UBSAN: array-index-out-of-bounds in /build/linux-D15vQj/linux-6.5.0/drivers/md/bcache/bset.c:1098:3
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Status tracked in Oracular | | | |
| Jammy | Invalid | Undecided | Unassigned | |
| Mantic | Won't Fix | Undecided | Unassigned | |
| Noble | Fix Committed | Medium | Unassigned | |
| Oracular | Triaged | Undecided | Unassigned | |
Bug Description
[Impact]
UBSAN array-index-out-of-bounds warnings currently appear in dmesg when bcache is used on the jammy HWE, mantic and noble kernels. No side effects have been observed so far, but an out-of-bounds access of this kind could potentially cause a crash or corrupt data.
[Fix]
A fix is available upstream in the following patch:
* 3a861560ccb3 "bcache: fix variable length array abuse in btree_iter"
[Test Case]
1. Set up bcache on a machine running the jammy HWE, mantic or noble kernel, following the steps in this wiki: https:/
2. Restart the machine
3. After restarting the machine, the following UBSAN warnings and call traces can be seen in dmesg:
```
[ 3.824281] UBSAN: array-index-
[ 3.826338] index 4 is out of range for type 'btree_iter_set [4]'
[ 3.826812] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 3.827817] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-
[ 3.828835] Workqueue: events register_
[ 3.829429] Call Trace:
[ 3.830626] <TASK>
[ 3.831638] dump_stack_
[ 3.832227] dump_stack+
[ 3.832785] __ubsan_
[ 3.833357] bch_btree_
[ 3.834052] bch_btree_
[ 3.834653] ? mempool_
[ 3.835211] bch_btree_
[ 3.835832] ? __pfx_closure_
[ 3.836474] bch_btree_
[ 3.837161] ? __bch_btree_
[ 3.837838] ? __pfx_up_
[ 3.838739] bch_btree_
[ 3.844949] </TASK>
[ 4.029242] UBSAN: array-index-
[ 4.030496] index 14 is out of range for type 'btree_iter_set [4]'
[ 4.030930] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.031841] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-
[ 4.032650] Workqueue: events register_
[ 4.033149] Call Trace:
[ 4.033549] <TASK>
[ 4.033972] dump_stack_
[ 4.034418] dump_stack+
[ 4.034839] __ubsan_
[ 4.035279] btree_mergesort
[ 4.035730] ? __pfx_bch_
[ 4.036191] ? __pfx_bch_
[ 4.036691] __btree_
[ 4.037182] bch_btree_
[ 4.037674] bch_btree_
[ 4.038172] ? mempool_
[ 4.038617] bch_btree_
[ 4.039120] ? __pfx_closure_
[ 4.039659] bch_btree_
[ 4.040220] ? __bch_btree_
[ 4.040806] ? __pfx_up_
[ 4.041371] bch_btree_
[ 4.048339] </TASK>
[ 4.227653] UBSAN: array-index-
[ 4.228847] index 4 is out of range for type 'btree_iter_set [4]'
[ 4.229472] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.230680] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-
[ 4.231954] Workqueue: events register_
[ 4.232690] Call Trace:
[ 4.233327] <TASK>
[ 4.233935] dump_stack_
[ 4.234568] dump_stack+
[ 4.235219] __ubsan_
[ 4.235833] bch_extent_
[ 4.236524] ? __ubsan_
[ 4.237159] ? __pfx_bch_
[ 4.237839] btree_mergesort
[ 4.238823] ? __pfx_bch_
[ 4.239800] __btree_
[ 4.240880] bch_btree_
[ 4.243046] bch_btree_
[ 4.245223] ? mempool_
[ 4.246311] bch_btree_
[ 4.247410] ? __pfx_closure_
[ 4.248471] bch_btree_
[ 4.248959] ? __bch_btree_
[ 4.249454] ? __pfx_up_
[ 4.249904] bch_btree_
[ 4.255145] </TASK>
[ 4.257388] UBSAN: array-index-
[ 4.258429] index 14 is out of range for type 'btree_iter_set [4]'
[ 4.258964] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.260073] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-
[ 4.261188] Workqueue: events register_
[ 4.261811] Call Trace:
[ 4.262374] <TASK>
[ 4.262912] dump_stack_
[ 4.263502] dump_stack+
[ 4.264042] __ubsan_
[ 4.264605] bch_extent_
[ 4.265218] ? __ubsan_
[ 4.265821] ? __pfx_bch_
[ 4.266514] btree_mergesort
[ 4.267234] ? __pfx_bch_
[ 4.267882] __btree_
[ 4.268508] bch_btree_
[ 4.269144] bch_btree_
[ 4.269825] ? mempool_
[ 4.270489] bch_btree_
[ 4.271243] ? __pfx_closure_
[ 4.272293] bch_btree_
[ 4.273260] ? __bch_btree_
[ 4.274182] ? __pfx_up_
[ 4.274973] bch_btree_
[ 4.284807] </TASK>
[ 4.286129] UBSAN: array-index-
[ 4.286791] index 4 is out of range for type 'btree_iter_set [4]'
[ 4.287231] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.288033] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-
[ 4.288863] Workqueue: events register_
[ 4.289340] Call Trace:
[ 4.289753] <TASK>
[ 4.290168] dump_stack_
[ 4.290581] dump_stack+
[ 4.290984] __ubsan_
[ 4.291432] bch_extent_
[ 4.291882] ? __ubsan_
[ 4.292309] ? __pfx_bch_
[ 4.292764] btree_mergesort
[ 4.293225] ? __pfx_bch_
[ 4.293683] __btree_
[ 4.294153] bch_btree_
[ 4.294631] bch_btree_
[ 4.295175] ? mempool_
[ 4.295671] bch_btree_
[ 4.296257] ? __pfx_closure_
[ 4.296834] bch_btree_
[ 4.297446] ? __bch_btree_
[ 4.298087] ? __pfx_up_
[ 4.298678] bch_btree_
[ 4.306037] </TASK>
```
[Where problems could occur]
The patch changes how bcache allocates space for the btree iterator. The main risk is that different UBSAN warnings could appear, and those could trigger a crash more readily than the array-index-out-of-bounds currently observed.
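As an added illustration of the bug class behind this report (not code from bcache or from the upstream patch): a fixed-size array member that callers over-allocate and index past its declared bound, which is exactly what UBSAN reports above as "index 4 is out of range for type 'btree_iter_set [4]'", shown beside a flexible-array-member version with an explicit capacity check. Struct and function names are simplified assumptions, and the upstream patch's own layout is assumed rather than reproduced.

```c
/* Added example, not bcache or upstream-patch code: the "variable length array
 * abuse" UBSAN flags here, beside the flexible-array shape such a fix moves to.
 * Names are simplified assumptions; MAX_BSETS = 4 matches 'btree_iter_set [4]'. */
#include <stdlib.h>
#define MAX_BSETS 4
struct btree_iter_set { unsigned k, end; };  /* simplified stand-in */
/* Old shape: a fixed [4] member that callers over-allocate and then index past 4.
 * The bytes exist, but the declared type says 4 elements, so -fsanitize=bounds
 * reports "index 4 is out of range". Shown for the pattern; never indexed here. */
struct iter_fixed {
    size_t size, used;
    struct btree_iter_set data[MAX_BSETS];
};
/* Fixed shape: a flexible array member carries no bogus compile-time bound, so
 * the real capacity lives in 'size' and is checked explicitly on every push. */
struct iter_flex {
    size_t size, used;
    struct btree_iter_set data[];
};

struct iter_flex *iter_flex_alloc(size_t nsets)
{
    struct iter_flex *it = malloc(sizeof(*it) + nsets * sizeof(it->data[0]));
    if (!it) return NULL;
    it->size = nsets;
    it->used = 0;
    return it;
}

/* Push one set; returns 0 on success, -1 when the iterator is already full. */
int iter_flex_push(struct iter_flex *it, unsigned k, unsigned end)
{
    if (it->used >= it->size)
        return -1;
    it->data[it->used++] = (struct btree_iter_set){ k, end };
    return 0;
}

/* Allocate room for 'nsets' sets, then attempt nsets + 1 pushes. Returns the
 * number stored (nsets when the extra push is refused) or -1 on allocation failure. */
long iter_flex_fill(size_t nsets)
{
    struct iter_flex *it = iter_flex_alloc(nsets);
    if (!it) return -1;
    for (size_t i = 0; i <= nsets; i++)
        iter_flex_push(it, (unsigned)i, (unsigned)i + 1);
    long used = (long)it->used;
    free(it);
    return used;
}
```

Building with `-fsanitize=bounds` is what turns the old shape's out-of-range index into the dmesg-style report; the flexible shape gives the sanitizer nothing to flag because the bound it would check no longer exists in the type.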
Thank you @illwieckz for the original bug report
[original description]
Since I upgraded from lunar to mantic I get a load of those errors (41 on a fresh boot) in dmesg:
```
[ 4.277343] UBSAN: array-index-
[ 4.277728] index 4 is out of range for type 'btree_iter_set [4]'
[ 4.277925] CPU: 7 PID: 247 Comm: kworker/7:1 Not tainted 6.5.0-9-generic #9-Ubuntu
[ 4.278132] Hardware name: Default string Default string/Default string, BIOS WRX80SU8-F6 06/08/2023
[ 4.278531] Workqueue: events register_
[ 4.278754] Call Trace:
[ 4.278949] <TASK>
[ 4.279143] dump_stack_
[ 4.279337] dump_stack+
[ 4.279526] __ubsan_
[ 4.279721] bch_btree_
[ 4.279929] bch_btree_
[ 4.280142] bch_btree_
[ 4.280349] ? __pfx_closure_
[ 4.280557] bch_btree_
[ 4.280764] ? __bch_btree_
[ 4.280975] ? __pfx_up_
[ 4.281170] bch_btree_
[ 4.281375] run_cache_
[ 4.281578] ? srso_return_
[ 4.281773] register_
[ 4.281984] register_
[ 4.282187] register_
[ 4.282387] process_
[ 4.282573] worker_
[ 4.282753] ? srso_return_
[ 4.282931] ? _raw_spin_
[ 4.283113] ? __pfx_worker_
[ 4.283286] kthread+0xf2/0x120
[ 4.283458] ? __pfx_kthread+
[ 4.283631] ret_from_
[ 4.283800] ? __pfx_kthread+
[ 4.283972] ret_from_
[ 4.284143] </TASK>
```
This system has 4 bcache backing devices and 4 bcache cache devices, though they are not associated for now and caching is disabled. It was already like that when I upgraded, so the kernel only uses the backing code, not the caching one.
ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: linux-image-
Uname: Linux 6.5.0-9-generic x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CurrentDesktop: GNOME
Date: Sat Oct 14 23:16:33 2023
HibernationDevice: RESUME=none
ProcFB:
0 amdgpudrmfb
1 astdrmfb
ProcKernelCmdLine: BOOT_IMAGE=
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
RfKill:
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 06/08/2023
dmi.bios.release: 5.23
dmi.bios.vendor: American Megatrends International, LLC.
dmi.bios.version: WRX80SU8-F6
dmi.board.name: Default string
dmi.board.vendor: Default string
dmi.board.version: Default string
dmi.chassis.type: 3
dmi.chassis.vendor: Default string
dmi.modalias: dmi:bvnAmerican
dmi.product.family: Default string
dmi.product.name: Default string
dmi.product.sku: Default string
dmi.sys.vendor: Default string
tags: added kernel-flexible-array
description: updated
Changed in linux (Ubuntu Noble): status: Confirmed → Fix Committed (this change was made by a bot)