Message-ID: <bug-200069-13602@https.bugzilla.kernel.org/>
Date: Thu, 14 Jun 2018 03:10:56 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 200069] New: BUG() triggered in start_this_handle() (jbd2/transaction.c) when operating and umounting a crafted ext4 image
https://bugzilla.kernel.org/show_bug.cgi?id=200069
Bug ID: 200069
Summary: BUG() triggered in start_this_handle() (jbd2/transaction.c) when operating and umounting a crafted ext4 image
Product: File System
Version: 2.5
Kernel Version: 4.17
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@...nel-bugs.osdl.org
Reporter: wen.xu@...ech.edu
Regression: No
Created attachment 276539
--> https://bugzilla.kernel.org/attachment.cgi?id=276539&action=edit
The crafted image which causes kernel panic
There is no component named "JBD2" to select, so I post it here, considering that it appears when operating on an ext4 image.
- Reproduce
# mkdir mnt
# mount -t ext4 112.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
# umount mnt <--- required
- Kernel message (4.17 upstream kernel)
[ 48.128367] EXT4-fs (sda1): mounting ext2 file system using the ext4 subsystem
[ 48.147513] EXT4-fs (sda1): mounted filesystem without journal. Opts: (null)
[ 49.401332] audit: type=1400 audit(1523910147.644:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=846 comm="apparmor_parser"
[ 49.401370] audit: type=1400 audit(1523910147.644:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=846 comm="apparmor_parser"
[ 49.401401] audit: type=1400 audit(1523910147.644:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=846 comm="apparmor_parser"
[ 49.401425] audit: type=1400 audit(1523910147.644:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=846 comm="apparmor_parser"
[ 49.460390] audit: type=1400 audit(1523910147.704:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=853 comm="apparmor_parser"
[ 49.460426] audit: type=1400 audit(1523910147.704:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=853 comm="apparmor_parser"
[ 49.460449] audit: type=1400 audit(1523910147.704:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=853 comm="apparmor_parser"
[ 49.460472] audit: type=1400 audit(1523910147.704:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=853 comm="apparmor_parser"
[ 49.479598] audit: type=1400 audit(1523910147.720:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=854 comm="apparmor_parser"
[ 49.491795] audit: type=1400 audit(1523910147.732:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/ubuntu-core-launcher" pid=855 comm="apparmor_parser"
[ 49.933811] 8139cp 0000:00:03.0 ens3: link up, 100Mbps, full-duplex, lpa 0x05E1
[ 50.741705] Adding 16777212k swap on /dev/mapper/ubuntu--vg-swap_1. Priority:-2 extents:1 across:16777212k FS
[ 51.074831] new mount options do not match the existing superblock, will be ignored
[ 54.145372] snd_hda_codec_generic hdaudioC0D0: autoconfig for Generic: line_outs=1 (0x3/0x0/0x0/0x0/0x0) type:line
[ 54.145379] snd_hda_codec_generic hdaudioC0D0: speaker_outs=0 (0x0/0x0/0x0/0x0/0x0)
[ 54.145384] snd_hda_codec_generic hdaudioC0D0: hp_outs=0 (0x0/0x0/0x0/0x0/0x0)
[ 54.145405] snd_hda_codec_generic hdaudioC0D0: mono: mono_out=0x0
[ 54.145409] snd_hda_codec_generic hdaudioC0D0: inputs:
[ 54.145415] snd_hda_codec_generic hdaudioC0D0: Line=0x5
[ 103.851606] EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
[ 103.914444] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 110.420755] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 46: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=90, rec_len=0, name_len=0
[ 110.462652] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 47: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=90, rec_len=0, name_len=0
[ 110.486738] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 48: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[ 110.514166] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 50: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[ 110.538125] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 57: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=3, name_len=0
[ 110.561406] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 58: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=2553887680, rec_len=0, name_len=0
[ 110.595214] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 59: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=2553887680, rec_len=0, name_len=0
[ 110.619184] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 60: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=524287, rec_len=0, name_len=0
[ 110.642651] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 61: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=10, rec_len=11, name_len=0
[ 110.666303] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 62: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[ 128.012230] ------------[ cut here ]------------
[ 128.012235] kernel BUG at fs/jbd2/transaction.c:321!
[ 128.013206] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 128.014033] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 soundcore mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 crypto_simd cryptd 8139cp glue_helper floppy mii pata_acpi
[ 128.022517] CPU: 0 PID: 1349 Comm: umount Not tainted 4.16.0-rc1+ #3
[ 128.023511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 128.025051] RIP: 0010:start_this_handle+0x427/0x770
[ 128.025823] RSP: 0018:ffff8801101b7990 EFLAGS: 00010202
[ 128.026661] RAX: 0000000000000000 RBX: ffff88010d80e600 RCX: ffffffff9f5280ee
[ 128.027777] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88010d80e600
[ 128.028892] RBP: ffff8801101b7a88 R08: 0000000000000016 R09: 00000000f6920cf8
[ 128.030037] R10: 000000006dbd2428 R11: ffffed0022036ed0 R12: ffff880034c3ad00
[ 128.031154] R13: 0000000000000039 R14: 0000000000000100 R15: ffff88010d80e624
[ 128.032265] FS: 00007fa06b656840(0000) GS:ffff880118200000(0000) knlGS:0000000000000000
[ 128.033525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 128.034441] CR2: 00005591cef19578 CR3: 0000000110a08000 CR4: 00000000000006f0
[ 128.035560] Call Trace:
[ 128.035967] ? jbd2_journal_destroy+0x2d5/0x430
[ 128.036686] ? jbd2_journal_free_reserved+0x60/0x60
[ 128.037485] ? kasan_kmalloc+0xad/0xe0
[ 128.038116] ? memcg_kmem_put_cache+0x1b/0x90
[ 128.038813] ? kmem_cache_alloc+0x16b/0x1d0
[ 128.039481] jbd2__journal_start+0x188/0x300
[ 128.040165] __ext4_journal_start_sb+0x89/0x180
[ 128.040895] ? ext4_evict_inode+0x3e6/0x9b0
[ 128.041566] ext4_evict_inode+0x3e6/0x9b0
[ 128.042229] ? ext4_da_write_begin+0x5e0/0x5e0
[ 128.042984] ? pde_put+0x57/0x70
[ 128.043539] evict+0x16f/0x290
[ 128.044056] iput+0x2ab/0x360
[ 128.044555] jbd2_journal_destroy+0x2ed/0x430
[ 128.045256] ? jbd2_mark_journal_empty+0xf0/0xf0
[ 128.046018] ? put_pwq+0x60/0x70
[ 128.046542] ? put_pwq_unlocked+0x2f/0x50
[ 128.047185] ? destroy_workqueue+0x288/0x2c0
[ 128.047863] ext4_put_super+0xc3/0x650
[ 128.048472] generic_shutdown_super+0xb9/0x1c0
[ 128.049182] kill_block_super+0x52/0x80
[ 128.049799] deactivate_locked_super+0x5e/0x90
[ 128.050523] deactivate_super+0x68/0x70
[ 128.051149] cleanup_mnt+0x61/0xa0
[ 128.051701] __cleanup_mnt+0x12/0x20
[ 128.052278] task_work_run+0xba/0xe0
[ 128.052868] exit_to_usermode_loop+0xf2/0x100
[ 128.053562] do_syscall_64+0x1c0/0x1f0
[ 128.054208] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 128.055023] RIP: 0033:0x7fa06af36487
[ 128.055622] RSP: 002b:00007ffea17e0428 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 128.056802] RAX: 0000000000000000 RBX: 0000000000a4e060 RCX: 00007fa06af36487
[ 128.057950] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000a55210
[ 128.059070] RBP: 0000000000a55210 R08: 0000000000000000 R09: 0000000000000014
[ 128.060190] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa06b43f83c
[ 128.061303] R13: 0000000000000000 R14: 0000000000a4e240 R15: 00007ffea17e06b0
[ 128.062432] Code: ff 4c 89 ef e8 ab 61 e4 ff 8b 53 2c 85 d2 75 dc 48 8b b5 28 ff ff ff 4c 89 f7 4c 8b a5 08 ff ff ff e8 8e 44 c1 ff e9 57 fd ff ff <0f> 0b b8 00 fe ff ff 3e 41 0f c1 07 48 8b 85 30 ff ff ff 41 be
[ 128.065395] RIP: start_this_handle+0x427/0x770 RSP: ffff8801101b7990
[ 128.066449] ---[ end trace dba765b9dd20747d ]---
[ 128.077442] ==================================================================
[ 128.078629] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170
[ 128.079747] Write of size 8 at addr ffff8801101b7d10 by task umount/1349
[ 128.081072] CPU: 0 PID: 1349 Comm: umount Tainted: G D 4.16.0-rc1+ #3
[ 128.082281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 128.083754] Call Trace:
[ 128.084166] dump_stack+0x63/0x8d
[ 128.084703] print_address_description+0x70/0x290
[ 128.085450] kasan_report+0x290/0x390
[ 128.086053] ? arch_tlb_gather_mmu+0x52/0x170
[ 128.086746] __asan_store8+0x57/0x90
[ 128.087317] arch_tlb_gather_mmu+0x52/0x170
[ 128.087980] tlb_gather_mmu+0x12/0x30
[ 128.088563] exit_mmap+0x102/0x280
[ 128.089107] ? SyS_munmap+0x30/0x30
[ 128.089672] ? exit_aio+0x98/0x1f0
[ 128.090232] ? do_io_submit+0x9d0/0x9d0
[ 128.090858] ? taskstats_exit+0x1f4/0x640
[ 128.091514] ? exit_robust_list+0x6b/0x120
[ 128.092177] ? mm_update_next_owner+0x72/0x320
[ 128.092892] mmput+0x7d/0x1a0
[ 128.093373] do_exit+0x410/0x1330
[ 128.093918] ? mm_update_next_owner+0x320/0x320
[ 128.094635] ? cleanup_mnt+0x61/0xa0
[ 128.095204] ? __cleanup_mnt+0x12/0x20
[ 128.095802] ? task_work_run+0xba/0xe0
[ 128.096401] ? exit_to_usermode_loop+0xf2/0x100
[ 128.097117] ? do_syscall_64+0x1c0/0x1f0
[ 128.097760] rewind_stack_do_exit+0x17/0x20
[ 128.098447] RIP: 0033:0x7fa06af36487
[ 128.099019] RSP: 002b:00007ffea17e0428 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 128.100197] RAX: 0000000000000000 RBX: 0000000000a4e060 RCX: 00007fa06af36487
[ 128.101305] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000a55210
[ 128.102427] RBP: 0000000000a55210 R08: 0000000000000000 R09: 0000000000000014
[ 128.103534] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa06b43f83c
[ 128.104642] R13: 0000000000000000 R14: 0000000000a4e240 R15: 00007ffea17e06b0
[ 128.106010] The buggy address belongs to the page:
[ 128.106784] page:ffffea0004406dc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 128.108037] flags: 0x2ffff0000000000()
[ 128.108646] raw: 02ffff0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 128.109854] raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
[ 128.111063] page dumped because: kasan: bad access detected
[ 128.112179] Memory state around the buggy address:
[ 128.112933] ffff8801101b7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 128.114062] ffff8801101b7c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 128.115180] >ffff8801101b7d00: 00 00 f3 00 00 00 00 00 00 00 00 00 00 f4 f4 f4
[ 128.116296] ^
[ 128.116891] ffff8801101b7d80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 128.118024] ffff8801101b7e00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
[ 128.119144] ==================================================================
- Location
https://elixir.bootlin.com/linux/latest/source/fs/jbd2/transaction.c#L321
BUG_ON(journal->j_flags & JBD2_UNMOUNT);
Reported by Wen Xu (wen.xu@...ech.edu) from SSLab at Gatech.
Thanks,
Wen
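As an added example, not code from this report or from the kernel tree: a small userspace validator that applies the same per-entry sanity checks ext4_readdir runs on each on-disk directory entry (the log's "rec_len is smaller than minimal" is the first of them) to a constructed directory block containing an entry with rec_len=0 and name_len=0, the shape the log above rejects. The block size, the inode count, the builder helper and the trailing inode-bound class are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define EXT4_DIR_REC_LEN(name_len) (((name_len) + 8 + 3) & ~3u)
#define BLOCKSIZE 1024 /* assumed block size of the constructed sample */
/* Error classes, in the order the checks run; the report's log shows the first one. */
enum dirent_err { DE_OK, DE_REC_LEN_MIN, DE_REC_LEN_ALIGN, DE_REC_LEN_NAME, DE_ACROSS, DE_INODE };
/* On-disk ext4_dir_entry_2 is little-endian: inode(4) rec_len(2) name_len(1) file_type(1) name[]. */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
/* Validate the entry at byte offset `off`; inodes_count plays the role of the superblock's s_inodes_count. */
static enum dirent_err check_dir_entry(const uint8_t *blk, size_t blocksize, size_t off, uint32_t inodes_count)
{
    if (off + EXT4_DIR_REC_LEN(0) > blocksize)  return DE_ACROSS;       /* header itself past the end */
    uint16_t rec_len = le16(blk + off + 4);
    uint8_t name_len = blk[off + 6];
    if (rec_len < EXT4_DIR_REC_LEN(1))          return DE_REC_LEN_MIN;  /* "rec_len is smaller than minimal" */
    if (rec_len % 4 != 0)                       return DE_REC_LEN_ALIGN;
    if (rec_len < EXT4_DIR_REC_LEN(name_len))   return DE_REC_LEN_NAME;
    if (off + rec_len > blocksize)              return DE_ACROSS;       /* entry would cross the block end */
    if (le32(blk + off) > inodes_count)         return DE_INODE;        /* inode number beyond the fs */
    return DE_OK;
}
/* Walk a block entry by entry; return the offset of the first bad entry, or -1 if all pass.
 * The minimal-rec_len test runs first, so a crafted rec_len of 0 cannot stall the walk. */
static long scan_dir_block(const uint8_t *blk, size_t blocksize, uint32_t inodes_count, enum dirent_err *err)
{
    for (size_t off = 0; off < blocksize; off += le16(blk + off + 4))
        if ((*err = check_dir_entry(blk, blocksize, off, inodes_count)) != DE_OK)
            return (long)off;
    *err = DE_OK;
    return -1;
}
/* Builder for the constructed sample: writes one entry (file_type 2 = directory) at `off`. */
static void put_entry(uint8_t *blk, size_t off, uint32_t inode, uint16_t rec_len, const char *name)
{
    uint8_t hdr[8] = { (uint8_t)inode, (uint8_t)(inode >> 8), (uint8_t)(inode >> 16), (uint8_t)(inode >> 24),
                       (uint8_t)rec_len, (uint8_t)(rec_len >> 8), (uint8_t)strlen(name), 2 };
    memcpy(blk + off, hdr, 8);
    memcpy(blk + off + 8, name, hdr[6]);
}
/* Constructed sample: valid "." and ".." followed by an entry with rec_len=0, name_len=0. */
static long sample_first_bad(enum dirent_err *err)
{
    static uint8_t blk[BLOCKSIZE];
    memset(blk, 0, sizeof blk);
    put_entry(blk, 0, 2, 12, ".");
    put_entry(blk, 12, 2, 12, "..");
    put_entry(blk, 24, 90, 0, "");
    return scan_dir_block(blk, BLOCKSIZE, 128, err); /* 128 = assumed s_inodes_count */
}
```

Running the sample reports the crafted third entry at offset 24 with the same class the kernel logged for the report's image; a block that passes every check returns -1.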