lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 16 Jun 2018 20:04:22 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 200069] BUG() triggered in start_this_handle()
 (jbd2/transaction.c) when operating and umounting a crafted ext4 image

https://bugzilla.kernel.org/show_bug.cgi?id=200069

Theodore Tso (tytso@....edu) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tytso@....edu

--- Comment #4 from Theodore Tso (tytso@....edu) ---
OK, what's going on with this image is the following:

* The s_first_ino is 3 --- it's supposed to be 11, and should never be less
than that number.  The kernel currently doesn't check to make sure value of
s_first_ino is valid.  This is a recipe for disaster, but what's really
triggering the problem is....

* The directory entry for foo/bar/baz points at inode #8 -- the journal inode.

So when the workload unlinks foo/bar/baz, this drops the refcount to zero, and
when we unmount the file system and release the journal inode,
ext4_evict_inode() tries to delete the journal inode, after we almost
completely done with the unmount.  This triggers the BUG_ON at
fs/jbd2/transaction.c:319.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ