Message-ID: <bug-199337-13602@https.bugzilla.kernel.org/>
Date:   Tue, 10 Apr 2018 03:46:44 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 199337] New: BUG() in ext4_mb_mark_diskspace_used() when
 mounting and operating on a crafted ext4 image

https://bugzilla.kernel.org/show_bug.cgi?id=199337

            Bug ID: 199337
           Summary: BUG() in ext4_mb_mark_diskspace_used() when mounting
                    and operating on a crafted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.4.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 275263
  --> https://bugzilla.kernel.org/attachment.cgi?id=275263&action=edit
The crafted image which causes kernel panic

- Overview
BUG() is triggered at ext4_mb_mark_diskspace_used() when mounting and operating
on a crafted ext4 image

- Reproduce
# mkdir mnt
# mount -t ext4 231.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Location
https://elixir.bootlin.com/linux/v4.4.124/source/fs/ext4/mballoc.c#L2907

- Kernel Dump
[   29.639629] EXT4-fs (loop0): mounted filesystem without journal. Opts: (null)
[   33.642045] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 4, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642115] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 5, block bitmap and bg descriptor inconsistent: 32 vs 61696 free clusters
[   33.642173] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 17, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642227] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 21, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642294] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 24, block bitmap and bg descriptor inconsistent: 20 vs 0 free clusters
[   33.642347] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 25, block bitmap and bg descriptor inconsistent: 20 vs 256 free clusters
[   33.642755] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 42, block bitmap and bg descriptor inconsistent: 32 vs 4 free clusters
[   33.642813] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 43, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642870] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 62, block bitmap and bg descriptor inconsistent: 20 vs 0 free clusters
[   33.642922] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 63, block bitmap and bg descriptor inconsistent: 20 vs 32 free clusters
[   33.643035] ------------[ cut here ]------------
[   33.643054] kernel BUG at fs/ext4/mballoc.c:2907!
[   33.643073] invalid opcode: 0000 [#1] SMP
[   33.643542] CPU: 0 PID: 1510 Comm: poc Not tainted 4.4.124 #4
[   33.644464] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[   33.647050] RIP: 0010:[<ffffffff962d4357>]  [<ffffffff962d4357>] ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.656880] Call Trace:
[   33.657475]  [<ffffffff962d043a>] ? ext4_mb_new_inode_pa+0x27a/0x3b0
[   33.658003]  [<ffffffff962d58d7>] ext4_mb_new_blocks+0x337/0xad0
[   33.658520]  [<ffffffff9624478a>] ? __find_get_block+0xaa/0x120
[   33.659025]  [<ffffffff96244acb>] ? __getblk_gfp+0x2b/0x60
[   33.659568]  [<ffffffff962da07c>] ? ext4_get_branch+0xbc/0x130
[   33.660093]  [<ffffffff962db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[   33.660672]  [<ffffffff962991d3>] ? mpage_prepare_extent_to_map+0x243/0x2f0
[   33.661211]  [<ffffffff9629a3d4>] ext4_map_blocks+0x2c4/0x570
[   33.661768]  [<ffffffff962cd132>] ? ext4_journal_check_start+0x12/0x80
[   33.662325]  [<ffffffff9629d7f4>] ext4_writepages+0x634/0xce0
[   33.662906]  [<ffffffff9622990e>] ? atime_needs_update+0x4e/0xc0
[   33.663425]  [<ffffffff9619c131>] do_writepages+0x21/0x30
[   33.663913]  [<ffffffff9618f146>] __filemap_fdatawrite_range+0xc6/0x100
[   33.664460]  [<ffffffff9618f28a>] filemap_write_and_wait_range+0x2a/0x70
[   33.664960]  [<ffffffff96234ef7>] __generic_file_fsync+0x27/0x90
[   33.665399]  [<ffffffff96234f79>] generic_file_fsync+0x19/0x40
[   33.665817]  [<ffffffff962946fc>] ext4_sync_file+0x1ec/0x340
[   33.666230]  [<ffffffff962411de>] vfs_fsync_range+0x4e/0xb0
[   33.666649]  [<ffffffff9624129d>] do_fsync+0x3d/0x70
[   33.667080]  [<ffffffff96241563>] SyS_fdatasync+0x13/0x20
[   33.667492]  [<ffffffff967fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[   33.669230] RIP  [<ffffffff962d4357>] ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.669657]  RSP <ffff8800b5147938>
[   33.670300] ---[ end trace 842e5cb6ac86b18d ]---
[   33.670734] ------------[ cut here ]------------
[   33.671160] WARNING: CPU: 0 PID: 1510 at kernel/exit.c:661 do_exit+0x5f/0xb00()
[   33.677367] CPU: 0 PID: 1510 Comm: poc Tainted: G      D         4.4.124 #4
[   33.677841] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[   33.680482] Call Trace:
[   33.680982]  [<ffffffff963d8d23>] dump_stack+0x63/0x90
[   33.681485]  [<ffffffff96081e72>] warn_slowpath_common+0x82/0xc0
[   33.681988]  [<ffffffff96081fba>] warn_slowpath_null+0x1a/0x20
[   33.682487]  [<ffffffff960848af>] do_exit+0x5f/0xb00
[   33.682995]  [<ffffffff9601acd1>] oops_end+0xa1/0xd0
[   33.683486]  [<ffffffff9601b18b>] die+0x4b/0x70
[   33.684023]  [<ffffffff96018131>] do_trap+0xb1/0x140
[   33.684525]  [<ffffffff960184b9>] do_error_trap+0x89/0x110
[   33.685012]  [<ffffffff962d4357>] ? ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.685507]  [<ffffffff962d3029>] ? mb_mark_used+0x289/0x320
[   33.686003]  [<ffffffff96018a20>] do_invalid_op+0x20/0x30
[   33.686750]  [<ffffffff967fd28e>] invalid_op+0x1e/0x30
[   33.687719]  [<ffffffff962d4357>] ? ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.688763]  [<ffffffff962d043a>] ? ext4_mb_new_inode_pa+0x27a/0x3b0
[   33.689685]  [<ffffffff962d58d7>] ext4_mb_new_blocks+0x337/0xad0
[   33.690415]  [<ffffffff9624478a>] ? __find_get_block+0xaa/0x120
[   33.691262]  [<ffffffff96244acb>] ? __getblk_gfp+0x2b/0x60
[   33.692246]  [<ffffffff962da07c>] ? ext4_get_branch+0xbc/0x130
[   33.693136]  [<ffffffff962db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[   33.693930]  [<ffffffff962991d3>] ? mpage_prepare_extent_to_map+0x243/0x2f0
[   33.694600]  [<ffffffff9629a3d4>] ext4_map_blocks+0x2c4/0x570
[   33.695526]  [<ffffffff962cd132>] ? ext4_journal_check_start+0x12/0x80
[   33.696304]  [<ffffffff9629d7f4>] ext4_writepages+0x634/0xce0
[   33.696838]  [<ffffffff9622990e>] ? atime_needs_update+0x4e/0xc0
[   33.697308]  [<ffffffff9619c131>] do_writepages+0x21/0x30
[   33.697759]  [<ffffffff9618f146>] __filemap_fdatawrite_range+0xc6/0x100
[   33.698261]  [<ffffffff9618f28a>] filemap_write_and_wait_range+0x2a/0x70
[   33.698694]  [<ffffffff96234ef7>] __generic_file_fsync+0x27/0x90
[   33.699117]  [<ffffffff96234f79>] generic_file_fsync+0x19/0x40
[   33.699559]  [<ffffffff962946fc>] ext4_sync_file+0x1ec/0x340
[   33.699945]  [<ffffffff962411de>] vfs_fsync_range+0x4e/0xb0
[   33.700415]  [<ffffffff9624129d>] do_fsync+0x3d/0x70
[   33.701025]  [<ffffffff96241563>] SyS_fdatasync+0x13/0x20
[   33.701421]  [<ffffffff967fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[   33.701834] ---[ end trace 842e5cb6ac86b18e ]---
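An added example, not code from this report or from the kernel: the block-bitmap versus group-descriptor cross-check behind the ext4_mb_generate_buddy messages in the dump, followed by the allocation gate a defender wants, refusing a group once it is flagged corrupt rather than letting allocation run on until BUG() is the last check left. Group 4's 32-vs-0 values come from the log; the 64-cluster group size, the bitmap layout and the struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CLUSTERS_PER_GROUP 64u  /* constructed group size; real groups hold far more */

struct group_info {
    unsigned group;                          /* block group number */
    unsigned desc_free;                      /* descriptor's bg_free_blocks_count */
    uint8_t bitmap[CLUSTERS_PER_GROUP / 8];  /* on-disk block bitmap, bit set = in use */
    bool corrupt;                            /* set once bitmap and descriptor disagree */
};

/* Free clusters according to the bitmap: a clear bit means free. */
unsigned count_free_clusters(const uint8_t *bitmap, unsigned nclusters)
{
    unsigned nfree = 0;
    for (unsigned i = 0; i < nclusters; i++)
        nfree += !(bitmap[i / 8] & (1u << (i % 8)));
    return nfree;
}

/* Cross-check bitmap against descriptor, the comparison behind the "block bitmap
 * and bg descriptor inconsistent" lines; a mismatch marks the group corrupt. */
bool validate_group(struct group_info *g)
{
    unsigned bitmap_free = count_free_clusters(g->bitmap, CLUSTERS_PER_GROUP);
    if (bitmap_free != g->desc_free) {
        fprintf(stderr, "group %u, block bitmap and bg descriptor inconsistent: "
                "%u vs %u free clusters\n", g->group, bitmap_free, g->desc_free);
        g->corrupt = true;
    }
    return !g->corrupt;
}

/* Allocation gate: a corrupt group is refused (-1), so the allocator fails
 * cleanly instead of reaching a state where BUG() is the last remaining check. */
int allocate_from_group(struct group_info *g, unsigned want)
{
    if (g->corrupt || count_free_clusters(g->bitmap, CLUSTERS_PER_GROUP) < want)
        return -1;
    return 0;
}

/* Constructed group 4 as in the dump: bitmap shows 32 free, descriptor claims 0. */
static const struct group_info group4_from_dump = {
    .group = 4, .desc_free = 0, .corrupt = false,
    .bitmap = { 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0 },
};
```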

Reported by Wen Xu from SSLab, Gatech

