| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2024/04/01 | upstream (ToT) | 39cd87c4eb2b | C | [report] UBSAN: array-index-out-of-bounds in jfs_readdir |
syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [560] 🐞 Fixed [32] 🐞 Invalid [300] ⬇ Missing Backports [45] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2024/04/01 | upstream (ToT) | 39cd87c4eb2b | C | [report] UBSAN: array-index-out-of-bounds in jfs_readdir |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: slab-out-of-bounds Read in jfs_readdir jfs | C | error | done | 17 | 115d | 476d | 26/26 | fixed on 2024/03/20 11:33 |
| linux-6.1 | UBSAN: array-index-out-of-bounds in jfs_readdir origin:upstream | C | 31 | 6d13h | 31d | 0/3 | upstream: reported C repro on 2024/04/01 00:16 | ||
| upstream | UBSAN: array-index-out-of-bounds in jfs_readdir jfs | C | inconclusive | 28 | 4d16h | 31d | 0/26 | upstream: reported C repro on 2024/04/01 14:07 | |
| linux-4.14 | KASAN: slab-out-of-bounds Read in jfs_readdir jfs | 1 | 476d | 476d | 0/1 | upstream: reported on 2023/01/12 07:34 | |||
| linux-4.19 | KASAN: slab-out-of-bounds Read in jfs_readdir jfs | 2 | 476d | 476d | 0/1 | upstream: reported on 2023/01/12 07:27 |
loop0: detected capacity change from 0 to 32768 ================================================================================ UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3190:30 index -1 is out of range for type 'struct dtslot[128]' CPU: 1 PID: 3958 Comm: syz-executor101 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 dump_stack+0x1c/0x58 lib/dump_stack.c:113 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282 jfs_readdir+0x16a4/0x385c fs/jfs/jfs_dtree.c:3190 iterate_dir+0x1f4/0x4e4 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 ================================================================================ ================================================================================ UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:2945:28 index -1 is out of range for type 'struct dtslot[128]' CPU: 1 PID: 3958 Comm: syz-executor101 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 dump_stack+0x1c/0x58 lib/dump_stack.c:113 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282 add_missing_indices fs/jfs/jfs_dtree.c:2945 [inline] jfs_readdir+0x1f54/0x385c fs/jfs/jfs_dtree.c:3307 iterate_dir+0x1f4/0x4e4 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 ================================================================================ ================================================================================ UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:750:12 index 255 is out of range for type 'struct dtslot[128]' CPU: 1 PID: 3958 Comm: syz-executor101 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 dump_stack+0x1c/0x58 lib/dump_stack.c:113 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282 diWrite+0xbcc/0x1604 fs/jfs/jfs_imap.c:750 txCommit+0x754/0x55b0 fs/jfs/jfs_txnmgr.c:1255 add_missing_indices fs/jfs/jfs_dtree.c:2959 [inline] jfs_readdir+0x1fd0/0x385c fs/jfs/jfs_dtree.c:3307 iterate_dir+0x1f4/0x4e4 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 ================================================================================ ================================================================================ UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:750:35 index 255 is out of range for type 'struct dtslot[128]' CPU: 1 PID: 3958 Comm: syz-executor101 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 dump_stack+0x1c/0x58 lib/dump_stack.c:113 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282 diWrite+0xc24/0x1604 fs/jfs/jfs_imap.c:750 txCommit+0x754/0x55b0 fs/jfs/jfs_txnmgr.c:1255 add_missing_indices fs/jfs/jfs_dtree.c:2959 [inline] jfs_readdir+0x1fd0/0x385c fs/jfs/jfs_dtree.c:3307 iterate_dir+0x1f4/0x4e4 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 ================================================================================ ================================================================== BUG: KASAN: slab-out-of-bounds in diWrite+0xb48/0x1604 fs/jfs/jfs_imap.c:750 Read of size 32 at addr ffff0000df8e5110 by task syz-executor101/3958 CPU: 1 PID: 3958 Comm: syz-executor101 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call trace: dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x174/0x1e4 mm/kasan/report.c:451 kasan_check_range+0x274/0x2b4 mm/kasan/generic.c:189 memcpy+0x90/0xe8 mm/kasan/shadow.c:65 diWrite+0xb48/0x1604 fs/jfs/jfs_imap.c:750 txCommit+0x754/0x55b0 fs/jfs/jfs_txnmgr.c:1255 add_missing_indices fs/jfs/jfs_dtree.c:2959 [inline] jfs_readdir+0x1fd0/0x385c fs/jfs/jfs_dtree.c:3307 iterate_dir+0x1f4/0x4e4 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64 fs/readdir.c:354 [inline] __arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 Allocated by task 0: (stack is not available) The buggy address belongs to the object at ffff0000df8e4a00 which belongs to the cache jfs_ip of size 2240 The buggy address is located 1808 bytes inside of 2240-byte region [ffff0000df8e4a00, ffff0000df8e52c0) The buggy address belongs to the page: page:00000000b0f34806 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f8e0 head:00000000b0f34806 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c650b380 raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000df8e5000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000df8e5080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000df8e5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff0000df8e5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000df8e5200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0 ERROR: (device loop0): remounting filesystem as read-only ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 1 ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 2 ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 3 ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 4
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/04/01 04:28 | linux-5.15.y | 9465fef4ae35 | 6baf5069 | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | |
| 2024/04/17 01:03 | linux-5.15.y | fa3df276cd36 | 18f6e127 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/14 02:33 | linux-5.15.y | fa3df276cd36 | c8349e48 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/14 02:33 | linux-5.15.y | fa3df276cd36 | c8349e48 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/14 02:33 | linux-5.15.y | fa3df276cd36 | c8349e48 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/03 02:49 | linux-5.15.y | 9465fef4ae35 | 7925100d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/02 22:44 | linux-5.15.y | 9465fef4ae35 | eb2966c4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/02 21:14 | linux-5.15.y | 9465fef4ae35 | eb2966c4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/02 14:34 | linux-5.15.y | 9465fef4ae35 | eb2966c4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/02 14:34 | linux-5.15.y | 9465fef4ae35 | eb2966c4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/01 20:51 | linux-5.15.y | 9465fef4ae35 | 6baf5069 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/01 15:45 | linux-5.15.y | 9465fef4ae35 | 6baf5069 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/01 15:18 | linux-5.15.y | 9465fef4ae35 | 6baf5069 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/01 00:51 | linux-5.15.y | 9465fef4ae35 | 6baf5069 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir | ||
| 2024/04/01 00:19 | linux-5.15.y | 9465fef4ae35 | 6baf5069 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | UBSAN: array-index-out-of-bounds in jfs_readdir |