Bug 215657

Summary: UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c when mount and operate a corrupted image
Product: File System Reporter: Wenqing Liu (wenqingliu0120)
Component: f2fsAssignee: Default virtual assignee for f2fs (filesystem_f2fs)
Status: RESOLVED CODE_FIX    
Severity: normal CC: chao, wenqingliu0120
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 5.17-rc4, 5.17-rc6 Subsystem:
Regression: No Bisected commit-id:
Attachments: poc and .config

Description Wenqing Liu 2022-03-03 23:09:11 UTC
Created attachment 300527 [details]
poc and .config

- Overview 
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image

- Reproduce 
tested on kernel 5.17-rc4, 5.17-rc6

# mkdir test_crash
# cd test_crash 
# unzip tmp2.zip
# mkdir mnt
# ./single_test.sh f2fs 2

- Kernel dump
[   46.434454] loop0: detected capacity change from 0 to 131072
[   46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[   46.738319] ================================================================================
[   46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[   46.738475] index 231 is out of range for type 'unsigned int [2]'
[   46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[   46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   46.738551] Call Trace:
[   46.738556]  <TASK>
[   46.738563]  dump_stack_lvl+0x47/0x5c
[   46.738581]  ubsan_epilogue+0x5/0x50
[   46.738592]  __ubsan_handle_out_of_bounds+0x68/0x80
[   46.738604]  f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[   46.738819]  do_write_page+0xef/0x210 [f2fs]
[   46.738934]  f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[   46.739038]  __write_node_page+0x2b7/0x920 [f2fs]
[   46.739162]  f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[   46.739268]  ? __inode_wait_for_writeback+0xd1/0x120
[   46.739283]  ? iput+0xd6/0x390
[   46.739293]  f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[   46.739405]  kill_f2fs_super+0x125/0x150 [f2fs]
[   46.739507]  deactivate_locked_super+0x60/0xc0
[   46.739517]  deactivate_super+0x70/0xb0
[   46.739524]  cleanup_mnt+0x11a/0x200
[   46.739532]  __cleanup_mnt+0x16/0x20
[   46.739538]  task_work_run+0x67/0xa0
[   46.739547]  exit_to_user_mode_prepare+0x18c/0x1a0
[   46.739559]  syscall_exit_to_user_mode+0x26/0x40
[   46.739568]  do_syscall_64+0x46/0xb0
[   46.739584]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   46.739594] RIP: 0033:0x7f7b9d28a657
[   46.739602] Code: 98 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 98 2c 00 f7 d8 64 89 01 48
[   46.739608] RSP: 002b:00007ffd5f511d68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   46.739616] RAX: 0000000000000000 RBX: 0000558790c51420 RCX: 00007f7b9d28a657
[   46.739620] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000558790c590b0
[   46.739623] RBP: 0000000000000000 R08: 0000558790c598a0 R09: 0000000000000004
[   46.739626] R10: 000000000000000b R11: 0000000000000246 R12: 0000558790c590b0
[   46.739630] R13: 00007f7b9d7ac8a4 R14: 0000558790c51600 R15: 0000000000000000
[   46.739637]  </TASK>
[   46.739711] ================================================================================
Comment 1 Chao Yu 2022-03-04 01:51:50 UTC
Hi Wenqing,

Thanks for your report.

I've posted a patch to fix this issue, could you please help to verify this?

https://lore.kernel.org/linux-f2fs-devel/20220304014913.3966369-1-chao@kernel.org/T/#u
Comment 2 Wenqing Liu 2022-03-07 18:17:44 UTC
(In reply to Chao Yu from comment #1)
> Hi Wenqing,
> 
> Thanks for your report.
> 
> I've posted a patch to fix this issue, could you please help to verify this?
> 
> https://lore.kernel.org/linux-f2fs-devel/20220304014913.3966369-1-
> chao@kernel.org/T/#u

Hi, Chao,

Thanks for the fix, I tested it on 5.17-rc6 and the array-index-out-of-bounds wouldn't be triggered anymore.