syzbot


UBSAN: array-index-out-of-bounds in dbNextAG

Status: upstream: reported C repro on 2024/07/07 08:53
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+c7f0060fd81760265d6a@syzkaller.appspotmail.com
First crash: 95d, last: 2d06h
Bug presence (1)
Date Name Commit Repro Result
2024/07/13 upstream (ToT) 975f3b6da180 C [report] UBSAN: array-index-out-of-bounds in dbNextAG
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 UBSAN: array-index-out-of-bounds in dbNextAG origin:upstream missing-backport C 3 1d17h 95d 0/3 upstream: reported C repro on 2024/07/07 08:50
upstream UBSAN: array-index-out-of-bounds in dbNextAG (2) jfs C inconclusive 53 21d 91d 27/28 upstream: reported C repro on 2024/07/11 08:55
upstream UBSAN: array-index-out-of-bounds in dbNextAG jfs C inconclusive inconclusive 52 317d 745d 25/28 fixed on 2023/12/21 01:43
linux-4.19 KASAN: use-after-free Read in dbNextAG jfs C error 12 641d 746d 0/1 upstream: reported C repro on 2022/09/25 01:19
linux-4.14 KASAN: use-after-free Read in dbNextAG C 2 597d 746d 0/1 upstream: reported C repro on 2022/09/25 01:19
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2024/10/08 05:11 2h16m bisect fix linux-5.15.y OK (0) job log log
2024/08/24 20:28 54m bisect fix linux-5.15.y OK (0) job log log

Sample crash report:
loop0: detected capacity change from 0 to 32768
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:661:7
index 128 is out of range for type 's64[128]' (aka 'long long[128]')
CPU: 0 PID: 3500 Comm: syz-executor258 Not tainted 5.15.162-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0x118/0x140 lib/ubsan.c:282
 dbNextAG+0x3ef/0x630 fs/jfs/jfs_dmap.c:661
 diAlloc+0x6c2/0x1750 fs/jfs/jfs_imap.c:1369
 ialloc+0x8b/0x970 fs/jfs/jfs_inode.c:56
 jfs_create+0x1ba/0xbb0 fs/jfs/namei.c:92
 lookup_open fs/namei.c:3462 [inline]
 open_last_lookups fs/namei.c:3532 [inline]
 path_openat+0x130a/0x2f20 fs/namei.c:3739
 do_filp_open+0x21c/0x460 fs/namei.c:3769
 do_sys_openat2+0x13b/0x500 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1280
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fa7480b1a99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb642ad68 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa7480b1a99
RDX: 000000000000275a RSI: 00000000200005c0 RDI: 00000000ffffff9c
RBP: 00007fa74812b5f0 R08: 00005555562944c0 R09: 00005555562944c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb642ad90
R13: 00007ffdb642afb8 R14: 431bde82d7b634db R15: 00007fa7480fa03b
 </TASK>
================================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/07/12 22:20 linux-5.15.y f45bea23c39c eaeb5c15 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dbNextAG
2024/08/25 10:10 linux-5.15.y fa93fa65db6e d7d32352 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dbNextAG
2024/07/07 08:53 linux-5.15.y f45bea23c39c 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dbNextAG
2024/07/07 08:53 linux-5.15.y f45bea23c39c 2a40360c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dbNextAG
* Struck through repros no longer work on HEAD.