syzbot


UBSAN: array-index-out-of-bounds in udf_statfs

Status: fixed on 2021/11/10 00:50
Subsystems: udf
Reported-by: syzbot+7fbfe5fed73ebb675748@syzkaller.appspotmail.com
Fix commit: 781d2a9a2fc7 udf: Check LVID earlier
First crash: 1099d, last: 1006d
Cause bisection: failed (error log, bisect log)
Fix bisection: failed (error log, bisect log)
Discussions (16)
Title | Replies (including bot) | Last reply
[PATCH 5.14 000/334] 5.14.4-rc1 review | 381 (381) | 2021/09/22 06:20
[PATCH 4.19 000/293] 4.19.207-rc1 review | 300 (300) | 2021/09/22 05:34
[PATCH 4.14 000/217] 4.14.247-rc1 review | 220 (220) | 2021/09/22 01:59
[PATCH 4.9 000/175] 4.9.283-rc1 review | 180 (180) | 2021/09/21 15:34
[PATCH 5.10 000/236] 5.10.65-rc1 review | 249 (249) | 2021/09/16 08:48
[PATCH 5.4 000/144] 5.4.146-rc1 review | 151 (151) | 2021/09/15 02:05
[PATCH 5.13 000/300] 5.13.17-rc1 review | 308 (308) | 2021/09/14 15:59
[PATCH AUTOSEL 4.9 01/14] regmap: fix the offset of register error log | 14 (14) | 2021/09/06 01:24
[PATCH AUTOSEL 4.14 01/17] regmap: fix the offset of register error log | 17 (17) | 2021/09/06 01:23
[PATCH AUTOSEL 4.19 01/23] locking/mutex: Fix HANDOFF condition | 23 (23) | 2021/09/06 01:23
[PATCH AUTOSEL 5.4 01/30] locking/mutex: Fix HANDOFF condition | 30 (30) | 2021/09/06 01:22
[PATCH AUTOSEL 5.10 01/39] locking/mutex: Fix HANDOFF condition | 39 (39) | 2021/09/06 01:21
[PATCH AUTOSEL 5.13 01/46] locking/mutex: Fix HANDOFF condition | 46 (46) | 2021/09/06 01:20
[PATCH AUTOSEL 5.14 01/47] locking/mutex: Fix HANDOFF condition | 47 (47) | 2021/09/06 01:19
[PATCH 0/4] udf: Better LVID checking and VLA cleanup | 5 (5) | 2021/05/03 10:12
[syzbot] UBSAN: array-index-out-of-bounds in udf_statfs | 2 (3) | 2021/05/03 08:55
Last patch testing requests (9)
Created | Duration | User | Patch | Repo | Result
2021/08/10 19:10 | 33m | asha.16@itfac.mrt.ac.lk | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | OK
2021/08/10 12:11 | 0m | asha.16@itfac.mrt.ac.lk | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | error OK
2021/08/09 08:25 | 11m | asha.16@itfac.mrt.ac.lk | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log
2021/08/08 22:12 | 0m | asha.16@itfac.mrt.ac.lk | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | error OK
2021/08/08 21:50 | 37m | asha.16@itfac.mrt.ac.lk | - | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log
2021/08/07 10:46 | 6m | asha.16@itfac.mrt.ac.lk | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | error OK
2021/08/03 10:09 | 11m | asha.16@itfac.mrt.ac.lk | - | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log
2021/07/24 20:16 | 11m | asha.16@itfac.mrt.ac.lk | - | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e77a830c8297 | report log
2021/05/31 06:29 | 12m | mudongliangabcd@gmail.com | - | upstream | report log

Sample crash report:
loop0: detected capacity change from 0 to 3974
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000)
================================================================================
UBSAN: array-index-out-of-bounds in fs/udf/super.c:2524:12
index 0 is out of range for type '__le32 [0]'
CPU: 1 PID: 8363 Comm: syz-executor557 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x202/0x31e lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:148 [inline]
 __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:288
 udf_count_free fs/udf/super.c:2524 [inline]
 udf_statfs+0x49f/0xd70 fs/udf/super.c:2408
 statfs_by_dentry fs/statfs.c:66 [inline]
 vfs_statfs+0x136/0x310 fs/statfs.c:90
 user_statfs fs/statfs.c:105 [inline]
 __do_sys_statfs fs/statfs.c:195 [inline]
 __se_sys_statfs+0xe5/0x210 fs/statfs.c:192
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x444579
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc428d7b58 EFLAGS: 00000246 ORIG_RAX: 0000000000000089
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000444579
RDX: 0000000000402b43 RSI: 0000000000000000 RDI: 00000000200001c0
RBP: 0000000000403e10 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffc428d7a20 R11: 0000000000000246 R12: 0000000000403ea0
R13: 0000000000000000 R14: 00000000004b2018 R15: 00000000004004a0
================================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8363 Comm: syz-executor557 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x202/0x31e lib/dump_stack.c:120
 panic+0x2e1/0x850 kernel/panic.c:231
 ubsan_epilogue lib/ubsan.c:162 [inline]
 __ubsan_handle_out_of_bounds+0x12b/0x130 lib/ubsan.c:288
 udf_count_free fs/udf/super.c:2524 [inline]
 udf_statfs+0x49f/0xd70 fs/udf/super.c:2408
 statfs_by_dentry fs/statfs.c:66 [inline]
 vfs_statfs+0x136/0x310 fs/statfs.c:90
 user_statfs fs/statfs.c:105 [inline]
 __do_sys_statfs fs/statfs.c:195 [inline]
 __se_sys_statfs+0xe5/0x210 fs/statfs.c:192
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x444579
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc428d7b58 EFLAGS: 00000246 ORIG_RAX: 0000000000000089
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000444579
RDX: 0000000000402b43 RSI: 0000000000000000 RDI: 00000000200001c0
RBP: 0000000000403e10 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffc428d7a20 R11: 0000000000000246 R12: 0000000000403ea0
R13: 0000000000000000 R14: 00000000004b2018 R15: 00000000004004a0
Kernel Offset: disabled
Rebooting in 86400 seconds..
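UBSAN flags index 0 into a member declared `__le32 [0]`: the freeSpaceTable of the UDF logical volume integrity descriptor (LVID), whose real length is whatever the on-disk numOfPartitions field says. A zero-length declaration gives the sanitizer (and the compiler) nothing to bound the access by, so the only real defence is to validate numOfPartitions and lengthOfImpUse against the size of the block the descriptor was read from before any code indexes the tables; the fix commit's title, "udf: Check LVID earlier", and the "Better LVID checking and VLA cleanup" series listed above point in that direction. The following is an added, self-contained illustration of that check and is not the kernel's code: it models the LVID as a byte buffer using the ECMA-167 3/10.10 field order (an assumed 72-byte fixed prefix before numOfPartitions, tables starting at offset 80), builds constructed 512-byte sample blocks, and shows a statfs-style reader that refuses an out-of-range partition index, including the hostile numOfPartitions case where naive size arithmetic would wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the UDF Logical Volume Integrity Descriptor (LVID).
 * Offsets follow the ECMA-167 3/10.10 field order (tag 16, timestamp 12,
 * integrity type 4, next integrity extent 8, contents use 32 = 72 bytes
 * before numOfPartitions). They are an assumption for this example, not a
 * copy of the kernel's struct. After lengthOfImpUse come variable-length
 * tables whose sizes are dictated entirely by the on-disk fields:
 *   __le32 freeSpaceTable[numOfPartitions]
 *   __le32 sizeTable[numOfPartitions]
 *   uint8  impUse[lengthOfImpUse]
 */
#define OFF_NUM_PARTITIONS 72u
#define OFF_LEN_IMP_USE    76u
#define OFF_TABLES         80u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * The check a mount path should make once, before anything indexes the
 * tables: do the tables the descriptor claims actually fit in the block it
 * was read from? Arithmetic is widened to 64 bits so a hostile
 * numOfPartitions such as 0xffffffff cannot wrap the size computation.
 */
int lvid_tables_fit(const uint8_t *blk, size_t blocksize)
{
    if (blk == NULL || blocksize < OFF_TABLES)
        return 0;
    uint64_t nparts = rd_le32(blk + OFF_NUM_PARTITIONS);
    uint64_t impuse = rd_le32(blk + OFF_LEN_IMP_USE);
    uint64_t need = OFF_TABLES + 2 * nparts * sizeof(uint32_t) + impuse;
    return need <= blocksize;
}

/*
 * What a statfs-style consumer should do: only read freeSpaceTable[part]
 * when the descriptor is well formed and part < numOfPartitions.
 * Returns the free-block count, or -1 when the read would be out of bounds.
 */
int64_t lvid_free_space(const uint8_t *blk, size_t blocksize, uint32_t part)
{
    if (!lvid_tables_fit(blk, blocksize))
        return -1;
    uint32_t nparts = rd_le32(blk + OFF_NUM_PARTITIONS);
    if (part >= nparts)
        return -1;                      /* would index past the table */
    return rd_le32(blk + OFF_TABLES + sizeof(uint32_t) * part);
}

/* Constructed sample images: a 512-byte block (assumed block size). */
enum { SAMPLE_BLOCKSIZE = 512 };

static void make_sample_lvid(uint8_t *blk, uint32_t nparts, uint32_t impuse)
{
    static const uint32_t free_table[] = { 1000, 2000, 3000 };  /* constructed */
    memset(blk, 0, SAMPLE_BLOCKSIZE);
    wr_le32(blk + OFF_NUM_PARTITIONS, nparts);
    wr_le32(blk + OFF_LEN_IMP_USE, impuse);
    for (size_t i = 0; i < sizeof(free_table) / sizeof(free_table[0]); i++)
        wr_le32(blk + OFF_TABLES + 4 * i, free_table[i]);
}

/* Build a sample with the given header fields and query one partition. */
int64_t demo_case(uint32_t nparts, uint32_t impuse, uint32_t part)
{
    uint8_t blk[SAMPLE_BLOCKSIZE];
    make_sample_lvid(blk, nparts, impuse);
    return lvid_free_space(blk, SAMPLE_BLOCKSIZE, part);
}

int main(void)
{
    printf("2 partitions, part 0   -> %lld\n", (long long)demo_case(2, 0, 0));
    printf("2 partitions, part 2   -> %lld\n", (long long)demo_case(2, 0, 2));
    printf("0 partitions, part 0   -> %lld\n", (long long)demo_case(0, 0, 0));
    printf("0xffffffff partitions  -> %lld\n", (long long)demo_case(0xffffffffu, 0, 0));
    printf("54 partitions (fits)   -> %lld\n", (long long)demo_case(54, 0, 0));
    printf("55 partitions (no fit) -> %lld\n", (long long)demo_case(55, 0, 0));
    return 0;
}
```

The size check belongs at descriptor load time, not in every consumer: once the mount path has established that `2 * numOfPartitions * 4 + lengthOfImpUse` fits in the block, a later reader such as statfs only needs the cheap `part < numOfPartitions` comparison. Declaring the tables as proper C99 flexible array members (or computing their addresses from the validated counts, as the model above does) also removes the `__le32 [0]` type that UBSAN cannot reason about.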

Crashes (3):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2021/04/24 12:21 | upstream | e77a830c8297 | 17f0b706 | .config | console log | report | syz | C | - | - | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in udf_statfs
2021/07/25 15:42 | upstream | 6498f6151825 | 4d1b57d4 | .config | console log | report | - | - | info | - | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in udf_statfs
2021/04/24 08:49 | upstream | e77a830c8297 | 17f0b706 | .config | console log | report | - | - | info | - | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in udf_statfs