lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 25 Aug 2018 05:14:33 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 200933] New: Divide zero in __ext4_check_dir_entry

https://bugzilla.kernel.org/show_bug.cgi?id=200933

            Bug ID: 200933
           Summary: Divide zero in __ext4_check_dir_entry
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 278081
  --> https://bugzilla.kernel.org/attachment.cgi?id=278081&action=edit
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t ext4 17.img mnt
# gcc 17.c
# ./a.out ./mnt

- Kernel message
[ 6687.218549] EXT4-fs: Warning: mounting with data=journal disables delayed
allocation and O_DIRECT support!
[ 6687.289272] [EXT4 FS bs=1024, gc=2, bpg=8192, ipg=2048, mo=a002c41c,
mo2=0002]
[ 6687.289342] System zones: 1-2, 130-1157, 8193-8194
[ 6687.289710] EXT4-fs (loop0): mounted filesystem with journalled data mode.
Opts: (null)
[ 6705.578120] divide error: 0000 [#1] SMP KASAN PTI
[ 6705.579152] CPU: 1 PID: 1590 Comm: a.out Not tainted 4.18.0+ #9
[ 6705.580379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 6705.582323] RIP: 0010:__ext4_check_dir_entry+0x1aa/0x200
[ 6705.583411] Code: 18 e8 ca b1 e7 ff 48 8b 45 c8 31 d2 48 8b 75 c0 4d 89 f9
49 c7 c0 e0 95 94 a6 4c 89 e7 48 8b 48 18 8b 45 20 41 55 53 41 56 50 <f7> 75 18
52 8b 55 bc e8 6a 72 08 00 b8 01 00 00 00 48 83 c4 28 e9
[ 6705.587100] RSP: 0018:ffff8801f0ae7ac0 EFLAGS: 00010246
[ 6705.588177] RAX: 000000000000003c RBX: 000000000000000c RCX:
0000000000000286
[ 6705.589606] RDX: 0000000000000000 RSI: ffffffffa694cc00 RDI:
ffff8801d1e2b478
[ 6705.591027] RBP: ffff8801f0ae7b28 R08: ffffffffa69495e0 R09:
ffffffffa6949560
[ 6705.592458] R10: 0000000000000001 R11: ffffed003d690e36 R12:
ffff8801d1e2b478
[ 6705.593878] R13: 0000000000000004 R14: 0000000000000011 R15:
ffffffffa6949560
[ 6705.595306] FS:  00007f6837cae700(0000) GS:ffff8801f7100000(0000)
knlGS:0000000000000000
[ 6705.596934] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6705.598089] CR2: 00007f68377c0a90 CR3: 00000001e52c4000 CR4:
00000000000006e0
[ 6705.599538] Call Trace:
[ 6705.600070]  empty_inline_dir+0x22c/0x420
[ 6705.600897]  ? ext4_delete_inline_entry+0x300/0x300
[ 6705.601888]  ? __dquot_initialize+0xeb/0x5d0
[ 6705.602776]  ? unlazy_walk+0xb8/0x150
[ 6705.603543]  ext4_empty_dir+0x1dd/0x420
[ 6705.604344]  ? apparmor_file_receive+0x80/0x80
[ 6705.605245]  ? ext4_mkdir+0x6b0/0x6b0
[ 6705.606001]  ext4_rmdir+0x1c2/0x750
[ 6705.606719]  ? ext4_rename2+0x100/0x100
[ 6705.607529]  ? lockref_get_not_dead+0x160/0x160
[ 6705.608451]  ? may_delete+0x206/0x2b0
[ 6705.609201]  vfs_rmdir+0x104/0x1b0
[ 6705.609902]  do_rmdir+0x308/0x330
[ 6705.610587]  ? __ia32_sys_mkdir+0x40/0x40
[ 6705.611424]  ? do_faccessat+0x303/0x390
[ 6705.612212]  ? __ia32_sys_fallocate+0x60/0x60
[ 6705.613104]  ? getname_flags+0x110/0x2c0
[ 6705.613910]  __x64_sys_rmdir+0x24/0x30
[ 6705.614684]  do_syscall_64+0x78/0x170
[ 6705.615457]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6705.616489] RIP: 0033:0x7f68377ca4d9
[ 6705.617223] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 6705.620927] RSP: 002b:00007ffe90ddedd8 EFLAGS: 00000286 ORIG_RAX:
0000000000000054
[ 6705.622442] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007f68377ca4d9
[ 6705.623872] RDX: ffffffffffffff98 RSI: 00007f68377ca4d9 RDI:
00007ffe90ddee20
[ 6705.625294] RBP: 00007ffe90de0ed0 R08: 00007ffe90de0fb8 R09:
00007ffe90de0fb8
[ 6705.626721] R10: 00007ffe90de0fb8 R11: 0000000000000286 R12:
0000000000400530
[ 6705.628156] R13: 00007ffe90de0fb0 R14: 0000000000000000 R15:
0000000000000000
[ 6705.629591] Modules linked in: snd_hda_codec_generic snd_hda_intel
snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore mac_hid
i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi
scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy
async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl
drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm
crct10dif_pclmul crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd
glue_helper 8139cp mii pata_acpi floppy
[ 6705.640196] ---[ end trace 754084f7e4b34756 ]---
[ 6705.641206] RIP: 0010:__ext4_check_dir_entry+0x1aa/0x200
[ 6705.642309] Code: 18 e8 ca b1 e7 ff 48 8b 45 c8 31 d2 48 8b 75 c0 4d 89 f9
49 c7 c0 e0 95 94 a6 4c 89 e7 48 8b 48 18 8b 45 20 41 55 53 41 56 50 <f7> 75 18
52 8b 55 bc e8 6a 72 08 00 b8 01 00 00 00 48 83 c4 28 e9
[ 6705.647143] RSP: 0018:ffff8801f0ae7ac0 EFLAGS: 00010246
[ 6705.648662] RAX: 000000000000003c RBX: 000000000000000c RCX:
0000000000000286
[ 6705.650450] RDX: 0000000000000000 RSI: ffffffffa694cc00 RDI:
ffff8801d1e2b478
[ 6705.652001] RBP: ffff8801f0ae7b28 R08: ffffffffa69495e0 R09:
ffffffffa6949560
[ 6705.653462] R10: 0000000000000001 R11: ffffed003d690e36 R12:
ffff8801d1e2b478
[ 6705.654909] R13: 0000000000000004 R14: 0000000000000011 R15:
ffffffffa6949560
[ 6705.656394] FS:  00007f6837cae700(0000) GS:ffff8801f7100000(0000)
knlGS:0000000000000000
[ 6705.658025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6705.659188] CR2: 00007f68377c0a90 CR3: 00000001e52c4000 CR4:
00000000000006e0
[ 6705.660691]
==================================================================
[ 6705.662169] BUG: KASAN: stack-out-of-bounds in
arch_tlb_gather_mmu+0x21/0x170
[ 6705.663613] Write of size 8 at addr ffff8801f0ae7bc8 by task a.out/1590

[ 6705.665277] CPU: 1 PID: 1590 Comm: a.out Tainted: G      D           4.18.0+
#9
[ 6705.666751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 6705.681196] Call Trace:
[ 6705.681780]  dump_stack+0x7b/0xb5
[ 6705.682469]  print_address_description+0x70/0x290
[ 6705.683439]  kasan_report+0x291/0x390
[ 6705.684193]  ? arch_tlb_gather_mmu+0x21/0x170
[ 6705.685074]  __asan_store8+0x57/0x90
[ 6705.685808]  arch_tlb_gather_mmu+0x21/0x170
[ 6705.686660]  tlb_gather_mmu+0x12/0x40
[ 6705.687431]  free_ldt_pgtables.part.2+0x90/0x110
[ 6705.688372]  ? map_ldt_struct+0x4d0/0x4d0
[ 6705.689202]  ? run_rebalance_domains+0x170/0x170
[ 6705.690136]  ? ext4_empty_dir+0x1dd/0x420
[ 6705.690959]  ? __schedule+0x701/0xd90
[ 6705.691811]  free_ldt_pgtables+0x13/0x20
[ 6705.692616]  ldt_arch_exit_mmap+0xe/0x10
[ 6705.693421]  exit_mmap+0xeb/0x290
[ 6705.694101]  ? __ia32_sys_munmap+0x50/0x50
[ 6705.694937]  ? ext4_rmdir+0x1c2/0x750
[ 6705.695704]  ? exit_aio+0x98/0x230
[ 6705.696406]  ? __x32_compat_sys_io_submit+0x260/0x260
[ 6705.697445]  ? taskstats_exit+0x1f4/0x640
[ 6705.698267]  ? kasan_check_read+0x11/0x20
[ 6705.699085]  ? mm_update_next_owner+0x322/0x380
[ 6705.700017]  mmput+0x8b/0x1d0
[ 6705.700633]  do_exit+0x472/0x13c0
[ 6705.701318]  ? mm_update_next_owner+0x380/0x380
[ 6705.702243]  ? __ia32_sys_fallocate+0x60/0x60
[ 6705.703127]  ? getname_flags+0x110/0x2c0
[ 6705.703943]  ? __x64_sys_rmdir+0x24/0x30
[ 6705.704749]  rewind_stack_do_exit+0x17/0x20
[ 6705.705619] RIP: 0033:0x7f68377ca4d9
[ 6705.706358] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 6705.710080] RSP: 002b:00007ffe90ddedd8 EFLAGS: 00000286 ORIG_RAX:
0000000000000054
[ 6705.711602] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007f68377ca4d9
[ 6705.713025] RDX: ffffffffffffff98 RSI: 00007f68377ca4d9 RDI:
00007ffe90ddee20
[ 6705.714452] RBP: 00007ffe90de0ed0 R08: 00007ffe90de0fb8 R09:
00007ffe90de0fb8
[ 6705.715890] R10: 00007ffe90de0fb8 R11: 0000000000000286 R12:
0000000000400530
[ 6705.717313] R13: 00007ffe90de0fb0 R14: 0000000000000000 R15:
0000000000000000

[ 6705.719070] The buggy address belongs to the page:
[ 6705.720063] page:ffffea0007c2b9c0 count:0 mapcount:0
mapping:0000000000000000 index:0x0
[ 6705.721663] flags: 0x2ffff0000000000()
[ 6705.722424] raw: 02ffff0000000000 0000000000000000 ffffea0007c2b988
0000000000000000
[ 6705.723977] raw: 0000000000000000 0000000000000000 00000000ffffffff
0000000000000000
[ 6705.725517] page dumped because: kasan: bad access detected

[ 6705.726953] Memory state around the buggy address:
[ 6705.727933]  ffff8801f0ae7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[ 6705.729388]  ffff8801f0ae7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[ 6705.730828] >ffff8801f0ae7b80: 00 f1 f1 f1 f1 f1 f1 f1 f1 f3 f3 00 00 00 00
00
[ 6705.732277]                                               ^
[ 6705.733397]  ffff8801f0ae7c00: 00 00 00 00 00 00 00 00 00 00 f4 f4 f4 f3 f3
f3
[ 6705.734852]  ffff8801f0ae7c80: f3 f4 f3 f3 f3 f3 00 00 f1 f1 f1 f1 00 00 00
00
[ 6705.736325]
==================================================================

Reported by Wen Xu (wen.xu@...ech.edu) from SSLab

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ