Message-ID: <20130313185911.GA1446@jtriplet-mobl1>
Date: Wed, 13 Mar 2013 11:59:13 -0700
From: Josh Triplett <josh@...htriplett.org>
To: linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org, Theodore Ts'o <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>
Subject: NULL pointer dereference in ext4_superblock_csum_set with mounted filesystem

I frequently test kernel changes by booting them with kvm's -kernel option, with -hda pointing to my host system's root filesystem, and -snapshot to prevent writing to (and likely corrupting) that root filesystem.

I tried this with a kernel built from git commit 7c6baa304b841673d3a55ea4fcf9a5cbf7a1674b, with a stock x86-64 "make defconfig", and got a kernel panic:

[ 0.908898] EXT4-fs (sda): couldn't mount as ext3 due to feature incompatibilities
[ 0.911608] EXT4-fs (sda): couldn't mount as ext2 due to feature incompatibilities
[ 0.917997] EXT4-fs (sda): INFO: recovery required on readonly filesystem
[ 0.919575] EXT4-fs (sda): write access will be enabled during recovery
[ 1.004234] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1.005050] IP: [<ffffffff811ca54f>] ext4_superblock_csum_set+0x2f/0x70
[ 1.005050] PGD 0
[ 1.005050] Oops: 0000 [#1] SMP
[ 1.005050] Modules linked in:
[ 1.005050] CPU 0
[ 1.005050] Pid: 1, comm: swapper/0 Not tainted 3.9.0-rc2+ #5 Bochs Bochs
[ 1.005050] RIP: 0010:[<ffffffff811ca54f>] [<ffffffff811ca54f>] ext4_superblock_csum_set+0x2f/0x70
[ 1.005050] RSP: 0000:ffff88003e1f5578 EFLAGS: 00010202
[ 1.005050] RAX: 0000000000000000 RBX: ffff880001da8400 RCX: 0000000000000001
[ 1.005050] RDX: 0000000000000040 RSI: 0000000000000040 RDI: ffff88003d93d400
[ 1.005050] RBP: ffff88003e1f55a8 R08: ffffffff81cb4238 R09: 0000000000000040
[ 1.005050] R10: 0000000001270030 R11: 0000000000000000 R12: ffff88003de0f1a0
[ 1.005050] R13: ffff880001da8400 R14: 0000000000000000 R15: ffff88003d93d400
[ 1.005050] FS: 0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 1.005050] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1.005050] CR2: 0000000000000000 CR3: 0000000001c0b000 CR4: 00000000000006f0
[ 1.005050] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.005050] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1.005050] Process swapper/0 (pid: 1, threadinfo ffff88003e1f4000, task ffff88003e1f0000)
[ 1.005050] Stack:
[ 1.005050]  ffff88003e1f55a8 ffffffff812c8ffa ffffffff810fd729 0000000000000000
[ 1.005050]  ffff88003de0f1a0 000000000105a4e8 ffff88003e1f55f8 ffffffff811cae3c
[ 1.005050]  00000001000004d8 00000000307ea8c1 ffff88003e1f55f8 ffff88003d93d400
[ 1.005050] Call Trace:
[ 1.005050]  [<ffffffff812c8ffa>] ? __percpu_counter_sum+0x5a/0x80
[ 1.005050]  [<ffffffff810fd729>] ? __inc_zone_state+0x59/0x60
[ 1.005050]  [<ffffffff811cae3c>] ext4_commit_super+0x15c/0x240
[ 1.005050]  [<ffffffff811cb0ae>] save_error_info+0x1e/0x30
[ 1.005050]  [<ffffffff811cc12e>] ext4_error_inode+0x5e/0x120
[ 1.005050]  [<ffffffff810e3fc0>] ? mempool_alloc_slab+0x10/0x20
[ 1.005050]  [<ffffffff811a8208>] __check_block_validity.constprop.57+0x78/0x80
[ 1.005050]  [<ffffffff811eb791>] ? ext4_es_lookup_extent+0x91/0x180
[ 1.005050]  [<ffffffff811a9fe0>] ext4_map_blocks+0x250/0x3f0
[ 1.005050]  [<ffffffff811ac062>] _ext4_get_block+0x82/0x190
[ 1.005050]  [<ffffffff811ac1a1>] ext4_get_block+0x11/0x20
[ 1.005050]  [<ffffffff8115d6ba>] generic_block_bmap+0x3a/0x40
[ 1.005050]  [<ffffffff810e1d49>] ? find_get_page+0x19/0xa0
[ 1.005050]  [<ffffffff8115e538>] ? __find_get_block_slow+0xb8/0x160
[ 1.005050]  [<ffffffff810ea6ad>] ? mapping_tagged+0xd/0x10
[ 1.005050]  [<ffffffff811a7f09>] ext4_bmap+0x89/0xf0
[ 1.005050]  [<ffffffff811453d9>] bmap+0x19/0x20
[ 1.005050]  [<ffffffff811fe25e>] jbd2_journal_bmap+0x2e/0xb0
[ 1.005050]  [<ffffffff811f6d5b>] jread+0x3b/0x270
[ 1.005050]  [<ffffffff8115ef28>] ? __getblk+0x28/0x2d0
[ 1.005050]  [<ffffffff811f8aea>] ? find_revoke_record+0x5a/0xb0
[ 1.005050]  [<ffffffff811f701e>] do_one_pass+0x8e/0xad0
[ 1.005050]  [<ffffffff811f7b39>] jbd2_journal_recover+0xd9/0x110
[ 1.005050]  [<ffffffff811fddc7>] jbd2_journal_load+0xd7/0x390
[ 1.005050]  [<ffffffff811275a0>] ? kmem_cache_alloc_trace+0x30/0x110
[ 1.005050]  [<ffffffff811cfbab>] ext4_fill_super+0x1e9b/0x2dc0
[ 1.005050]  [<ffffffff81130cf1>] mount_bdev+0x1a1/0x1e0
[ 1.005050]  [<ffffffff811cdd10>] ? ext4_calculate_overhead+0x3c0/0x3c0
[ 1.005050]  [<ffffffff811bb1d0>] ext4_mount+0x10/0x20
[ 1.005050]  [<ffffffff8113196e>] mount_fs+0x3e/0x1b0
[ 1.005050]  [<ffffffff81100b7b>] ? __alloc_percpu+0xb/0x10
[ 1.005050]  [<ffffffff8114a87f>] vfs_kern_mount+0x6f/0x110
[ 1.005050]  [<ffffffff8114cac9>] do_mount+0x209/0xa10
[ 1.005050]  [<ffffffff810fb343>] ? strndup_user+0x53/0x70
[ 1.005050]  [<ffffffff8114d359>] sys_mount+0x89/0xd0
[ 1.005050]  [<ffffffff81cd51e1>] mount_block_root+0xf6/0x221
[ 1.005050]  [<ffffffff81cd5406>] mount_root+0xfa/0x105
[ 1.005050]  [<ffffffff81cd554e>] prepare_namespace+0x13d/0x16a
[ 1.005050]  [<ffffffff81cd4fa2>] kernel_init_freeable+0x1b4/0x1c4
[ 1.005050]  [<ffffffff81cd481c>] ? do_early_param+0x8c/0x8c
[ 1.005050]  [<ffffffff81784e20>] ? rest_init+0x70/0x70
[ 1.005050]  [<ffffffff81784e29>] kernel_init+0x9/0xf0
[ 1.005050]  [<ffffffff817a60ac>] ret_from_fork+0x7c/0xb0
[ 1.005050]  [<ffffffff81784e20>] ? rest_init+0x70/0x70
[ 1.005050] Code: 53 48 83 ec 28 48 8b 87 40 03 00 00 48 8b 58 68 f6 43 65 04 75 0e 48 83 c4 28 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 80 b8 03 00 00 <83> 38 04 75 37 48 8d 7d d8 ba fc 03 00 00 48 89 de 48 89 45 d8
[ 1.005050] RIP [<ffffffff811ca54f>] ext4_superblock_csum_set+0x2f/0x70
[ 1.005050] RSP <ffff88003e1f5578>
[ 1.005050] CR2: 0000000000000000
[ 1.066804] ---[ end trace cba8b53354947677 ]---

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
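A small triage helper, added here as an example and not part of Josh Triplett's report: it parses an x86-64 oops of the format quoted above into the faulting instruction, the register file (including CR2, the faulting address) and the call trace, and separates the frames the unwinder trusts from the "?" frames that are only stale stack slots. The sample input is a handful of lines copied from the oops above; the field names are this example's own.

```python
import re

# Sample input: lines copied from the oops quoted in the report above.
OOPS = """\
[    1.004234] BUG: unable to handle kernel NULL pointer dereference at           (null)
[    1.005050] IP: [<ffffffff811ca54f>] ext4_superblock_csum_set+0x2f/0x70
[    1.005050] RAX: 0000000000000000 RBX: ffff880001da8400 RCX: 0000000000000001
[    1.005050] CR2: 0000000000000000 CR3: 0000000001c0b000 CR4: 00000000000006f0
[    1.005050] Call Trace:
[    1.005050]  [<ffffffff812c8ffa>] ? __percpu_counter_sum+0x5a/0x80
[    1.005050]  [<ffffffff811cae3c>] ext4_commit_super+0x15c/0x240
[    1.005050]  [<ffffffff811cb0ae>] save_error_info+0x1e/0x30
[    1.005050]  [<ffffffff811cc12e>] ext4_error_inode+0x5e/0x120
[    1.005050] Code: 53 48 83 ec 28 48 8b 87 40 03 00 00
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # printk "[ secs.usecs] " prefix
FRAME = re.compile(r"\[<([0-9a-f]+)>\]\s+(\?\s+)?(\S+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
REG = re.compile(r"\b(R[A-Z0-9]{2}|CR\d|DR\d)\s*:\s*([0-9a-f]{16})")  # NAME: 16-hex-digit value

def parse_frame(text):
    """One '[<addr>] sym+0xoff/0xsize' frame; a leading '?' means the unwinder
    found the address on the stack but could not confirm it is a live return address."""
    m = FRAME.search(text)
    if not m:
        return None
    addr, unreliable, sym, off, size = m.groups()
    return {"addr": int(addr, 16), "sym": sym, "off": int(off, 16),
            "size": int(size, 16), "reliable": unreliable is None}

def parse_oops(text):
    """Split a printk oops dump into the fields a triager reaches for first."""
    out = {"bug": None, "ip": None, "regs": {}, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if line.startswith("BUG:"):
            out["bug"] = line[4:].strip()
        elif line.startswith("IP:"):
            out["ip"] = parse_frame(line)       # where the fault was taken
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:"):
            in_trace = False                    # end of the trace, start of the opcode bytes
        elif in_trace:
            frame = parse_frame(line)
            if frame:
                out["trace"].append(frame)
        else:
            for reg, val in REG.findall(line):  # register dump lines
                out["regs"][reg] = int(val, 16)
    return out

def reliable_path(parsed):
    """Call chain with the '?' frames dropped, innermost first."""
    return [f["sym"] for f in parsed["trace"] if f["reliable"]]
```

With CR2 equal to 0 and the faulting instruction in ext4_superblock_csum_set, the reliable chain ext4_commit_super -> save_error_info -> ext4_error_inode shows the error-reporting path was entered while the journal was still being replayed, which is the state the report describes.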