fudan.edu.cn>
     [not found] ` <brheoinx2gsmonf6uxobqicuxnqpxnsum26c3hcuroztmccl3m@lnmielvfe4v7>
     [not found]   ` <5757218E-52F8-49C7-95F1-9051EB51A2F3@m.fudan.edu.cn>
     [not found]     ` <6yd5s7fxnr7wtmluqa667lok54sphgtg4eppubntulelwidvca@ffyohkeovnyn>
     [not found]       ` <31A10938-C36E-40A2-8A1D-180BD95528DD@m.fudan.edu.cn>
2025-01-10 10:08         ` Bug: slab-out-of-bounds Write in __bh_read Jan Kara
2025-01-10 17:17           ` Kun Hu
2025-01-13 15:41             ` Andreas Gruenbacher
2025-01-13 15:54               ` Kun Hu
2025-01-13 16:12                 ` Andrew Price [this message]
2025-01-14 18:05                   ` Andreas Gruenbacher
     [not found]                     ` <958E28E8-3046-4030-963A-7A0789E8809C@m.fudan.edu.cn>
2025-01-15 13:37                       ` Andreas Gruenbacher
2025-01-16 10:41                     ` Kun Hu
2025-01-16 14:30                       ` Andrew Price
2025-01-13 16:24               ` Andreas Gruenbacher
