From: Farhad Alemi
X-Mailer: git-send-email 2.43.0
Date: Mon, 25 May 2026 18:50:53 -0700
Subject: [PATCH] ufs: reject inconsistent on-disk fshift
To: Al Viro
Cc: Kees Cook, linux-kernel@vger.kernel.org

ufs_fill_super() reads uspi->s_fshift directly from the on-disk superblock
(usb1->fs_fshift) and later uses it as the shift exponent in
ubh_bread_uspi(), without checking that it matches the already-validated
s_fsize.

The s_fsize/s_bsize range and power-of-two checks at the same site leave
s_fshift unverified, so a crafted image can supply a valid s_fsize and an
out-of-range s_fshift, take the "goto again" path back to the second
ubh_bread_uspi() call, and trigger UBSAN on the size >> uspi->s_fshift
expression:

  UBSAN: shift-out-of-bounds in fs/ufs/util.c:55:15
  shift exponent 8454156 is too large for 64-bit type 'u64'
  Call Trace:
   __ubsan_handle_shift_out_of_bounds+0x385/0x410 lib/ubsan.c:494
   ubh_bread_uspi+0x37e/0x390 fs/ufs/util.c:55
   ufs_fill_super+0x1412/0x75c0 fs/ufs/super.c:936
   get_tree_bdev_flags+0x436/0x500 fs/super.c:1698
   vfs_get_tree+0x97/0x2b0 fs/super.c:1758
   do_new_mount+0x32e/0xa50 fs/namespace.c:3728
   __se_sys_mount+0x322/0x420 fs/namespace.c:4216

With panic_on_warn this is promoted to a kernel panic. Trigger requires
the ability to mount a crafted image (CAP_SYS_ADMIN or equivalent).

s_fshift and s_fsize encode the same value redundantly: s_fshift is
ilog2(s_fsize). Since s_fsize is already validated to be a power of two
in [512, 4096] just above, require s_fshift to equal ilog2(s_fsize) and
reject the image otherwise. This also protects the many other shifts that
consume uspi->s_fshift across fs/ufs/.

Reported-by: Farhad Alemi
Signed-off-by: Farhad Alemi --- fs/ufs/super.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/ufs/super.c b/fs/ufs/super.c index c4831a8b9b3f..dc3b4956faeb 100644 --- a/fs/ufs/super.c +++ b/fs/ufs/super.c @@ -1018,6 +1018,11 @@ static int ufs_fill_super(struct super_block *sb, struct fs_context *fc) __func__, uspi->s_fsize); goto failed; } + if (uspi->s_fshift !=3D ilog2(uspi->s_fsize)) { + pr_err("%s(): inconsistent fshift %u for fsize %u\n", + __func__, uspi->s_fshift, uspi->s_fsize); + goto failed; + } if (!is_power_of_2(uspi->s_bsize)) { pr_err("%s(): block size %u is not a power of 2\n", __func__, uspi->s_bsize); --=20 2.43.0
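Review bot: the new `if (uspi->s_fshift != ilog2(uspi->s_fsize))` test is only exact because the fragment-size check immediately above it has already rejected any s_fsize that is zero, out of [512, 4096] or not a power of two; that ordering dependency is invisible in the hunk itself, so a short comment on the new block (e.g. `/* s_fsize is a power of two (checked above), so ilog2() is exact */`) would keep a later reordering of the checks from silently weakening it. The trailing context line `if (!is_power_of_2(uspi->s_bsize))` shows the block size receives the same power-of-two validation; if the superblock also carries a redundant block-size shift, the same equality check against ilog2() of the validated size would close the analogous gap, either here or as a follow-up. The message format (`%u` for both s_fshift and s_fsize, `goto failed` on rejection) matches the neighbouring checks, so no style change is needed.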
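As an added illustration of the consistency rule the patch enforces, below is a user-space model of the superblock geometry validation. This is example code written for this review, not code from fs/ufs/ or from the patch author; the names toy_ufs_sb, validate_geometry, frag_count and ilog2_u32 are hypothetical, and only the roles of the fields (fragment size, block size, claimed fragment shift) mirror the on-disk UFS superblock. It goes slightly beyond the patch in one respect: the consumer that performs `size >> fshift` refuses to shift at all unless the geometry has passed validation, which is the general defensive pattern for any shift exponent that originates from untrusted on-disk data.

```c
/* Added example (not from the patch or from fs/ufs/): a user-space model of
 * the superblock geometry validation added to ufs_fill_super(). Struct and
 * function names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the superblock fields the check involves. */
struct toy_ufs_sb {
    uint32_t fs_fsize;   /* fragment size in bytes */
    uint32_t fs_bsize;   /* block size in bytes */
    uint32_t fs_fshift;  /* claimed log2(fs_fsize), stored redundantly on disk */
};

enum geom_status {
    GEOM_OK = 0,
    GEOM_BAD_FSIZE,      /* fragment size outside [512, 4096] or not 2^n */
    GEOM_BAD_FSHIFT,     /* fs_fshift != ilog2(fs_fsize): the case the patch adds */
    GEOM_BAD_BSIZE       /* block size not a power of two */
};

static bool is_power_of_2(uint32_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

/* Exact log2 of a nonzero power of two. Callers must establish that
 * precondition first, just as the kernel's ilog2() is only meaningful
 * after the s_fsize test. */
static uint32_t ilog2_u32(uint32_t v)
{
    uint32_t r = 0;
    while (v > 1) {
        v >>= 1;
        r++;
    }
    return r;
}

/* Same ordering as ufs_fill_super(): range and power-of-two checks on the
 * size first, then the redundant shift field must agree with that size. */
enum geom_status validate_geometry(const struct toy_ufs_sb *sb)
{
    if (sb->fs_fsize < 512 || sb->fs_fsize > 4096 || !is_power_of_2(sb->fs_fsize))
        return GEOM_BAD_FSIZE;
    if (sb->fs_fshift != ilog2_u32(sb->fs_fsize))
        return GEOM_BAD_FSHIFT;
    if (!is_power_of_2(sb->fs_bsize))
        return GEOM_BAD_BSIZE;
    return GEOM_OK;
}

/* Models the consumer at fs/ufs/util.c:55 (`size >> uspi->s_fshift`) as a
 * function that never shifts by an unvalidated exponent. Returns -1 instead
 * of performing an out-of-range shift or accepting an unaligned size. */
int64_t frag_count(const struct toy_ufs_sb *sb, uint64_t size)
{
    if (validate_geometry(sb) != GEOM_OK)
        return -1;
    if (size & (sb->fs_fsize - 1))      /* size must be fragment-aligned */
        return -1;
    return (int64_t)(size >> sb->fs_fshift);
}

int main(void)
{
    /* Constructed sample images: a consistent one, one carrying the shift
     * value from the UBSAN report, and one whose fshift is merely off by one. */
    struct toy_ufs_sb good    = { .fs_fsize = 1024, .fs_bsize = 8192, .fs_fshift = 10 };
    struct toy_ufs_sb crafted = { .fs_fsize = 1024, .fs_bsize = 8192, .fs_fshift = 8454156 };
    struct toy_ufs_sb off_by1 = { .fs_fsize = 4096, .fs_bsize = 8192, .fs_fshift = 11 };

    printf("good:    status=%d frags(8192)=%lld\n",
           validate_geometry(&good), (long long)frag_count(&good, 8192));
    printf("crafted: status=%d frags(8192)=%lld\n",
           validate_geometry(&crafted), (long long)frag_count(&crafted, 8192));
    printf("off_by1: status=%d frags(8192)=%lld\n",
           validate_geometry(&off_by1), (long long)frag_count(&off_by1, 8192));
    return 0;
}
```

The point of modelling the consumer separately is that the patch fixes the shift at its source (the superblock parser), while the ubh_bread_uspi() path remains safe only because every caller reaches it through that parser; keeping the validation adjacent to the size checks, as the patch does, is what makes that guarantee easy to audit.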