diff mbox series

[v2] ocfs2: Fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()

Message ID ZsPvwQAXd5R/jNY+@hostname (mailing list archive)
State New
Headers show
Series [v2] ocfs2: Fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume() | expand

Commit Message

qasdev Aug. 20, 2024, 1:22 a.m. UTC
This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function, identified by UBSAN. The bug was triggered
by an invalid s_clustersize_bits value (e.g., 1548), which caused the
expression "1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)"
to exceed the limits of a 32-bit integer,
leading to an out-of-bounds shift.

Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
---
 fs/ocfs2/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Joseph Qi Aug. 20, 2024, 1:27 a.m. UTC | #1
On 8/20/24 9:22 AM, qasdev wrote:
> This patch addresses a shift-out-of-bounds error in the
> ocfs2_verify_volume() function, identified by UBSAN. The bug was triggered
> by an invalid s_clustersize_bits value (e.g., 1548), which caused the
> expression "1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)"
> to exceed the limits of a 32-bit integer,
> leading to an out-of-bounds shift.
> 
> Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
> Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
> Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>

Looks fine.
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> ---
>  fs/ocfs2/super.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
> index afee70125ae3..b704983b2112 100644
> --- a/fs/ocfs2/super.c
> +++ b/fs/ocfs2/super.c
> @@ -2357,8 +2357,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
>  			     (unsigned long long)bh->b_blocknr);
>  		} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
>  			    le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
> -			mlog(ML_ERROR, "bad cluster size found: %u\n",
> -			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
> +			mlog(ML_ERROR, "bad cluster size bit found: %u\n",
> +			     le32_to_cpu(di->id2.i_super.s_clustersize_bits));
>  		} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
>  			mlog(ML_ERROR, "bad root_blkno: 0\n");
>  		} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
diff mbox series

Patch

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index afee70125ae3..b704983b2112 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2357,8 +2357,8 @@  static int ocfs2_verify_volume(struct ocfs2_dinode *di,
 			     (unsigned long long)bh->b_blocknr);
 		} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
 			    le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-			mlog(ML_ERROR, "bad cluster size found: %u\n",
-			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+			mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+			     le32_to_cpu(di->id2.i_super.s_clustersize_bits));
 		} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
 			mlog(ML_ERROR, "bad root_blkno: 0\n");
 		} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {