In the Linux kernel, the following vulnerability has been resolved:
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
Syzkaller reported the following issue:
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6
index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
 dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 panic+0x30f/0x770 kernel/panic.c:340
 check_panic_on_warn+0x82/0xa0 kernel/panic.c:236
 ubsan_epilogue lib/ubsan.c:223 [inline]
 __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348
 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
 dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
The issue is caused when the value of lp becomes greater than CTLTREESIZE, which is the max size of stree. Adding a simple check solves this issue.
Dave: As the function returns a void, good error handling would require a more intrusive code reorganization, so I modified Osama's patch to use WARN_ON_ONCE for lack of a cleaner option.
The patch is tested via syzbot.
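The bound check the commit describes, shown on a simplified model rather than on JFS itself. This is an added example, not kernel or JFS code: it models a 4-ary summary tree stored level-ordered in one s8 array of 1 + 4 + 16 + 64 + 256 + 1024 = 1365 entries, with the leaf base index and tree height taken from an on-disk-style header exactly as an untrusted image would supply them. The names `ctl_tree`, `ctl_tree_init`, `ctl_adj_tree` and `ctl_tree_root` are hypothetical; `CTLTREESIZE` is reused from the commit message for the array size. Updating a leaf bubbles the maximum up to the root; a corrupted leaf base that yields an index such as the reported 196694 is rejected before any write, which is the behaviour the kernel fix obtains with WARN_ON_ONCE plus an early return.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (hypothetical, not JFS code) of a 4-ary summary tree
 * stored level-ordered in one array: root at 0, leaves at the end. */
#define LPERCTL      1024                               /* leaves per tree */
#define CTLTREESIZE  (1024 + 256 + 64 + 16 + 4 + 1)     /* 1365 nodes */
#define CTLLEAFIND   (256 + 64 + 16 + 4 + 1)            /* 341: index of leaf 0 */
#define CTLHEIGHT    5                                  /* levels above the leaves */
#define NOFREE       ((int8_t)-1)

struct ctl_tree {
    int32_t leafidx;              /* index of leaf 0, as read from the image */
    int32_t height;               /* tree height, as read from the image */
    int8_t  stree[CTLTREESIZE];   /* the s8[1365] array from the UBSAN report */
};

void ctl_tree_init(struct ctl_tree *t)
{
    t->leafidx = CTLLEAFIND;
    t->height = CTLHEIGHT;
    memset(t->stree, NOFREE, sizeof t->stree);
}

int8_t ctl_tree_root(const struct ctl_tree *t)
{
    return t->stree[0];
}

/* Set leaf 'leafno' to 'newval' and propagate the per-group maximum upward.
 * Returns 0 on success, -1 when the computed leaf index is outside the array
 * (the case the fix catches; this model returns an error instead of warning). */
int ctl_adj_tree(struct ctl_tree *t, int leafno, int8_t newval)
{
    int lp, pp, k, j;
    int8_t max;

    lp = leafno + t->leafidx;

    /* Both operands come from untrusted metadata; without this check a
     * crafted leafidx makes stree[lp] an out-of-bounds read and write. */
    if (lp < 0 || lp >= CTLTREESIZE)
        return -1;

    if (t->stree[lp] == newval)
        return 0;
    t->stree[lp] = newval;

    for (k = 0; k < t->height; k++) {
        if (lp == 0)                    /* reached the root; a corrupted height
                                           must not drive lp negative */
            break;
        lp = ((lp - 1) & ~0x03) + 1;    /* first node of lp's 4-node group */
        pp = (lp - 1) >> 2;             /* parent of that group */

        max = t->stree[lp];
        for (j = 1; j < 4; j++)
            if (t->stree[lp + j] > max)
                max = t->stree[lp + j];

        if (t->stree[pp] == max)        /* parent already correct: done */
            break;
        t->stree[pp] = max;
        lp = pp;
    }
    return 0;
}

int main(void)
{
    struct ctl_tree t;

    ctl_tree_init(&t);
    ctl_adj_tree(&t, 0, 10);
    ctl_adj_tree(&t, LPERCTL - 1, 3);
    printf("root after two leaf updates: %d\n", ctl_tree_root(&t));

    /* Constructed corruption: leaf base chosen so that leaf 0 maps to 196694. */
    t.leafidx = 196694;
    printf("update with corrupted leafidx: %d (expect -1)\n",
           ctl_adj_tree(&t, 0, 1));
    return 0;
}
```

The ascent loop also trusts `height`; the `lp == 0` break keeps a corrupted height from walking past the root, which is the kind of neighbouring field a reviewer would ask about once one on-disk index has been shown to reach the array unchecked.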