From: bugzilla-daemon@kernel.org
To: linux-f2fs-devel@lists.sourceforge.net
Subject: [f2fs-dev] [Bug 215657] New: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
Date: Thu, 03 Mar 2022 23:09:11 +0000
Message-ID: <bug-215657-202145@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=215657
Bug ID: 215657
Summary: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
Product: File System
Version: 2.5
Kernel Version: 5.17-rc4, 5.17-rc6
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: wenqingliu0120@gmail.com
Regression: No
Created attachment 300527
--> https://bugzilla.kernel.org/attachment.cgi?id=300527&action=edit
poc and .config
- Overview
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mounting and operating on a corrupted image
- Reproduce
Tested on kernels 5.17-rc4 and 5.17-rc6:
# mkdir test_crash
# cd test_crash
# unzip tmp2.zip
# mkdir mnt
# ./single_test.sh f2fs 2
- Kernel dump
[ 46.434454] loop0: detected capacity change from 0 to 131072
[ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[ 46.738319]
================================================================================
[ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[ 46.738475] index 231 is out of range for type 'unsigned int [2]'
[ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 46.738551] Call Trace:
[ 46.738556] <TASK>
[ 46.738563] dump_stack_lvl+0x47/0x5c
[ 46.738581] ubsan_epilogue+0x5/0x50
[ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80
[ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[ 46.738819] do_write_page+0xef/0x210 [f2fs]
[ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[ 46.739038] __write_node_page+0x2b7/0x920 [f2fs]
[ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[ 46.739268] ? __inode_wait_for_writeback+0xd1/0x120
[ 46.739283] ? iput+0xd6/0x390
[ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs]
[ 46.739507] deactivate_locked_super+0x60/0xc0
[ 46.739517] deactivate_super+0x70/0xb0
[ 46.739524] cleanup_mnt+0x11a/0x200
[ 46.739532] __cleanup_mnt+0x16/0x20
[ 46.739538] task_work_run+0x67/0xa0
[ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0
[ 46.739559] syscall_exit_to_user_mode+0x26/0x40
[ 46.739568] do_syscall_64+0x46/0xb0
[ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 46.739594] RIP: 0033:0x7f7b9d28a657
[ 46.739602] Code: 98 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 98 2c 00 f7 d8 64 89 01 48
[ 46.739608] RSP: 002b:00007ffd5f511d68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 46.739616] RAX: 0000000000000000 RBX: 0000558790c51420 RCX: 00007f7b9d28a657
[ 46.739620] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000558790c590b0
[ 46.739623] RBP: 0000000000000000 R08: 0000558790c598a0 R09: 0000000000000004
[ 46.739626] R10: 000000000000000b R11: 0000000000000246 R12: 0000558790c590b0
[ 46.739630] R13: 00007f7b9d7ac8a4 R14: 0000558790c51600 R15: 0000000000000000
[ 46.739637] </TASK>
[ 46.739711]
================================================================================
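The trace above reports "index 231 is out of range for type 'unsigned int [2]'" inside f2fs_allocate_data_block(), reached from umount through the checkpoint and node-writeback path. The following is an added illustration written for this page, not f2fs source code: it models a two-element per-filesystem counter indexed by an allocation-type byte that is copied from the on-disk checkpoint at mount time, shows the unchecked increment that such a report points at, and places the fix where it belongs, at mount, with a defensive bounds check on the write path as a second line of defence. The names alloc_type, block_count, curseg, load_curseg and the checkpoint layout are assumptions constructed for the example.

```c
/*
 * Added illustration (editor's example, not f2fs source). Assumed pattern:
 * a two-element counter indexed by an allocation-type byte read from the
 * on-disk checkpoint. Field names and the checkpoint layout are constructed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALLOC_LFS      0
#define ALLOC_SSR      1
#define NR_ALLOC_TYPES 2
#define NR_CURSEG      3        /* constructed: active logs in the model */
#define EFSCORRUPTED   EUCLEAN  /* Linux reports on-disk corruption as EUCLEAN */

struct curseg_info {
    uint8_t alloc_type;         /* copied verbatim from the checkpoint */
};

struct sb_info {
    unsigned int       block_count[NR_ALLOC_TYPES]; /* the 'unsigned int [2]' */
    struct curseg_info curseg[NR_CURSEG];
};

/* Constructed on-disk layout: one alloc_type byte per active log. */
struct checkpoint {
    uint8_t alloc_type[NR_CURSEG];
};

static int alloc_type_valid(uint8_t t)
{
    return t == ALLOC_LFS || t == ALLOC_SSR;
}

/* Parse a raw checkpoint buffer (constructed layout). 0 or -EINVAL if short. */
int parse_checkpoint(const uint8_t *raw, size_t len, struct checkpoint *ckpt)
{
    if (len < NR_CURSEG)
        return -EINVAL;
    memcpy(ckpt->alloc_type, raw, NR_CURSEG);
    return 0;
}

/*
 * Mount-time load. With 'strict' set, an out-of-range alloc_type is treated
 * as corruption and the mount is refused, so nothing ever indexes with the
 * value. Without 'strict' the byte is trusted, reproducing the unchecked
 * path. Returns 0 or -EFSCORRUPTED.
 */
int load_curseg(struct sb_info *sbi, const struct checkpoint *ckpt, int strict)
{
    memset(sbi, 0, sizeof(*sbi));
    for (int i = 0; i < NR_CURSEG; i++) {
        uint8_t t = ckpt->alloc_type[i];
        if (strict && !alloc_type_valid(t)) {
            fprintf(stderr, "curseg %d: invalid alloc_type %u, refusing mount\n", i, t);
            return -EFSCORRUPTED;
        }
        sbi->curseg[i].alloc_type = t;
    }
    return 0;
}

/*
 * Block accounting on the write path. The unchecked form is a one-line
 * increment, block_count[curseg->alloc_type]++, which is where a bounds
 * sanitizer fires once alloc_type is corrupted. Here the index is checked
 * first; returns 0, or -EFSCORRUPTED without touching memory.
 */
int stat_inc_block_count(struct sb_info *sbi, const struct curseg_info *curseg)
{
    if (!alloc_type_valid(curseg->alloc_type))
        return -EFSCORRUPTED;
    sbi->block_count[curseg->alloc_type]++;
    return 0;
}

/*
 * Stand-in for the umount -> write_checkpoint -> allocate_data_block chain:
 * allocate one block from each active log. Returns the number of logs
 * processed, or -EFSCORRUPTED at the first invalid alloc_type.
 */
int checkpoint_allocate_all(struct sb_info *sbi)
{
    for (int i = 0; i < NR_CURSEG; i++) {
        int ret = stat_inc_block_count(sbi, &sbi->curseg[i]);
        if (ret)
            return ret;
    }
    return NR_CURSEG;
}

int main(void)
{
    /* Constructed images: a sane one, and one carrying byte 231 in log 1. */
    const uint8_t good[NR_CURSEG] = { ALLOC_LFS, ALLOC_SSR, ALLOC_LFS };
    const uint8_t bad[NR_CURSEG]  = { ALLOC_LFS, 231, ALLOC_SSR };
    struct checkpoint ckpt;
    struct sb_info sbi;

    parse_checkpoint(good, sizeof good, &ckpt);
    load_curseg(&sbi, &ckpt, 1);
    checkpoint_allocate_all(&sbi);
    printf("good image: block_count = {%u, %u}\n", sbi.block_count[0], sbi.block_count[1]);

    parse_checkpoint(bad, sizeof bad, &ckpt);
    printf("bad image, strict mount: %d\n", load_curseg(&sbi, &ckpt, 1));
    load_curseg(&sbi, &ckpt, 0);
    printf("bad image, trusted mount, checkpoint: %d\n", checkpoint_allocate_all(&sbi));
    return 0;
}
```

The point of the two layers is that a sanitizer catches the bad index only on instrumented builds; on a production kernel the same increment silently writes 900-odd bytes past the array. Validating every on-disk field that is later used as an index at mount time, and returning -EFSCORRUPTED rather than proceeding, is the check that turns a crafted image into a refused mount.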
Thread overview: 4+ messages
2022-03-03 23:09 bugzilla-daemon [this message]
2022-03-04  1:51 ` [f2fs-dev] [Bug 215657] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image bugzilla-daemon
2022-03-07 18:17 ` bugzilla-daemon
2022-04-28  9:05 ` bugzilla-daemon