syzbot
UBSAN: array-index-out-of-bounds in dtReadFirst

Status: upstream: reported C repro on 2024/11/25 10:09
Bug presence: origin:lts-only
Reported-by: syzbot+c91d8e1bcb467d1a75ff@syzkaller.appspotmail.com
First crash: 179d, last: 15d
Fix bisection: failed (error log, bisect log)
Bug presence (2)
Date Name Commit Repro Result
2024/11/26 linux-6.1.y (ToT) e4d90d63d385 C [report] UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/26 upstream (ToT) 7eef7e306d3c C Didn't crash
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: array-index-out-of-bounds in dtReadFirst jfs C error 200 159d 387d 28/28 fixed on 2024/12/16 09:50
linux-5.15 UBSAN: array-index-out-of-bounds in dtReadFirst origin:upstream C error 32 11d 389d 0/3 upstream: reported C repro on 2024/04/28 12:32
upstream UBSAN: array-index-out-of-bounds in dtReadFirst (2) jfs C error 119 24d 153d 27/28 upstream: reported C repro on 2024/12/21 07:08
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2025/05/15 18:02 24m fix candidate upstream error job log
2025/03/30 04:03 14m bisect fix linux-6.1.y error job log

Sample crash report:
ERROR: (device loop0): remounting filesystem as read-only
UFO tlock:0x00000000558ad818
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3096:10
index 237 is out of range for type 'struct dtslot[128]'
CPU: 0 PID: 4292 Comm: syz-executor329 Not tainted 6.1.133-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xfc/0x148 lib/ubsan.c:282
 dtReadFirst+0x4dc/0xa1c fs/jfs/jfs_dtree.c:3096
 dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
 jfs_readdir+0x7a0/0x3030 fs/jfs/jfs_dtree.c:2862
 iterate_dir+0x1f4/0x4ec fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:354
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
================================================================================
MetaData crosses page boundary!!
lblock = 6300000010, size  = -820051968
CPU: 0 PID: 4292 Comm: syz-executor329 Not tainted 6.1.133-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 __get_metapage+0xb48/0x1050 fs/jfs/jfs_metapage.c:596
 dtReadFirst+0xc8/0xa1c fs/jfs/jfs_dtree.c:3066
 dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
 jfs_readdir+0x7a0/0x3030 fs/jfs/jfs_dtree.c:2862
 iterate_dir+0x1f4/0x4ec fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:354
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
bread failed!
jfs_readdir: unexpected rc = -5 from dtReadNext

Crashes (23):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/04/09 04:19 linux-6.1.y 3dfebb87d7eb a775275d .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/25 18:30 linux-6.1.y e4d90d63d385 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/25 17:06 linux-6.1.y e4d90d63d385 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/25 15:41 linux-6.1.y e4d90d63d385 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/25 14:19 linux-6.1.y e4d90d63d385 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/25 13:20 linux-6.1.y e4d90d63d385 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/25 11:42 linux-6.1.y e4d90d63d385 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/09 19:14 linux-6.1.y e4d90d63d385 9ac0fdc6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:26 linux-6.1.y e4d90d63d385 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:24 linux-6.1.y e4d90d63d385 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/26 08:15 linux-6.1.y e4d90d63d385 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/26 08:15 linux-6.1.y e4d90d63d385 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/04/09 04:00 linux-6.1.y 3dfebb87d7eb a775275d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/04/09 03:58 linux-6.1.y 3dfebb87d7eb a775275d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:21 linux-6.1.y e4d90d63d385 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:20 linux-6.1.y e4d90d63d385 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/25 10:08 linux-6.1.y e4d90d63d385 68da6d95 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/02/05 07:03 linux-6.1.y 0cbb5f65e52f 5896748e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in dtReadFirst
2025/05/08 08:46 linux-6.1.y ac7079a42ea5 dbf35fa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in dtReadFirst
2025/04/20 10:26 linux-6.1.y 420102835862 2a20f901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in dtReadFirst
2025/02/25 08:50 linux-6.1.y 3a8358583626 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in dtReadFirst
2025/02/16 23:47 linux-6.1.y 0cbb5f65e52f 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in dtReadFirst
2025/01/07 08:04 linux-6.1.y 7dc732d24ff7 f3558dbf .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in dtReadFirst
* Struck through repros no longer work on HEAD.