syzbot


UBSAN: shift-out-of-bounds in ntfs_read_inode_mount

Status: upstream: reported C repro on 2023/03/03 17:36
Subsystems: ntfs3
[Documentation on labels]
Reported-by: syzbot+c601e38d15ce8253186a@syzkaller.appspotmail.com
First crash: 360d, last: 48d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: fixed by (bisect log) :
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [ntfs?] UBSAN: shift-out-of-bounds in ntfs_read_inode_mount 0 (3) 2024/02/19 22:18
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 UBSAN: shift-out-of-bounds in ntfs_read_inode_mount origin:upstream C 1 29d 226d 0/3 upstream: reported C repro on 2023/07/15 21:00
linux-6.1 UBSAN: shift-out-of-bounds in ntfs_read_inode_mount origin:upstream C 2 4d03h 260d 0/3 upstream: reported C repro on 2023/06/11 05:24
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/02/10 20:52 21m retest repro upstream OK log
2024/01/28 04:01 21m retest repro upstream OK log
2024/01/09 02:48 28m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/01/09 02:45 16m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/12/17 21:39 10m retest repro upstream report log
2023/12/02 07:45 13m retest repro upstream report log
2023/11/18 07:26 15m retest repro upstream report log
2023/10/31 01:46 17m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/09/05 03:37 9m retest repro upstream report log
2023/08/22 01:16 26m retest repro upstream report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2024/02/19 17:27 4h49m bisect fix upstream job log (1)
2023/10/08 20:12 1h19m bisect fix upstream job log (0) log

Sample crash report:
ntfs: (device loop0): parse_options(): Option utf8 is no longer supported, using option nls=utf8. Please use option nls=utf8 in the future and make sure utf8 is compiled either as a module or into the kernel.
================================================================================
UBSAN: shift-out-of-bounds in fs/ntfs/inode.c:1080:43
shift exponent 267 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 5969 Comm: syz-executor382 Not tainted 6.4.0-rc5-syzkaller-gd8b213732169 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_shift_out_of_bounds+0x2f4/0x36c lib/ubsan.c:387
 ntfs_read_locked_inode+0x35b4/0x38e0 fs/ntfs/inode.c:1080
 ntfs_read_inode_mount+0xbb0/0x2044 fs/ntfs/inode.c:2098
 ntfs_fill_super+0x13b4/0x2314 fs/ntfs/super.c:2863
 mount_bdev+0x274/0x370 fs/super.c:1380
 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
 vfs_get_tree+0x90/0x274 fs/super.c:1510
 do_new_mount+0x25c/0x8c4 fs/namespace.c:3039
 path_mount+0x590/0xe04 fs/namespace.c:3369
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:191
 el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
================================================================================
================================================================================
UBSAN: shift-out-of-bounds in fs/ntfs/inode.c:1089:11
shift exponent 255 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 5969 Comm: syz-executor382 Not tainted 6.4.0-rc5-syzkaller-gd8b213732169 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_shift_out_of_bounds+0x2f4/0x36c lib/ubsan.c:387
 ntfs_read_locked_inode+0x35d0/0x38e0 fs/ntfs/inode.c:1089
 ntfs_read_inode_mount+0xbb0/0x2044 fs/ntfs/inode.c:2098
 ntfs_fill_super+0x13b4/0x2314 fs/ntfs/super.c:2863
 mount_bdev+0x274/0x370 fs/super.c:1380
 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
 vfs_get_tree+0x90/0x274 fs/super.c:1510
 do_new_mount+0x25c/0x8c4 fs/namespace.c:3039
 path_mount+0x590/0xe04 fs/namespace.c:3369
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:191
 el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
================================================================================
ntfs: (device loop0): check_mft_mirror(): $MFT and $MFTMirr (record 0) do not match.  Run ntfsfix or chkdsk.
ntfs: (device loop0): load_system_files(): $MFTMirr does not match $MFT.  Mounting read-only.  Run ntfsfix and/or chkdsk.
ntfs: (device loop0): map_mft_record(): Failed with error code 13.
ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -13.  Marking corrupt inode 0xa as bad.  Run chkdsk.
ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
ntfs: (device loop0): map_mft_record(): Failed with error code 13.
ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -13.  Marking corrupt inode 0x4 as bad.  Run chkdsk.
ntfs: (device loop0): load_and_init_attrdef(): Failed to initialize attribute definition table.
ntfs: (device loop0): ntfs_fill_super(): Failed to load system files.

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/06/11 04:58 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d8b213732169 7086cdb9 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 UBSAN: shift-out-of-bounds in ntfs_read_inode_mount
2023/11/04 05:12 upstream 8f6f76a6a29f 500bfdc4 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in ntfs_read_inode_mount
2023/07/10 22:41 upstream 3f01e9fed845 52ae002a .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in ntfs_read_inode_mount
2023/06/11 05:05 upstream 022ce8862dff 49519f06 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: shift-out-of-bounds in ntfs_read_inode_mount
2023/03/03 07:59 upstream 04a357b1f6f0 f8902b57 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: shift-out-of-bounds in ntfs_read_inode_mount
2023/03/17 09:16 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fe15c26ee26e 18b58603 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 UBSAN: shift-out-of-bounds in ntfs_read_inode_mount
* Struck through repros no longer work on HEAD.