syzbot


UBSAN: array-index-out-of-bounds in f2fs_iget

Status: fixed on 2023/10/12 12:48
Subsystems: f2fs
Reported-by: syzbot+601018296973a481f302@syzkaller.appspotmail.com
Fix commit: 958ccbbf1ce7 Revert "f2fs: fix to do sanity check on extent cache correctly"
First crash: 309d, last: 261d
Cause bisection: introduced by:
commit d48a7b3a72f121655d95b5157c32c7d555e44c05
Author: Chao Yu <chao@kernel.org>
Date: Mon Jan 9 03:49:20 2023 +0000

  f2fs: fix to do sanity check on extent cache correctly

Crash: UBSAN: array-index-out-of-bounds in f2fs_iget (log)
Repro: C syz .config

Discussions (3)
Title | Replies (including bot) | Last reply
[PATCH] Revert "f2fs: fix to do sanity check on extent cache correctly" | 2 (2) | 2023/08/14 20:50
[syzbot] Monthly f2fs report (Aug 2023) | 0 (1) | 2023/08/07 07:27
[syzbot] [f2fs?] UBSAN: array-index-out-of-bounds in f2fs_iget | 0 (1) | 2023/07/20 05:56
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-6.1 | UBSAN: array-index-out-of-bounds in f2fs_iget origin:upstream | C | done | | 1 | 274d | 274d | 3/3 | fixed on 2023/10/10 21:47
linux-5.15 | KASAN: use-after-free Read in f2fs_iget origin:upstream | C | | | 2 | 15d | 15d | 0/3 | upstream: reported C repro on 2024/05/05 12:48

Sample crash report:
F2FS-fs (loop0): Mismatch start address, segment0(512) cp_blkaddr(605)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Found nat_bits in checkpoint
================================================================================
UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:29
index 1409 is out of range for type '__le32 [923]'
CPU: 0 PID: 5033 Comm: syz-executor363 Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
 inline_data_addr fs/f2fs/f2fs.h:3275 [inline]
 __recover_inline_status fs/f2fs/inode.c:113 [inline]
 do_read_inode fs/f2fs/inode.c:480 [inline]
 f2fs_iget+0x5ad8/0x5b10 fs/f2fs/inode.c:604
 f2fs_fill_super+0x45d6/0xa1b0 fs/f2fs/super.c:4600
 mount_bdev+0x1f3/0x2e0 fs/super.c:1629
 legacy_get_tree+0x109/0x220 fs/fs_context.c:638
 vfs_get_tree+0x8c/0x370 fs/super.c:1750
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4e221b58ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd4af35e68 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd4af35e80 RCX: 00007f4e221b58ba
RDX: 0000000020000000 RSI: 0000000020000040 RDI: 00007ffd4af35e80
RBP: 0000000000000004 R08: 00007ffd4af35ec0 R09: 0000000000007e87
R10: 0000000000000010 R11: 0000000000000286 R12: 0000000000000010
R13: 00007ffd4af35ec0 R14: 0000000000000003 R15: 0000000001ee4e54
 </TASK>
================================================================================
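
The trace above shows inline_data_addr() (fs/f2fs/f2fs.h:3275), reached from do_read_inode() while a crafted loop image is being mounted, indexing i_addr[] (declared as __le32 [923]) with 1409. That index is derived from the inode's extra-attribute size (i_extra_isize), a field read straight from the on-disk inode, so an attacker-controlled image decides the offset unless the field is validated first. The C model below is an added example written for this page, not f2fs code: it places the unchecked index arithmetic beside a checked accessor that validates the on-disk field before using it as an offset. Only the array length 923 and the index 1409 come from the report; INLINE_RESERVED_SIZE (1), TOTAL_EXTRA_ATTR_SIZE (36), the struct disk_inode layout and the crafted inode values are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of i_addr[] in struct f2fs_inode, as printed in the UBSAN
 * message ("type '__le32 [923]'"). */
#define ADDRS_PER_INODE 923u

/* Slots reserved ahead of the inline data. f2fs calls this
 * DEF_INLINE_RESERVED_SIZE; the value 1 is assumed here and is
 * consistent with the reported index. */
#define INLINE_RESERVED_SIZE 1u

/* Upper bound, in bytes, on the extra-attribute area. f2fs names this
 * F2FS_TOTAL_EXTRA_ATTR_SIZE; the value 36 is an assumption for this model. */
#define TOTAL_EXTRA_ATTR_SIZE 36u

/* Minimal model of the on-disk fields this check depends on. This is
 * not the real struct f2fs_inode layout. */
struct disk_inode {
    uint16_t i_extra_isize;             /* bytes of extra fields before the payload */
    uint32_t i_addr[ADDRS_PER_INODE];   /* block address / inline data area */
};

/* The slot inline_data_addr() ends up using: extra_isize / sizeof(__le32)
 * plus the reserved slot. No validation, i.e. the arithmetic that produced
 * index 1409 in the report when i_extra_isize came from a crafted image. */
size_t inline_data_index(const struct disk_inode *ri)
{
    return ri->i_extra_isize / sizeof(uint32_t) + INLINE_RESERVED_SIZE;
}

/* Sanity check an untrusted i_extra_isize before it is used as an
 * offset: it must be 4-byte aligned and fit in the extra-attribute area. */
bool extra_isize_is_sane(uint16_t extra_isize)
{
    if (extra_isize % sizeof(uint32_t) != 0)
        return false;
    if (extra_isize > TOTAL_EXTRA_ATTR_SIZE)
        return false;
    return true;
}

/* Checked accessor: returns a pointer to the inline data slot, or NULL
 * when the on-disk value is rejected. The explicit bound on idx makes the
 * access safe even if a caller skipped the field-level sanity check. */
const uint32_t *inline_data_addr_checked(const struct disk_inode *ri)
{
    if (!extra_isize_is_sane(ri->i_extra_isize))
        return NULL;
    size_t idx = inline_data_index(ri);
    if (idx >= ADDRS_PER_INODE)
        return NULL;
    return &ri->i_addr[idx];
}

int main(void)
{
    /* Constructed inode mimicking the crash: i_extra_isize chosen so the
     * unchecked index is 1409, the value in the UBSAN report. */
    static struct disk_inode crafted = { .i_extra_isize = 1408 * 4 };
    /* Constructed inode whose extra area is at the assumed maximum size. */
    static struct disk_inode sane = { .i_extra_isize = 36 };

    printf("crafted: index %zu, checked access %s\n",
           inline_data_index(&crafted),
           inline_data_addr_checked(&crafted) ? "allowed" : "rejected");
    printf("sane:    index %zu, checked access %s\n",
           inline_data_index(&sane),
           inline_data_addr_checked(&sane) ? "allowed" : "rejected");
    return 0;
}
```

Build with `cc -std=c99 -Wall -fsanitize=undefined` to see the same class of diagnostic UBSAN raised in the kernel if the unchecked index is ever dereferenced; the point of the checked accessor is that the rejection happens at the field, before any pointer is formed.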

Crashes (6):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2023/09/02 22:05 | upstream | 0468be89b3fa | 696ea0d2 | .config | strace log | report | syz | C | | disk image, vmlinux, kernel image, mounted in repro | ci-upstream-kasan-gce-root | UBSAN: array-index-out-of-bounds in f2fs_iget
2023/08/01 11:16 | upstream | 5d0c230f1de8 | 2a0d0f29 | .config | strace log | report | syz | C | | disk image, vmlinux, kernel image, mounted in repro | ci-upstream-kasan-badwrites-root | UBSAN: array-index-out-of-bounds in f2fs_iget
2023/07/19 07:17 | upstream | 74f1456c4a5f | 022df2bb | .config | strace log | report | syz | C | | disk image, vmlinux, kernel image, mounted in repro | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in f2fs_iget
2023/07/16 06:02 | upstream | 831fe284d827 | 35d9ecc5 | .config | strace log | report | syz | C | | disk image, vmlinux, kernel image, mounted in repro | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in f2fs_iget
2023/07/17 15:34 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e40939bbfc68 | e5f10889 | .config | console log | report | syz | C | | disk image, vmlinux, kernel image, mounted in repro | ci-upstream-gce-arm64 | UBSAN: array-index-out-of-bounds in f2fs_iget
2023/07/16 05:44 | upstream | 831fe284d827 | 35d9ecc5 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in f2fs_iget
* Struck through repros no longer work on HEAD.