Date:	Tue, 7 Oct 2014 23:34:58 +0300
From:	Sami Liedes <sami.liedes@....fi>
To:	linux-ext4@...r.kernel.org
Subject: Intentionally corrupted ext4: panic in
 jbd2_journal_commit_transaction()

Hi,

Here's one more ext4 filesystem with a single bit corrupted in a way
that causes a crash on 3.17 with the two patches from this thread
applied.

Corrupted image:

   http://www.niksula.hut.fi/~sliedes/ext4/jbd2_journal_commit_transaction/testimg.ext4.23934.min.bz2

Pristine image:

   http://www.niksula.hut.fi/~sliedes/ext4/testimg.ext4.pristine.bz2

Diff:

--- /dev/fd/63  2014-10-07 23:10:25.527812967 +0300
+++ /dev/fd/62  2014-10-07 23:10:25.527812967 +0300
@@ -552,7 +552,7 @@
 00012ba0  00 00 08 00 00 00 00 00  0a f3 03 00 04 00 00 00  |................|
 00012bb0  00 00 00 00 00 00 00 00  01 00 00 00 39 00 00 00  |............9...|
 00012bc0  01 00 00 00 0e 00 00 00  3c 00 00 00 0f 00 00 00  |........<.......|
-00012bd0  f1 03 00 00 8b 01 00 00  00 00 00 00 00 00 00 00  |................|
+00012bd0  f1 03 00 00 8b 00 00 00  00 00 00 00 00 00 00 00  |................|
 00012be0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *
 00012d00  e4 41 00 00 00 30 00 00  c8 a7 4a 48 9e 26 bf 48  |.A...0....JH.&.H|
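
Review bot: the `---`/`+++` headers (/dev/fd/63 and /dev/fd/62) do not say which side is the pristine image and which is the corrupted one, so the direction of the change in the 00012bd0 row (sixth byte, offset 0x12bd5, `01` versus `00`) cannot be read from the hunk alone. Naming the two inputs, or stating the offset and the before/after value in the text, would let the flipped bit be mapped to an on-disk structure without downloading both images.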

Backtrace:

[    5.085227] EXT4-fs (vdb): mounted filesystem with ordered data mode. Opts: errors=continue
[    5.179552] ------------[ cut here ]------------
[    5.180205] kernel BUG at fs/jbd2/commit.c:848!
[    5.180751] invalid opcode: 0000 [#1] SMP
[    5.181186] CPU: 0 PID: 878 Comm: jbd2/vdb-8 Not tainted 3.17.0+ #29
[    5.181186] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[    5.181186] task: ffff880000066360 ti: ffff880004c98000 task.ti: ffff880004c98000
[    5.181186] RIP: 0010:[<ffffffff812ad28f>]  [<ffffffff812ad28f>] jbd2_journal_commit_transaction+0x16df/0x1c50
[    5.181186] RSP: 0018:ffff880004c9bc78  EFLAGS: 00010246
[    5.181186] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000180270022
[    5.181186] RDX: 0000000180270023 RSI: ffffea0000193080 RDI: ffff880006513070
[    5.181186] RBP: ffff880004c9bde8 R08: 00000000064c2f01 R09: 0000000180270022
[    5.181186] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800044ce680
[    5.181186] R13: ffff8800064c28f0 R14: ffff8800063cb000 R15: ffff880000c39000
[    5.181186] FS:  0000000000000000(0000) GS:ffff880007c00000(0000) knlGS:0000000000000000
[    5.181186] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[    5.181186] CR2: 00000000f7780866 CR3: 00000000050ef000 CR4: 00000000000006b0
[    5.181186] Stack:
[    5.181186]  ffff880007d68c00 0000001804c9bd50 0000000134960a6e ffffffff00000008
[    5.181186]  0000000000000234 ffff880000c390cc 0000000000000000 ffff880005c82000
[    5.181186]  ffff880000c39000 ffff880000c39050 ffff880007d68dcc ffff880004c9bd40
[    5.181186] Call Trace:
[    5.181186]  [<ffffffff812b2bd3>] kjournald2+0x143/0x3c0
[    5.181186]  [<ffffffff810a5110>] ? __wake_up_common+0x90/0x90
[    5.181186]  [<ffffffff812b2a90>] ? __jbd2_debug+0x60/0x60
[    5.181186]  [<ffffffff8108a451>] kthread+0xf1/0x110
[    5.181186]  [<ffffffff8108a360>] ? __kthread_parkme+0x70/0x70
[    5.181186]  [<ffffffff8188c77c>] ret_from_fork+0x7c/0xb0
[    5.181186]  [<ffffffff8108a360>] ? __kthread_parkme+0x70/0x70
[    5.181186] Code: 00 00 49 8b 5f 28 e9 51 f1 ff ff 0f 0b 48 8b 7c 24 70 e8 f5 e8 5d 00 48 8d 84 24 c8 00 00 00 48 89 44 24 58 e9 1a f0 ff ff 0f 0b <0f> 0b 65 ff 04 25 a0 b8 00 00 48 8b 1d 80 b7 c3 00 48 85 db 74
[    5.181186] RIP  [<ffffffff812ad28f>] jbd2_journal_commit_transaction+0x16df/0x1c50
[    5.181186]  RSP <ffff880004c9bc78>
[    5.204927] ---[ end trace f1b91b47d2c74c2f ]---
[    5.205477] Kernel panic - not syncing: Fatal exception
[    5.206217] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
[    5.207413] Rebooting in 1 seconds..

	Sami
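
A triage helper for traces like the one in this message, as an added example that is not part of the original post: it reduces an oops to an address-independent key (BUG site, faulting function, reliable call-trace frames) so that repeated crashes from a batch of corrupted images can be grouped. The function names, the key format and the `depth` parameter are assumptions of this example; the sample input is an excerpt of the trace above.

```python
import re

# Excerpt of the trace in the message above (shortened), used as sample input.
SAMPLE_OOPS = """\
[    5.179552] ------------[ cut here ]------------
[    5.180205] kernel BUG at fs/jbd2/commit.c:848!
[    5.181186] RIP: 0010:[<ffffffff812ad28f>]  [<ffffffff812ad28f>] jbd2_journal_commit_transaction+0x16df/0x1c50
[    5.181186] Call Trace:
[    5.181186]  [<ffffffff812b2bd3>] kjournald2+0x143/0x3c0
[    5.181186]  [<ffffffff810a5110>] ? __wake_up_common+0x90/0x90
[    5.181186]  [<ffffffff8108a451>] kthread+0xf1/0x110
[    5.204927] ---[ end trace f1b91b47d2c74c2f ]---
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
BUG = re.compile(r"kernel BUG at (\S+):(\d+)!")
RIP = re.compile(r"RIP: .*\]\s+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME = re.compile(r"^\s*\[<[0-9a-f]+>\]\s+(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def crash_signature(log):
    """Return BUG site, faulting function and reliable frames of one oops."""
    sig = {"bug": None, "rip": None, "frames": []}
    in_trace = False
    for raw in log.splitlines():
        line = TS.sub("", raw)
        if sig["bug"] is None and (m := BUG.search(line)):
            sig["bug"] = (m.group(1), int(m.group(2)))
        elif sig["rip"] is None and (m := RIP.search(line)):
            sig["rip"] = m.group(1)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME.match(line)
            if m is None:
                in_trace = False      # first non-frame line ends the trace
            elif not m.group(1):      # skip '?' frames: unreliable stack entries
                sig["frames"].append(m.group(2))
    return sig

def bucket_key(sig, depth=3):
    """Join the signature into one string; addresses and offsets are left out."""
    bug = "%s:%d" % sig["bug"] if sig["bug"] else "no-BUG"
    return "|".join([bug, sig["rip"] or "?", ">".join(sig["frames"][:depth])])

if __name__ == "__main__":
    print(bucket_key(crash_signature(SAMPLE_OOPS)))
```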
