syzbot


UBSAN: array-index-out-of-bounds in dquot_resume

Status: fixed on 2021/03/10 01:48
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com
Fix commit: e51d68e76d60 fs: quota: fix array-index-out-of-bounds bug by passing correct argument to vfs_cleanup_quota_inode()
First crash: 1199d, last: 1199d
Cause bisection: introduced by (bisect log) :
commit ae45f07d47cc30e9170488a4e5fe91ba4fe5ed4e
Author: Jan Kara <jack@suse.cz>
Date: Fri Nov 1 16:51:05 2019 +0000

  quota: Simplify dquot_resume()

Crash: UBSAN: undefined-behaviour in vfs_cleanup_quota_inode (log)
Repro: C syz .config
  
Discussions (4)
Title Replies (including bot) Last reply
[PATCH 5.10 00/40] 5.10.3-rc1 review 60 (60) 2021/01/06 23:56
[PATCH] fs: quota: fix array-index-out-of-bounds bug by passing correct argument to vfs_cleanup_quota_inode() 3 (3) 2020/12/09 17:53
[PATCH] quota: Fix error handling path of dquot_resume() 1 (1) 2020/12/08 14:22
UBSAN: array-index-out-of-bounds in dquot_resume 0 (1) 2020/12/07 19:03
Last patch testing requests (1)
Created Duration User Patch Repo Result
2020/12/08 07:51 19m anant.thazhemadam@gmail.com patch upstream OK

Sample crash report:
EXT4-fs (loop0): warning: mounting fs with errors, running e2fsck is recommended
================================================================================
UBSAN: array-index-out-of-bounds in fs/quota/dquot.c:2169:24
index -1 is out of range for type 'struct inode *[3]'
CPU: 0 PID: 8448 Comm: syz-executor007 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:356
 vfs_cleanup_quota_inode fs/quota/dquot.c:2169 [inline]
 dquot_resume+0x3f1/0x440 fs/quota/dquot.c:2458
 ext4_remount+0x2455/0x3230 fs/ext4/super.c:6018
 reconfigure_super+0x3b4/0x7b0 fs/super.c:957
 do_remount fs/namespace.c:2612 [inline]
 path_mount+0x1a1f/0x2a20 fs/namespace.c:3197
 do_mount fs/namespace.c:3218 [inline]
 __do_sys_mount fs/namespace.c:3426 [inline]
 __se_sys_mount+0x28c/0x320 fs/namespace.c:3403
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44c99a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd ab fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba ab fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007fa03c8b9ba8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 000000000044c99a
RDX: 0000000020000540 RSI: 0000000020000580 RDI: 0000000000000000
RBP: 00007fa03c8ba6d0 R08: 00007fa03c8b9c40 R09: 0000000000240038
R10: 0000000000240038 R11: 0000000000000297 R12: 00000000ffffffff
R13: 0000000000000000 R14: 0000000000000000 R15: 00007fa03c8b9c40
================================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/05 23:29 upstream b3298500b23f 50503117 .config console log report syz C ci-upstream-kasan-gce-smack-root
* Struck through repros no longer work on HEAD.