[merged mm-nonmm-stable] ocfs2-fix-shift-out-of-bounds-ubsan-bug-in-ocfs2_verify_volume.patch removed from -mm tree

Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> · Sun, 01 Sep 2024 20:47:13 -0700

The quilt patch titled
     Subject: ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()
has been removed from the -mm tree.  Its filename was
     ocfs2-fix-shift-out-of-bounds-ubsan-bug-in-ocfs2_verify_volume.patch

This patch was dropped because it was merged into the mm-nonmm-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

------------------------------------------------------
From: qasdev <qasdev00@xxxxxxxxx>
Subject: ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()
Date: Tue, 20 Aug 2024 02:22:09 +0100

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function, identified by UBSAN.  The bug was
triggered by an invalid s_clustersize_bits value (e.g., 1548), which
caused the expression "1 <<
le32_to_cpu(di->id2.i_super.s_clustersize_bits)" to exceed the limits of a
32-bit integer, leading to an out-of-bounds shift.

Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Signed-off-by: Qasim Ijaz <qasdev00@xxxxxxxxx>
Reported-by: syzbot <syzbot+f3fff775402751ebb471@xxxxxxxxxxxxxxxxxxxxxxxxx>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@xxxxxxxxxxxxxxxxxxxxxxxxx>
Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
Cc: Mark Fasheh <mark@xxxxxxxxxx>
Cc: Joel Becker <jlbec@xxxxxxxxxxxx>
Cc: Junxiao Bi <junxiao.bi@xxxxxxxxxx>
Cc: Changwei Ge <gechangwei@xxxxxxx>
Cc: Gang He <ghe@xxxxxxxx>
Cc: Jun Piao <piaojun@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/ocfs2/super.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/ocfs2/super.c~ocfs2-fix-shift-out-of-bounds-ubsan-bug-in-ocfs2_verify_volume
+++ a/fs/ocfs2/super.c
@@ -2357,8 +2357,8 @@ static int ocfs2_verify_volume(struct oc
 			     (unsigned long long)bh->b_blocknr);
 		} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
 			    le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-			mlog(ML_ERROR, "bad cluster size found: %u\n",
-			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+			mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+			     le32_to_cpu(di->id2.i_super.s_clustersize_bits));
 		} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
 			mlog(ML_ERROR, "bad root_blkno: 0\n");
 		} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
_

Patches currently in -mm which might be from qasdev00@xxxxxxxxx are









