syzbot

 sign-in | mailing list | source | docs
🐞 Open [539] 🐞 Fixed [32] 🐞 Invalid [295] Missing Backports [44] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

UBSAN: array-index-out-of-bounds in dbAllocBits

Status: upstream: reported C repro on 2023/05/19 07:30
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+76c960a839deb49a86ec@syzkaller.appspotmail.com
First crash: 340d, last: 311d
Fix bisection: failed (error log, bisect log)
  
Bug presence (1)
Date Name Commit Repro Result
2023/05/20 upstream (ToT) 5565ec4ef4f0 C [report] UBSAN: array-index-out-of-bounds in dbAllocBits
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: array-index-out-of-bounds in dbAllocBits jfs C inconclusive error 234 116d 567d 0/26 auto-obsoleted due to no activity on 2024/03/07 21:48
linux-6.1 UBSAN: array-index-out-of-bounds in dbAllocBits origin:upstream C 2 4d12h 340d 0/3 upstream: reported C repro on 2023/05/19 04:28
linux-4.19 KASAN: use-after-free Read in dbAllocBits C error 2 548d 570d 0/1 upstream: reported C repro on 2022/10/01 12:57

Sample crash report:
loop0: detected capacity change from 0 to 32768
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2306:2
index 2000 is out of range for type 's64[128]' (aka 'long long[128]')
CPU: 0 PID: 3962 Comm: syz-executor219 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282
 dbAllocBits+0x8a4/0x8d0 fs/jfs/jfs_dmap.c:2306
 dbAllocDmap fs/jfs/jfs_dmap.c:2083 [inline]
 dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1312
 dbAlloc+0x804/0xa18 fs/jfs/jfs_dmap.c:829
 ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
 __jfs_setxattr+0x41c/0x13ac fs/jfs/xattr.c:718
 __jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
 jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
 set_posix_acl fs/posix_acl.c:947 [inline]
 posix_acl_xattr_set+0x2cc/0x378 fs/posix_acl.c:966
 __vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
 __vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
 vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
 do_setxattr fs/xattr.c:588 [inline]
 setxattr+0x250/0x2b4 fs/xattr.c:611
 path_setxattr+0x17c/0x258 fs/xattr.c:630
 __do_sys_lsetxattr fs/xattr.c:653 [inline]
 __se_sys_lsetxattr fs/xattr.c:649 [inline]
 __arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
================================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2306
Read of size 8 at addr ffff0000c8ea3eb8 by task syz-executor219/3962

CPU: 0 PID: 3962 Comm: syz-executor219 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
 dbAllocBits+0x7a8/0x8d0 fs/jfs/jfs_dmap.c:2306
 dbAllocDmap fs/jfs/jfs_dmap.c:2083 [inline]
 dbAllocNear+0x224/0x334 fs/jfs/jfs_dmap.c:1312
 dbAlloc+0x804/0xa18 fs/jfs/jfs_dmap.c:829
 ea_get+0x6f8/0xef0 fs/jfs/xattr.c:514
 __jfs_setxattr+0x41c/0x13ac fs/jfs/xattr.c:718
 __jfs_set_acl+0x108/0x1a4 fs/jfs/acl.c:87
 jfs_set_acl+0x1f0/0x45c fs/jfs/acl.c:114
 set_posix_acl fs/posix_acl.c:947 [inline]
 posix_acl_xattr_set+0x2cc/0x378 fs/posix_acl.c:966
 __vfs_setxattr+0x388/0x3a4 fs/xattr.c:182
 __vfs_setxattr_noperm+0x110/0x528 fs/xattr.c:216
 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:277
 vfs_setxattr+0x1a8/0x344 fs/xattr.c:303
 do_setxattr fs/xattr.c:588 [inline]
 setxattr+0x250/0x2b4 fs/xattr.c:611
 path_setxattr+0x17c/0x258 fs/xattr.c:630
 __do_sys_lsetxattr fs/xattr.c:653 [inline]
 __se_sys_lsetxattr fs/xattr.c:649 [inline]
 __arm64_sys_lsetxattr+0xbc/0xd8 fs/xattr.c:649
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 0:
(stack is not available)

The buggy address belongs to the object at ffff0000c8ea3000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1720 bytes to the right of
 2048-byte region [ffff0000c8ea3000, ffff0000c8ea3800)
The buggy address belongs to the page:
page:00000000a47a5561 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108ea0
head:00000000a47a5561 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c8ea3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000c8ea3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c8ea3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                        ^
 ffff0000c8ea3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000c8ea3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
JFS: metapage_get_blocks failed
ERROR: (device loop0): release_metapage: write_one_page() failed

ERROR: (device loop0): remounting filesystem as read-only

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/05/19 07:29 linux-5.15.y 9d6bde853685 3bb7af1d .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dbAllocBits
2023/06/17 04:22 linux-5.15.y 471e639e59d1 f3921d4d .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dbAllocBits
* Struck through repros no longer work on HEAD.