lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <bug-199301-13602@https.bugzilla.kernel.org/>
Date:   Fri, 06 Apr 2018 01:44:10 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 199301] New: BUG() in ext4_mark_recovery_complete() can be
 triggered when mounting crafted image

https://bugzilla.kernel.org/show_bug.cgi?id=199301

            Bug ID: 199301
           Summary: BUG() in ext4_mark_recovery_complete() can be
                    triggered when mounting crafted image
           Product: File System
           Version: 2.5
    Kernel Version: 4.15.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 275115
  --> https://bugzilla.kernel.org/attachment.cgi?id=275115&action=edit
The crafted image which causes kernel panic

- Overview
BUG_ON() in ext4_mark_recovery_complete() can be triggered when mounting
crafted ext4 image

- Reproduce
# mkdir mnt
# mount -t ext4 20.img mnt

- Reason
The superblock's journal feature bit can be inconsistent with its journal pointer.

- Crash dump
[  345.621451] EXT4-fs (loop0): ext4_check_descriptors: Inode bitmap for group
0 overlaps superblock
[  345.633213] EXT4-fs error (device loop0): ext4_orphan_get:1256: comm mount:
bad orphan inode 27
[  345.634421] ext4_test_bit(bit=26, block=1) = 0
[  345.634435] EXT4-fs (loop0): recovery complete
[  345.634441] ------------[ cut here ]------------
[  345.634442] kernel BUG at
/build/linux-8h04gD/linux-4.13.0/fs/ext4/super.c:4794!
[  345.634471] invalid opcode: 0000 [#1] SMP
[  345.634481] Modules linked in: ppdev btusb btrtl vmw_balloon btbcm btintel
coretemp intel_rapl_perf input_leds bluetooth uvcvideo joydev videobuf2_vmalloc
serio_raw videobuf2_memops snd_ens1371 videobuf2_v4l2 videobuf2_core
snd_ac97_codec videodev gameport snd_rawmidi snd_seq_device media ac97_bus
ecdh_generic snd_pcm snd_timer snd soundcore parport_pc parport nfit mac_hid
i2c_piix4 shpchp vmw_vsock_vmci_transport vsock vmw_vmci ib_iser rdma_cm iw_cm
ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables
x_tables autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq
async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear
hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc
aesni_intel aes_x86_64 crypto_simd glue_helper cryptd
[  345.634716]  vmwgfx ttm psmouse drm_kms_helper syscopyarea sysfillrect
sysimgblt mptspi fb_sys_fops mptscsih ahci mptbase drm e1000 libahci
scsi_transport_spi pata_acpi
[  345.634764] CPU: 3 PID: 1766 Comm: mount Not tainted 4.13.0-21-generic
#24-Ubuntu
[  345.634780] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[  345.634813] task: ffff8d79705e5d00 task.stack: ffffb131033c0000
[  345.634840] RIP: 0010:ext4_mark_recovery_complete.isra.197+0x6a/0x90
[  345.634864] RSP: 0018:ffffb131033c3c80 EFLAGS: 00010286
[  345.634876] RAX: ffff8d79741eb400 RBX: ffff8d79741eb400 RCX:
0000000000000006
[  345.634901] RDX: 0000000000000000 RSI: 0000000000000092 RDI:
ffff8d796ec9c000
[  345.634916] RBP: ffffb131033c3c90 R08: 0000000000000001 R09:
000000000000065f
[  345.634930] R10: ffff8d79741eb700 R11: 0000000000000000 R12:
ffff8d796ec9d000
[  345.634945] R13: 0000000000000000 R14: ffff8d796ec98000 R15:
0000000000000000
[  345.634971] FS:  00007f2e47072fc0(0000) GS:ffff8d79796c0000(0000)
knlGS:0000000000000000
[  345.634988] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  345.635010] CR2: 000055c457ac80d8 CR3: 00000001340b8000 CR4:
00000000001406e0
[  345.635078] Call Trace:
[  345.635088]  ext4_fill_super+0x24e3/0x38f0
[  345.635100]  ? snprintf+0x45/0x70
[  345.635670]  mount_bdev+0x245/0x290
[  345.636174]  ? mount_bdev+0x245/0x290
[  345.636654]  ? ext4_calculate_overhead+0x490/0x490
[  345.637124]  ext4_mount+0x15/0x20
[  345.637567]  mount_fs+0x32/0x150
[  345.638048]  ? alloc_vfsmnt+0x1b3/0x230
[  345.638452]  vfs_kern_mount.part.20+0x5d/0x110
[  345.638851]  do_mount+0x1f3/0xce0
[  345.639254]  ? __check_object_size+0xaf/0x1b0
[  345.639669]  ? memdup_user+0x4f/0x80
[  345.640044]  SyS_mount+0x98/0xe0
[  345.640407]  entry_SYSCALL_64_fastpath+0x1e/0xa9
[  345.640805] RIP: 0033:0x7f2e4693d4ba
[  345.641150] RSP: 002b:00007ffcd8908b38 EFLAGS: 00000202 ORIG_RAX:
00000000000000a5
[  345.641498] RAX: ffffffffffffffda RBX: 00007f2e46c4748f RCX:
00007f2e4693d4ba
[  345.641839] RDX: 000055c457abaaa0 RSI: 000055c457abc7c0 RDI:
000055c457ac3e30
[  345.642173] RBP: 00007f2e46e58864 R08: 0000000000000000 R09:
000055c457abaac0
[  345.642496] R10: 00000000c0ed0000 R11: 0000000000000202 R12:
000055c457aba980
[  345.642810] R13: 00007ffcd8908e58 R14: 000055c4575c34a0 R15:
00000000ffffffff
[  345.643118] Code: 01 00 85 c0 78 18 48 8b 83 00 04 00 00 48 8b 50 68 8b 42
60 a8 04 74 06 f6 43 50 01 75 0f 4c 89 e7 e8 9b f1 00 00 5b 41 5c 5d c3 <0f> 0b
83 e0 fb be 01 00 00 00 48 89 df 89 42 60 e8 e1 fb ff ff
[  345.644115] RIP: ext4_mark_recovery_complete.isra.197+0x6a/0x90 RSP:
ffffb131033c3c80
[  345.644616] ---[ end trace bb74428aee8363f9 ]---
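
As an added example (not code from the bug report or from ext4 itself): a small user-space pre-mount sanity check in C that reads an image's primary superblock and group 0 descriptor and flags the two inconsistencies this report points at, a journal feature bit that disagrees with the journal location fields (the in-kernel journal pointer is approximated here by the on-disk s_journal_inum/s_journal_dev fields), and an inode bitmap placed on the same block as the superblock, as the ext4_check_descriptors line in the dump above reports. Field offsets are the on-disk ext4 layout; check_constructed() builds constructed sample images in memory instead of reading a file.

```c
/* Added example, not code from the bug report: a user-space pre-mount sanity check
 * for the two inconsistencies the report shows (journal feature bit vs. journal
 * location; group 0 inode bitmap placed on the superblock's block). Offsets follow
 * the on-disk ext4 layout; images built by check_constructed() are constructed samples. */
#include <stdint.h>
#include <stddef.h>

#define SB_OFF 1024u                /* primary superblock is at byte 1024 */
#define EXT4_MAGIC 0xEF53u
#define COMPAT_HAS_JOURNAL 0x0004u  /* s_feature_compat bit */
#define INCOMPAT_64BIT 0x0080u      /* s_feature_incompat bit: wide group descriptors */
enum { IMG_OK, IMG_TRUNCATED, IMG_BAD_MAGIC, IMG_BAD_GEOMETRY, IMG_JOURNAL_MISMATCH, IMG_BITMAP_OVERLAP };
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Returns IMG_OK or the first inconsistency found; only group 0 is inspected. */
int check_ext4_image(const uint8_t *img, size_t len)
{
    if (len < SB_OFF + 1024) return IMG_TRUNCATED;
    const uint8_t *sb = img + SB_OFF;
    if (le16(sb + 0x38) != EXT4_MAGIC) return IMG_BAD_MAGIC;              /* s_magic */
    uint32_t logbs = le32(sb + 0x18);                                      /* s_log_block_size */
    if (logbs > 6) return IMG_BAD_GEOMETRY;                                /* 1 KiB .. 64 KiB blocks only */
    uint32_t blocksize = 1024u << logbs;
    uint32_t compat = le32(sb + 0x5C), incompat = le32(sb + 0x60);
    int journal_bit = (compat & COMPAT_HAS_JOURNAL) != 0;
    int journal_loc = le32(sb + 0xE0) != 0 || le32(sb + 0xE4) != 0;       /* s_journal_inum / s_journal_dev */
    /* A set feature bit with no journal location (or the reverse) is the disagreement reported above. */
    if (journal_bit != journal_loc) return IMG_JOURNAL_MISMATCH;
    /* Group descriptors start in the block after the one holding the superblock. */
    uint64_t sb_block = SB_OFF / blocksize;                                /* 1 for 1 KiB blocks, else 0 */
    uint32_t desc_size = (incompat & INCOMPAT_64BIT) ? le16(sb + 0xFE) : 32; /* s_desc_size */
    uint64_t gdt = (sb_block + 1) * blocksize;
    if (gdt + desc_size > len) return IMG_TRUNCATED;
    uint64_t inode_bitmap = le32(img + gdt + 0x04);                       /* bg_inode_bitmap_lo */
    if ((incompat & INCOMPAT_64BIT) && desc_size >= 0x28)
        inode_bitmap |= (uint64_t)le32(img + gdt + 0x24) << 32;           /* bg_inode_bitmap_hi */
    /* A bitmap on the superblock's block means bitmap writes land on the superblock itself. */
    return inode_bitmap == sb_block ? IMG_BITMAP_OVERLAP : IMG_OK;
}

/* Builds a constructed 1 KiB-block image with only the fields the check reads, then checks it. */
int check_constructed(int journal_bit, uint32_t journal_inum, uint32_t inode_bitmap)
{
    uint8_t img[4096] = {0};
    uint8_t *sb = img + SB_OFF;
    sb[0x38] = 0x53; sb[0x39] = 0xEF;                                      /* s_magic, little-endian */
    put32(sb + 0x5C, journal_bit ? COMPAT_HAS_JOURNAL : 0);
    put32(sb + 0xE0, journal_inum);
    put32(img + 2048 + 0x04, inode_bitmap);                                /* group 0 descriptor at block 2 */
    return check_ext4_image(img, sizeof img);
}
```

Running the real check over an untrusted image before mounting it (or simply running e2fsck -n on it first) is the practical takeaway; the group 0 checks here generalize to every group by walking the descriptor table.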

- Reporter
Wen Xu from SSLab, Gatech

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
