Message-ID: <bug-200093-13602@https.bugzilla.kernel.org/>
Date: Sat, 16 Jun 2018 15:54:50 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 200093] New: JBD2 unexpected failure when mounting and
operating a crafted ext4 image
https://bugzilla.kernel.org/show_bug.cgi?id=200093
Bug ID: 200093
Summary: JBD2 unexpected failure when mounting and operating a
crafted ext4 image
Product: File System
Version: 2.5
Kernel Version: 4.17
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@...nel-bugs.osdl.org
Reporter: wen.xu@...ech.edu
Regression: No
Created attachment 276601
--> https://bugzilla.kernel.org/attachment.cgi?id=276601&action=edit
The (compressed) crafted image which causes crash
- Reproduce
# mkdir mnt
# mount -t ext4 274.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
- Kernel message
[ 122.880706] EXT4-fs error (device loop0): ext4_orphan_get:1249: comm mount:
bad orphan inode 1263225600
[ 122.906475] EXT4-fs (loop0): recovery complete
[ 122.906491] EXT4-fs (loop0): mounted filesystem with ordered data mode.
Opts: (null)
[ 126.432320] EXT4-fs error (device loop0): ext4_init_inode_table:1393: comm
ext4lazyinit: Something is wrong with group 0: used itable blocks: -467; itable
unused count: 1935
[ 126.833478] EXT4-fs error (device loop0): htree_dirblock_to_tree:1006: inode
#2: block 35: comm a.out: bad entry in directory: inode out of bounds -
offset=152(152), inode=32767, rec_len=12, name_len=1
[ 126.955839] EXT4-fs error (device loop0): ext4_map_blocks:592: inode #14:
block 16768512: comm a.out: lblock 0 mapped to illegal pblock 16768512 (length
1)
[ 126.978875] EXT4-fs error (device loop0): ext4_clear_blocks:849: inode #14:
comm a.out: attempt to clear invalid blocks 16768512 len 1
[ 127.001293] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group
1, block bitmap and bg descriptor inconsistent: 512 vs 28 free clusters
[ 127.004406] EXT4-fs error (device loop0): ext4_free_data:972: inode #14:
comm a.out: circular indirect block detected at block 19
[ 127.037615] JBD2 unexpected failure: jbd2_journal_revoke:
!buffer_revoked(bh); <--
[ 127.039074] inconsistent data on disk <--
[ 127.039823] EXT4-fs: ext4_free_blocks:4805: aborting transaction: IO failure
in __ext4_forget
[ 127.066117] EXT4-fs error (device loop0): ext4_free_blocks:4805: error -5
when attempting revoke
[ 127.067876] EXT4-fs (loop0): Remounting filesystem read-only
[ 127.069081] Aborting journal on device loop0-8.
[ 127.120840] EXT4-fs error (device loop0): ext4_mb_free_metadata:4684: group
0, block 19:Block already on to-be-freed list
[ 127.123048] EXT4-fs error (device loop0) in ext4_free_blocks:4962: Journal
has aborted
[ 127.144847] EXT4-fs error (device loop0) in ext4_orphan_del:2899: Journal
has aborted
[ 127.165785] EXT4-fs error (device loop0) in ext4_do_update_inode:5273:
Journal has aborted
- Location
https://elixir.bootlin.com/linux/latest/source/fs/jbd2/revoke.c#L374
Reported by Wen Xu from SSLab at Gatech.
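
Added example, not part of the original report or of any kernel tooling: a small triage helper for logs like the one quoted above. It rejoins the mail-wrapped dmesg records, collects the EXT4-fs errors logged before the journal abort, and picks out the failed JBD2 check. The names SAMPLE, unwrap and triage are made up for this sketch; SAMPLE is an excerpt of the log in the report. Treating post-abort errors as fallout is a heuristic assumed here.

```python
import re

# Excerpt of the kernel messages quoted in the report, still mail-wrapped.
SAMPLE = """\
[ 122.880706] EXT4-fs error (device loop0): ext4_orphan_get:1249: comm mount:
bad orphan inode 1263225600
[ 127.004406] EXT4-fs error (device loop0): ext4_free_data:972: inode #14:
comm a.out: circular indirect block detected at block 19
[ 127.037615] JBD2 unexpected failure: jbd2_journal_revoke:
!buffer_revoked(bh); <--
[ 127.066117] EXT4-fs error (device loop0): ext4_free_blocks:4805: error -5
when attempting revoke
[ 127.067876] EXT4-fs (loop0): Remounting filesystem read-only
[ 127.069081] Aborting journal on device loop0-8.
[ 127.123048] EXT4-fs error (device loop0) in ext4_free_blocks:4962: Journal
has aborted
"""

STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
EXT4_ERR = re.compile(r"EXT4-fs error \(device \S+?\)(?::| in) (\w+):(\d+): (.*)")
JBD2_FAIL = re.compile(r"JBD2 unexpected failure: (\w+): (\S+?);")

def unwrap(text):
    """Rejoin continuation lines (no leading [timestamp]) onto their record."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([float(m.group(1)), m.group(2).strip()])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return records

def triage(text):
    """Collect ext4 errors seen before the journal abort, plus the JBD2 check."""
    out = {"errors": [], "jbd2": None, "aborted_at": None, "readonly": False}
    for ts, msg in unwrap(text):
        if m := EXT4_ERR.search(msg):
            # Heuristic: errors logged after the abort are fallout, not causes.
            if out["aborted_at"] is None:
                out["errors"].append((ts, m.group(1), int(m.group(2)), m.group(3)))
        elif m := JBD2_FAIL.search(msg):
            out["jbd2"] = (ts, m.group(1), m.group(2))
        elif msg.startswith("Aborting journal on device"):
            out["aborted_at"] = ts
        elif "Remounting filesystem read-only" in msg:
            out["readonly"] = True
    return out
```

Calling triage(SAMPLE) returns the three pre-abort errors in order, the jbd2_journal_revoke check that failed, and the abort timestamp.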