syzbot


UBSAN: shift-out-of-bounds in ntfs_iget

Status: fixed on 2024/03/20 11:33
Subsystems: ntfs3
Reported-by: syzbot+4768a8f039aa677897d0@syzkaller.appspotmail.com
Fix commit: 6f861765464f fs: Block writes to mounted block devices
First crash: 553d, last: 311d
Cause bisection: failed (error log, bisect log)
Fix bisection: fixed by (bisect log):
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

Discussions (8)
Title Replies (including bot) Last reply
[syzbot] [ntfs?] UBSAN: shift-out-of-bounds in ntfs_iget 1 (3) 2024/03/06 12:21
[PATCH v4] ntfs : fix shift-out-of-bounds in ntfs_iget 6 (6) 2023/08/28 16:52
[PATCH v5] ntfs : fix shift-out-of-bounds in ntfs_iget 4 (4) 2023/08/15 08:52
Re: [PATCH v2] ntfs : fix shift-out-of-bounds in ntfs_iget 3 (3) 2023/08/10 17:32
[PATCH v2] ntfs : fix shift-out-of-bounds in ntfs_iget 2 (2) 2023/08/08 10:45
Re: [PATCH] ntfs : fix shift-out-of-bounds in ntfs_iget 1 (1) 2023/08/08 05:27
[PATCH] ntfs : fix shift-out-of-bounds in ntfs_iget 1 (1) 2023/08/08 04:34
[syzbot] [ntfs?] UBSAN: shift-out-of-bounds in ntfs_iget 1 (1) 2023/08/05 04:57
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 UBSAN: shift-out-of-bounds in ntfs_iget origin:upstream missing-backport C done 2 62d 552d 0/3 upstream: reported C repro on 2023/05/31 18:24
linux-6.1 UBSAN: shift-out-of-bounds in ntfs_iget origin:upstream missing-backport C error 2 89d 552d 0/3 upstream: reported C repro on 2023/06/01 07:48
Last patch testing requests (11)
Created Duration User Patch Repo Result
2024/02/24 16:54 21m retest repro upstream OK log
2024/01/27 23:04 22m retest repro upstream OK log
2024/01/27 23:04 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/01/12 15:08 24m retest repro upstream OK log
2024/01/11 17:11 16m retest repro upstream OK log
2023/11/15 22:51 24m retest repro linux-next OK log
2023/11/15 22:51 15m retest repro upstream report log
2023/11/15 22:51 17m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/10/30 02:20 14m retest repro upstream report log
2023/09/06 22:07 10m retest repro upstream report log
2023/08/08 03:47 27m ghandatmanas@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.4 OK log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2024/03/05 16:04 4h16m bisect fix upstream OK (1) job log
2023/12/16 13:24 3h24m bisect fix upstream OK (0) job log log
2023/10/15 18:15 1h03m bisect fix upstream OK (0) job log log

Sample crash report:
ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5.  Marking corrupt inode 0x1 as bad.  Run chkdsk.
ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr.  Mounting read-only.  Run ntfsfix and/or chkdsk.
================================================================================
UBSAN: shift-out-of-bounds in fs/ntfs/inode.c:1080:43
shift exponent 44 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 5966 Comm: syz-executor273 Not tainted 6.4.0-rc3-syzkaller-geb0f1697d729 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_shift_out_of_bounds+0x2f4/0x36c lib/ubsan.c:387
 ntfs_read_locked_inode+0x35b4/0x38e0 fs/ntfs/inode.c:1080
 ntfs_iget+0x110/0x19c fs/ntfs/inode.c:177
 load_and_init_upcase fs/ntfs/super.c:1663 [inline]
 load_system_files+0x1728/0x4734 fs/ntfs/super.c:1818
 ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2900
 mount_bdev+0x26c/0x368 fs/super.c:1380
 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
 vfs_get_tree+0x90/0x274 fs/super.c:1510
 do_new_mount+0x25c/0x8c8 fs/namespace.c:3039
 path_mount+0x590/0xe04 fs/namespace.c:3369
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
 el0_svc+0x4c/0x15c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
================================================================================
================================================================================
UBSAN: shift-out-of-bounds in fs/ntfs/inode.c:1089:11
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 5966 Comm: syz-executor273 Not tainted 6.4.0-rc3-syzkaller-geb0f1697d729 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_shift_out_of_bounds+0x2f4/0x36c lib/ubsan.c:387
 ntfs_read_locked_inode+0x35d0/0x38e0 fs/ntfs/inode.c:1089
 ntfs_iget+0x110/0x19c fs/ntfs/inode.c:177
 load_and_init_upcase fs/ntfs/super.c:1663 [inline]
 load_system_files+0x1728/0x4734 fs/ntfs/super.c:1818
 ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2900
 mount_bdev+0x26c/0x368 fs/super.c:1380
 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
 vfs_get_tree+0x90/0x274 fs/super.c:1510
 do_new_mount+0x25c/0x8c8 fs/namespace.c:3039
 path_mount+0x590/0xe04 fs/namespace.c:3369
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
 el0_svc+0x4c/0x15c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
================================================================================
ntfs: (device loop0): ntfs_mapping_pairs_decompress(): Missing length entry in mapping pairs array.
ntfs: (device loop0): ntfs_mapping_pairs_decompress(): Invalid length in mapping pairs array.
ntfs: (device loop0): ntfs_read_block(): Failed to read from inode 0xa, attribute type 0x80, vcn 0x0, offset 0x0 because its location on disk could not be determined even after retrying (error code -5).
ntfs: (device loop0): ntfs_mapping_pairs_decompress(): Missing length entry in mapping pairs array.
ntfs: (device loop0): ntfs_mapping_pairs_decompress(): Invalid length in mapping pairs array.
ntfs: (device loop0): ntfs_read_block(): Failed to read from inode 0xa, attribute type 0x80, vcn 0x0, offset 0x800 because its location on disk could not be determined even after retrying (error code -5).
ntfs: volume version 3.1.

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/05/31 08:03 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci eb0f1697d729 09898419 .config console log report syz C [mounted in repro] ci-upstream-gce-arm64 UBSAN: shift-out-of-bounds in ntfs_iget
2023/12/28 16:08 upstream f5837722ffec fb427a07 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-selinux-root UBSAN: shift-out-of-bounds in ntfs_iget
2023/10/15 21:59 upstream 9a3dad63edbe 6388bc36 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in ntfs_iget
2023/06/29 12:12 upstream e8f75c0270d9 ca69c785 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in ntfs_iget
2023/05/31 07:44 upstream afead42fdfca 09898419 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: shift-out-of-bounds in ntfs_iget
2023/08/09 23:54 linux-next 21ef7b1e17d0 13ca4cd6 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root UBSAN: shift-out-of-bounds in ntfs_iget
2023/11/01 22:20 upstream 8bc9e6515183 69904c9f .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: shift-out-of-bounds in ntfs_iget
2023/06/04 16:35 upstream e5282a7d8f6b a4ae4f42 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: shift-out-of-bounds in ntfs_iget
2023/05/31 07:28 upstream afead42fdfca 09898419 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: shift-out-of-bounds in ntfs_iget
* Struck through repros no longer work on HEAD.