Return immediately if the needed free bits span a full word to avoid
out-of-bounds shifting.
#syz test
Reported-by: syzbot+9e90a1c5eedb9dc4c6cc@syzkaller.appspotmail.com
Signed-off-by: Matt Jan <zoo868e@gmail.com>
---
Changes in v3: Return the result earlier instead of asserting it
Changes in v2: Test if the patch resolves the issue through syzbot and
reference the reporter.
fs/jfs/jfs_dmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 974ecf5e0d95..45b7a393b769 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3012,6 +3012,11 @@ static int dbFindBits(u32 word, int l2nb)
int bitno, nb;
u32 mask;
+ /* return immediately if the number of free bits is a word
+ */
+ if (l2nb == BUDMIN)
+ return (!!word) << BUDMIN;
+
/* get the number of bits.
*/
nb = 1 << l2nb;
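Review bot: The early return at `+ if (l2nb == BUDMIN)` avoids the out-of-bounds shift but turns a corrupt dmap into a silently accepted result. When `word` is non-zero, `(!!word) << BUDMIN` evaluates to `1 << BUDMIN`, which is one past the last valid bit index of a word (the commit message describes `l2nb == BUDMIN` as the case where the requested run spans the whole word, and `nb = 1 << l2nb` is the word size), and since dbFindBits has no error return the caller cannot distinguish "no free run found" from a real bit number. A request for a full word should never reach dbFindBits, so the check belongs at the call site: validate `l2nb` (and the leaf value it was derived from) in dbAllocDmapLev and return -EIO there rather than continuing as if the bitmap were consistent. Minor: the comment "the number of free bits is a word" is misleading; it is the number of requested bits, not the number of free bits, that equals a word.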
--
2.25.1
On 10/25/24 12:00PM, Matt Jan wrote:
> Return immediately if the needed free bits span a full word to avoid
> out-of-bounds shifting.

dbFindBits really shouldn't be called with l2nb == BUDMIN. Something in the dmap is corrupt and this patch just lets things continue as if nothing is wrong.

I think a sanity check in dbAllocDmapLev where we can return -EIO makes more sense.

Shaggy

>
> #syz test
>
> Reported-by: syzbot+9e90a1c5eedb9dc4c6cc@syzkaller.appspotmail.com
> Signed-off-by: Matt Jan <zoo868e@gmail.com>
> ---
> Changes in v3: Return the result earlier instead of asserting it
> Changes in v2: Test if the patch resolves the issue through syzbot and
> reference the reporter.
>
> fs/jfs/jfs_dmap.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index 974ecf5e0d95..45b7a393b769 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -3012,6 +3012,11 @@ static int dbFindBits(u32 word, int l2nb)
> int bitno, nb;
> u32 mask;
>
> + /* return immediately if the number of free bits is a word
> + */
> + if (l2nb == BUDMIN)
> + return (!!word) << BUDMIN;
> +
> /* get the number of bits.
> */
> nb = 1 << l2nb;
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+9e90a1c5eedb9dc4c6cc@syzkaller.appspotmail.com
Tested-by: syzbot+9e90a1c5eedb9dc4c6cc@syzkaller.appspotmail.com

Tested on:

commit:         ae90f6a6 Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1274aebb980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=9e90a1c5eedb9dc4c6cc
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1254aebb980000

Note: testing is done by a robot and is best-effort only.