https://bugzilla.kernel.org/show_bug.cgi?id=203861
--- Comment #5 from Attila ([email protected]) ---

Created attachment 310083
  --> https://bugzilla.kernel.org/attachment.cgi?id=310083&action=edit
Current-master fsck.f2fs reproducer package for Bug 203861: ASAN/UBSAN log, evidence card, concept fix, mount.c context, and minimized crash artifacts showing SIGFPE in sanity_check_raw_super() with s

I can reproduce a related fsck.f2fs divide-by-zero on current f2fs-tools master, so this looks like either an incomplete fix for Bug 203861 or a regression in a different validation path.

This is not the same top frame as the original 2019 report. The original report shows the crash later through build_curseg() / GET_ZONE_FROM_SEGNO() when sbi->secs_per_zone is 0. My current reproducer reaches an earlier path in sanity_check_raw_super():

- component: f2fs-tools userspace fsck.f2fs
- function: sanity_check_raw_super()
- file/line: fsck/mount.c:1130:49 in my current-master build
- corrupted fields: segs_per_sec = 1, secs_per_zone = 0
- derived value: segs_per_zone = segs_per_sec * secs_per_zone = 0
- observed result: UBSan division-by-zero followed by ASan SIGFPE

Observed sanitizer evidence:

mount.c:1130:33: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mount.c:1130:33
AddressSanitizer:DEADLYSIGNAL
ERROR: AddressSanitizer: FPE
    #0 in sanity_check_raw_super fsck/mount.c:1130:49
    #1 in validate_super_block fsck/mount.c:1195:7
    #2 in f2fs_do_mount fsck/mount.c:4088:8
    #3 in main fsck/main.c:1326:8

The root cause appears to be that secs_per_zone == 0 is still rejected too late on this path. segs_per_zone is derived from untrusted superblock fields and can be used as a divisor before secs_per_zone / derived segs_per_zone are validated.

I am attaching a current repro package with:

- ASAN/UBSAN log
- evidence card
- concept fix
- mount.c context
- minimized crash artifacts

Security impact claimed: local/tooling denial-of-service only.
I am not claiming RCE, privilege escalation, kernel compromise, or production Android reachability. If maintainers prefer a new bug instead of reopening/commenting on this resolved one, I can file a new Bugzilla issue explicitly referencing Bug 203861 as the related/incomplete-fix ancestor.

-- 
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
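The validation-ordering problem the comment describes, as an added example that is not part of the original post and not f2fs-tools code: a derived divisor (segs_per_zone = segs_per_sec * secs_per_zone) is computed from untrusted on-disk fields and must be validated before the first division, not after. The 12-byte field layout, the little-endian parser, the segment_count dividend, the enum names and the demo_* functions are all assumptions for illustration; the real mount.c layout and the exact expression at mount.c:1130 are not reproduced here. The constructed image in demo_report_case() uses the corrupted values from this report (segs_per_sec = 1, secs_per_zone = 0).

```c
/*
 * Added example, not f2fs-tools code. Models the divide-by-zero from the
 * report above: segs_per_zone is derived from untrusted superblock fields
 * and used as a divisor. Field layout and the segment_count dividend are
 * assumptions for illustration only.
 */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the raw superblock fields of interest. */
struct raw_super_fields {
    uint32_t segs_per_sec;
    uint32_t secs_per_zone;
    uint32_t segment_count;   /* assumed dividend, stands in for what mount.c divides */
};

enum sb_check {
    SB_OK = 0,
    SB_BAD_SEGS_PER_SEC,
    SB_BAD_SECS_PER_ZONE,
    SB_SEGS_PER_ZONE_OVERFLOW,
    SB_SEGS_PER_ZONE_TOO_LARGE
};

/* Little-endian u32 read with no alignment or host-endianness assumptions. */
static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the three assumed fields from a 12-byte constructed image. */
static void parse_raw_super(const uint8_t img[12], struct raw_super_fields *f)
{
    f->segs_per_sec  = le32_at(img + 0);
    f->secs_per_zone = le32_at(img + 4);
    f->segment_count = le32_at(img + 8);
}

/*
 * Vulnerable shape: derives segs_per_zone and divides by it before either
 * factor is validated. With secs_per_zone == 0 the divisor is 0 and the
 * process dies with SIGFPE. Only ever called on sane input below.
 */
static uint32_t zone_count_unchecked(const struct raw_super_fields *f)
{
    uint32_t segs_per_zone = f->segs_per_sec * f->secs_per_zone;
    return f->segment_count / segs_per_zone;
}

/*
 * Hardened shape: reject a zero factor, a product that wraps uint32_t, and
 * a zone larger than the whole device, all before the first division.
 */
static enum sb_check zone_count_checked(const struct raw_super_fields *f,
                                        uint32_t *zones_out)
{
    if (f->segs_per_sec == 0)
        return SB_BAD_SEGS_PER_SEC;
    if (f->secs_per_zone == 0)
        return SB_BAD_SECS_PER_ZONE;

    uint64_t segs_per_zone = (uint64_t)f->segs_per_sec * f->secs_per_zone;
    if (segs_per_zone > UINT32_MAX)
        return SB_SEGS_PER_ZONE_OVERFLOW;
    if (segs_per_zone > f->segment_count)
        return SB_SEGS_PER_ZONE_TOO_LARGE;

    *zones_out = f->segment_count / (uint32_t)segs_per_zone;
    return SB_OK;
}

/* Build a constructed 12-byte little-endian image, then run the checked path. */
static enum sb_check check_image(uint32_t sps, uint32_t spz, uint32_t segs,
                                 uint32_t *zones)
{
    uint8_t img[12];
    uint32_t v[3] = { sps, spz, segs };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            img[4 * i + b] = (uint8_t)(v[i] >> (8 * b));

    struct raw_super_fields f;
    parse_raw_super(img, &f);
    return zone_count_checked(&f, zones);
}

/* The corrupted fields from this report: segs_per_sec = 1, secs_per_zone = 0. */
static enum sb_check demo_report_case(void)
{
    uint32_t zones = 0;
    return check_image(1, 0, 512, &zones);
}

/* Sane image (1 seg/sec, 1 sec/zone, 512 segments): returns zone count, -1 on reject. */
static long demo_sane_case(void)
{
    uint32_t zones = 0;
    if (check_image(1, 1, 512, &zones) != SB_OK)
        return -1;
    return (long)zones;
}

/* Factors that are individually non-zero but whose product wraps uint32_t. */
static enum sb_check demo_overflow_case(void)
{
    uint32_t zones = 0;
    return check_image(0x10000u, 0x10000u, 512, &zones);
}

int main(void)
{
    struct raw_super_fields sane = { 1, 1, 512 };
    printf("report case   -> verdict %d (expect %d)\n", demo_report_case(), SB_BAD_SECS_PER_ZONE);
    printf("sane case     -> %ld zones, unchecked agrees: %u\n",
           demo_sane_case(), zone_count_unchecked(&sane));
    printf("overflow case -> verdict %d (expect %d)\n", demo_overflow_case(), SB_SEGS_PER_ZONE_OVERFLOW);
    return 0;
}
```

The point of the ordering is that every check runs on the raw factors and on the 64-bit product, so no zero or wrapped value ever reaches a `/` or `%`; the unchecked variant is kept only to show the shape that produces the SIGFPE in the report.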
