Date | Name | Commit | Repro | Result |
---|---|---|---|---|
2023/05/20 | upstream (ToT) | 5565ec4ef4f0 | C | [report] UBSAN: array-index-out-of-bounds in dbAllocBits |
syzbot |
sign-in | mailing list | source | docs |
🐞 Open [422] 🐞 Fixed [29] 🐞 Invalid [190] ⬇ Missing Backports [38] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
Date | Name | Commit | Repro | Result |
---|---|---|---|---|
2023/05/20 | upstream (ToT) | 5565ec4ef4f0 | C | [report] UBSAN: array-index-out-of-bounds in dbAllocBits |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
upstream | UBSAN: array-index-out-of-bounds in dbAllocBits jfs | C | inconclusive | error | 232 | 1d12h | 432d | 0/25 | upstream: reported C repro on 2022/10/04 09:00 |
linux-6.1 | UBSAN: array-index-out-of-bounds in dbAllocBits origin:upstream | C | 2 | 6d02h | 205d | 0/3 | upstream: reported C repro on 2023/05/19 04:28 | ||
linux-4.19 | KASAN: use-after-free Read in dbAllocBits | C | error | 2 | 414d | 435d | 0/1 | upstream: reported C repro on 2022/10/01 12:57 |
loop0: detected capacity change from 0 to 32768 ================================================================================ UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2306:2 index 2000 is out of range for type 's64[128]' (aka 'long long[128]') CPU: 0 PID: 3962 Comm: syz-executor219 Not tainted 5.15.112-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 dump_stack+0x1c/0x58 lib/dump_stack.c:113 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282 dbAllocBits+0x8a4/0x8d0 fs/jfs/jfs_dmap.c:2306 dbAllocDmap fs/jfs/jfs_dmap.c:2083 [inline] dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1312 dbAlloc+0x804/0xa18 fs/jfs/jfs_dmap.c:829 ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514 __jfs_setxattr+0x41c/0x13ac fs/jfs/xattr.c:718 __jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87 jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114 set_posix_acl fs/posix_acl.c:947 [inline] posix_acl_xattr_set+0x2cc/0x378 fs/posix_acl.c:966 __vfs_setxattr+0x388/0x3a4 fs/xattr.c:182 __vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277 vfs_setxattr+0x1a8/0x344 fs/xattr.c:303 do_setxattr fs/xattr.c:588 [inline] setxattr+0x250/0x2b4 fs/xattr.c:611 path_setxattr+0x17c/0x258 fs/xattr.c:630 __do_sys_lsetxattr fs/xattr.c:653 [inline] __se_sys_lsetxattr fs/xattr.c:649 [inline] __arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 ================================================================================ ================================================================== BUG: KASAN: slab-out-of-bounds in dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2306 Read of size 8 at addr ffff0000c8ea3eb8 by task syz-executor219/3962 CPU: 0 PID: 3962 Comm: syz-executor219 Not tainted 5.15.112-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x174/0x1e4 mm/kasan/report.c:451 __asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309 dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2306 dbAllocDmap fs/jfs/jfs_dmap.c:2083 [inline] dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1312 dbAlloc+0x804/0xa18 fs/jfs/jfs_dmap.c:829 ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514 __jfs_setxattr+0x41c/0x13ac fs/jfs/xattr.c:718 __jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87 jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114 set_posix_acl fs/posix_acl.c:947 [inline] posix_acl_xattr_set+0x2cc/0x378 fs/posix_acl.c:966 __vfs_setxattr+0x388/0x3a4 fs/xattr.c:182 __vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277 vfs_setxattr+0x1a8/0x344 fs/xattr.c:303 do_setxattr fs/xattr.c:588 [inline] setxattr+0x250/0x2b4 fs/xattr.c:611 path_setxattr+0x17c/0x258 fs/xattr.c:630 __do_sys_lsetxattr fs/xattr.c:653 [inline] __se_sys_lsetxattr fs/xattr.c:649 [inline] __arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 Allocated by task 0: (stack is not available) The buggy address belongs to the object at ffff0000c8ea3000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1720 bytes to the right of 2048-byte region [ffff0000c8ea3000, ffff0000c8ea3800) The buggy address belongs to the page: page:00000000a47a5561 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108ea0 head:00000000a47a5561 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900 raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000c8ea3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000c8ea3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000c8ea3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff0000c8ea3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000c8ea3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== JFS: metapage_get_blocks failed ERROR: (device loop0): release_metapage: write_one_page() failed ERROR: (device loop0): remounting filesystem as read-only
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2023/05/19 07:29 | linux-5.15.y | 9d6bde853685 | 3bb7af1d | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in dbAllocBits | |
2023/06/17 04:22 | linux-5.15.y | 471e639e59d1 | f3921d4d | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-linux-5-15-kasan | UBSAN: array-index-out-of-bounds in dbAllocBits |