Message-ID: <20250206173544.GA6578@openwall.com>
Date: Thu, 6 Feb 2025 18:35:44 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: ffhgfv <744439878@...com>, jianzhou zhao <xnxc22xnxc22@...com>,
	xingwei lee <xrivendell7@...il.com>, mark@...heh.com,
	jlbec@...lplan.org, joseph.qi@...ux.alibaba.com
Subject: Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0

Hi,

The below was misreported to lots of mailing lists at once on Jan 23,
but didn't actually get to the public lists (was presumably
spam-filtered), so I allowed for the maximum of 14 days of "embargo" on
linux-distros.  However, no one made any use of the "embargo", as far as
I can tell.

The message was also badly misformatted.  What I include below is my
repaired version of the message - HTML entities converted back to their
corresponding characters, the attached reproducer converted to a Unix
text file with:

iconv -cf ucs-2 < repro.c.txt | tr -d '\r' > repro.c

I just learned today that a similar message had also been sent to other
public lists on Jan 19, so granting the "embargo" was inappropriate:

https://lore.kernel.org/all/tencent_A3FB116603B2596D123C55CCC8DC2E6E1F07@qq.com/

I am posting this to oss-security for consistency and transparency,
because it was on linux-distros.  I don't know whether this is actually
a security issue or not.

A couple of days ago, I tried asking ffhgfv via private e-mail:

"Also, can you please clarify what security boundary is crossed by the
PoC, if any?  In other words, what privileges are required for running
the PoC and does the bug allow for exceeding what's normally possible
given those privileges?"

to which I got no reply yet.

Even though this wasn't actually on the proper upstream list
ocfs2-devel, the subsystem maintainers were CC'ed on many of these
messages.  I am unaware of any replies from them.  I'm going to forward
this message to ocfs2-devel shortly (not CC'ing here so that it's a
separate thread there, with any replies not CC'ed to oss-security).

ffhgfv and others - for uninvestigated or non-security-critical Linux
kernel bugs, I second Greg KH's advice from the thread linked above:

"Please report this to the proper developers and mailing list as found by
the scripts/get_maintainer.pl tool."

Way too many Linux kernel bugs are being found, including many by
syzbot, and there's rarely a good reason to single out a bug for
handling it as a security vulnerability under embargo.  Only when you
have specific reasons to claim that it's a security vulnerability should
you report the bug to security at kernel org.  And only once there's a
fix, should you _maybe_ report it to linux-distros (if the fix is still
not public) _or_ oss-security (otherwise).

Alexander

----- Forwarded message from ffhgfv <744439878@...com> -----

From: "ffhgfv" <744439878@...com>
To: "security"
 "linux-distros"
 "oss-security"
Subject: [vs-plain] Kernel bug found in the latest upstream relegated to ocfs2
CC: "mark" <mark@...heh.com>,
 "jlbec" <jlbec@...lplan.org>,
 "joseph.qi" <joseph.qi@...ux.alibaba.com>,
 "ocfs2-devel" <ocfs2-devel@...ts.linux.dev>,
 "linux-kernel" <linux-kernel@...r.kernel.org>,
 "xrivendell7" <xrivendell7@...il.com>
Date: Thu, 23 Jan 2025 12:05:24 +0800

Hello, I found a bug titled "kernel BUG in ocfs2_refcount_cal_cow_clusters" with a modified syzkaller in the latest upstream, related to the Oracle Cluster File System.
If you fix this issue, please add the following tag to the commit:
Reported-by: jianzhou zhao <xnxc22xnxc22@...com>, xingwei lee <xrivendell7@...il.com>

------------[ cut here ]------------

[   81.294928][ T9408] kernel BUG at fs/ocfs2/refcounttree.c:2678!
[   81.296140][ T9408] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
[   81.297446][ T9408] CPU: 0 UID: 0 PID: 9408 Comm: poc Not tainted 6.13.0 #1
[   81.300604][ T9408] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   81.302921][ T9408] RIP: 0010:ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.304727][ T9408] Code: 38 d0 7c 0c 84 d2 74 08 48 89 f7 e8 5a e7 7e fe 48 8b 44 24 08 44 8b 64 24 28 89 18 41 29 dc e9 72 f7 ff ff e8 b1 9e 1d fe 90 <0f> 0b ed
[   81.308312][ T9408] RSP: 0018:ffffc900136ef908 EFLAGS: 00010293
[   81.309311][ T9408] RAX: 0000000000000000 RBX: ffff888011ba94d0 RCX: ffffffff837a87a9
[   81.310697][ T9408] RDX: ffff888045e79cc0 RSI: ffffffff837a913f RDI: 0000000000000001
[   81.312024][ T9408] RBP: 0000000000000000 R08: 00000000ffffffff R09: ffffc900136efaf8
[   81.313524][ T9408] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[   81.315066][ T9408] R13: 0000000000000000 R14: ffff888011ba94c0 R15: 0000000000000001
[   81.316576][ T9408] FS:  0000000033bd23c0(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
[   81.318582][ T9408] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   81.320052][ T9408] CR2: 000000002000d000 CR3: 000000004fd34000 CR4: 00000000000006f0
[   81.321222][ T9408] Call Trace:
[   81.321777][ T9408]  <TASK>
[   81.322325][ T9408]  ? die+0x32/0x90
[   81.323177][ T9408]  ? do_trap+0x232/0x430
[   81.323867][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.324870][ T9408]  ? do_error_trap+0x107/0x240
[   81.325641][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.326731][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.327754][ T9408]  ? handle_invalid_op+0x34/0x40
[   81.328779][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.330053][ T9408]  ? exc_invalid_op+0x5d/0x80
[   81.331263][ T9408]  ? asm_exc_invalid_op+0x1a/0x20
[   81.332468][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0x469/0x14c0
[   81.333701][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xdff/0x14c0
[   81.334841][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.336476][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xdff/0x14c0
[   81.337674][ T9408]  ? __pfx_ocfs2_get_clusters+0x10/0x10
[   81.339205][ T9408]  ? __pfx___lock_acquire+0x10/0x10
[   81.340459][ T9408]  ? __pfx_ocfs2_refcount_cal_cow_clusters+0x10/0x10
[   81.342272][ T9408]  ocfs2_refcount_cow+0x29c/0xef0
[   81.343743][ T9408]  ? rcu_is_watching+0x12/0xc0
[   81.345347][ T9408]  ? trace_lock_acquire+0x14e/0x200
[   81.347005][ T9408]  ? __pfx_ocfs2_refcount_cow+0x10/0x10
[   81.347835][ T9408]  ? lock_acquire+0x32/0xc0
[   81.348442][ T9408]  ? down_write+0x14e/0x200
[   81.349092][ T9408]  ? __pfx_down_write+0x10/0x10
[   81.349782][ T9408]  ? ocfs2_inode_unlock+0x8d/0x170
[   81.350474][ T9408]  ocfs2_file_write_iter+0x1ac6/0x22f0
[   81.351371][ T9408]  ? __pfx_ocfs2_file_write_iter+0x10/0x10
[   81.352465][ T9408]  ? rcu_is_watching+0x12/0xc0
[   81.353329][ T9408]  ? trace_lock_acquire+0x14e/0x200
[   81.354293][ T9408]  vfs_write+0xbff/0x10d0
[   81.355091][ T9408]  ? __pfx_ocfs2_file_write_iter+0x10/0x10
[   81.356051][ T9408]  ? __pfx_vfs_write+0x10/0x10
[   81.356959][ T9408]  ? rcu_is_watching+0x12/0xc0
[   81.357835][ T9408]  ksys_write+0x122/0x240
[   81.359060][ T9408]  ? __pfx_ksys_write+0x10/0x10
[   81.359924][ T9408]  do_syscall_64+0xcb/0x250
[   81.360822][ T9408]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.361842][ T9408] RIP: 0033:0x45377d
[   81.362967][ T9408] Code: c3 e8 27 21 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 08
[   81.367066][ T9408] RSP: 002b:00007ffef72cf198 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   81.368683][ T9408] RAX: ffffffffffffffda RBX: 00007ffef72cf408 RCX: 000000000045377d
[   81.370422][ T9408] RDX: 0000000000000001 RSI: 0000000020000280 RDI: 0000000000000009
[   81.372352][ T9408] RBP: 00007ffef72cf1b0 R08: 00007ffef72cf1b0 R09: 00007ffef72cf1b0
[   81.373797][ T9408] R10: 00007ffef72cf1b0 R11: 0000000000000246 R12: 0000000000000001
[   81.375889][ T9408] R13: 00007ffef72cf3f8 R14: 00000000004d4710 R15: 0000000000000001
[   81.377584][ T9408]  </TASK>
[   81.378113][ T9408] Modules linked in:
[   81.379107][ T9408] ---[ end trace 0000000000000000 ]---
[   81.380344][ T9408] RIP: 0010:ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.381719][ T9408] Code: 38 d0 7c 0c 84 d2 74 08 48 89 f7 e8 5a e7 7e fe 48 8b 44 24 08 44 8b 64 24 28 89 18 41 29 dc e9 72 f7 ff ff e8 b1 9e 1d fe 90 <0f> 0b ed
[   81.384543][ T9408] RSP: 0018:ffffc900136ef908 EFLAGS: 00010293
[   81.385617][ T9408] RAX: 0000000000000000 RBX: ffff888011ba94d0 RCX: ffffffff837a87a9
[   81.387057][ T9408] RDX: ffff888045e79cc0 RSI: ffffffff837a913f RDI: 0000000000000001
[   81.389023][ T9408] RBP: 0000000000000000 R08: 00000000ffffffff R09: ffffc900136efaf8
[   81.390455][ T9408] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[   81.391846][ T9408] R13: 0000000000000000 R14: ffff888011ba94c0 R15: 0000000000000001
[   81.393398][ T9408] FS:  0000000033bd23c0(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
[   81.395131][ T9408] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   81.397558][ T9408] CR2: 000000002000d000 CR3: 000000004fd34000 CR4: 00000000000006f0
[   81.399091][ T9408] Kernel panic - not syncing: Fatal exception
[   81.401343][ T9408] Kernel Offset: disabled
[   81.402051][ T9408] Rebooting in 86400 seconds..

==================================================================

I use the same kernel as the syzbot instance
upstream:  c4b9570cfb63501638db720f3bee9f6dfd044b82

Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=899f38f532606c8e
Compiler: gcc 11.4.0
The repro is provided in the attachment repro.c.txt

I hope it helps.
Best regards
Jianzhou Zhao,
Xingwei Lee.

----- End forwarded message -----

View attachment "repro.c" of type "text/x-c" (101491 bytes)
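Reports like the one above land in oss-security with the raw dmesg output and no analysis, and the first triage step a defender does by hand is always the same: pull out the BUG location, the faulting symbol, the task that hit it, and the reliable part of the call chain. The following helper is an added example, not part of this message or of the reporters' repro; it parses the oops format shown above (the `[ time][ Tpid]` printk prefix, the `kernel BUG at file:line!` marker, the `RIP:` line and the `Call Trace:` block) and separates frames the unwinder verified from the ones prefixed with `?`, which are stale stack contents and should not be read as a call path. The regexes are assumptions about that format as printed here; the sample input is a constructed excerpt of the oops quoted in the report.

```python
"""Triage helper for a Linux kernel oops / BUG report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from the oops quoted in the report
# above, trimmed to the ones this helper reads.
SAMPLE_OOPS = """\
[   81.294928][ T9408] kernel BUG at fs/ocfs2/refcounttree.c:2678!
[   81.296140][ T9408] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
[   81.297446][ T9408] CPU: 0 UID: 0 PID: 9408 Comm: poc Not tainted 6.13.0 #1
[   81.302921][ T9408] RIP: 0010:ocfs2_refcount_cal_cow_clusters+0xe00/0x14c0
[   81.321222][ T9408] Call Trace:
[   81.321777][ T9408]  <TASK>
[   81.322325][ T9408]  ? die+0x32/0x90
[   81.333701][ T9408]  ? ocfs2_refcount_cal_cow_clusters+0xdff/0x14c0
[   81.342272][ T9408]  ocfs2_refcount_cow+0x29c/0xef0
[   81.350474][ T9408]  ocfs2_file_write_iter+0x1ac6/0x22f0
[   81.354293][ T9408]  vfs_write+0xbff/0x10d0
[   81.357835][ T9408]  ksys_write+0x122/0x240
[   81.359924][ T9408]  do_syscall_64+0xcb/0x250
[   81.360822][ T9408]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   81.377584][ T9408]  </TASK>
[   81.378113][ T9408] Modules linked in:
[   81.399091][ T9408] Kernel panic - not syncing: Fatal exception
"""

# Assumed dmesg prefix "[   81.294928][ T9408] " (printk time + thread id).
_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
_BUG_AT = re.compile(r"kernel BUG at (\S+):(\d+)!")
_COMM = re.compile(r"Comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")
_RIP = re.compile(r"RIP: ([0-9a-f]{4}):([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
_FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_MODULES = re.compile(r"Modules linked in:(.*)")


@dataclass
class OopsSummary:
    bug_file: Optional[str] = None
    bug_line: Optional[int] = None
    comm: Optional[str] = None
    taint: Optional[str] = None
    version: Optional[str] = None
    faulting_symbol: Optional[str] = None
    reliable_frames: List[str] = field(default_factory=list)
    unreliable_frames: List[str] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)
    panicked: bool = False

    @property
    def entered_via_syscall(self) -> bool:
        # A verified frame in the syscall entry stub means the crash was
        # reached from user space through a system call.
        return any(f.startswith("entry_SYSCALL") for f in self.reliable_frames)


def strip_prefix(line: str) -> str:
    """Remove the printk time/thread prefix from one dmesg line."""
    return _PREFIX.sub("", line).rstrip()


def parse_oops(text: str) -> OopsSummary:
    """Extract the triage-relevant fields from an oops / BUG report."""
    s = OopsSummary()
    in_trace = False
    for raw in text.splitlines():
        line = strip_prefix(raw)
        if m := _BUG_AT.search(line):
            s.bug_file, s.bug_line = m.group(1), int(m.group(2))
        elif m := _COMM.search(line):
            s.comm, s.taint, s.version = m.group(1), m.group(2), m.group(3)
        elif (m := _RIP.search(line)) and s.faulting_symbol is None:
            # Segment 0010 is kernel code; a 0033 RIP would be user space.
            if m.group(1) == "0010":
                s.faulting_symbol = m.group(2)
        elif m := _MODULES.search(line):
            s.modules = m.group(1).split()
        elif line.startswith("Call Trace:") or line.strip() == "<TASK>":
            in_trace = True
        elif line.strip() == "</TASK>":
            in_trace = False
        elif in_trace and (m := _FRAME.match(line)):
            # A leading "?" marks a frame the unwinder could not verify.
            target = s.unreliable_frames if m.group(1) else s.reliable_frames
            target.append(m.group(2))
        elif line.startswith("Kernel panic"):
            s.panicked = True
    return s


def summarize(s: OopsSummary) -> str:
    """One-line triage summary: who hit what, via which verified path."""
    chain = " <- ".join([s.faulting_symbol or "?"] + s.reliable_frames)
    return (
        f"{s.comm} on {s.version} ({s.taint}) hit BUG at {s.bug_file}:{s.bug_line}; "
        f"reliable path: {chain}; modules: {s.modules or 'none'}; "
        f"{'panic' if s.panicked else 'no panic'}"
    )


if __name__ == "__main__":
    print(summarize(parse_oops(SAMPLE_OOPS)))
```

Run against the sample, the verified chain reads `ocfs2_refcount_cal_cow_clusters <- ocfs2_refcount_cow <- ocfs2_file_write_iter <- vfs_write <- ksys_write <- ...`, i.e. a write(2) on an ocfs2 file reaches the BUG_ON, while `die` and the second `ocfs2_refcount_cal_cow_clusters` entry are dropped as unverified. That answers "which syscall path" but not the question Solar raises about privileges: the trace says nothing about who may mount the image or write to the file, which is exactly the information a reporter has to supply separately.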
