Date:	Tue, 1 Dec 2015 09:42:47 +0100
From:	conchur@....de
To:	linux-btrfs@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org
Subject: btrfs: invalid stack access with Linux 4.3

Just got the following with a kernel with kasan enabled:

==================================================================
BUG: KASan: out of bounds on stack in setup_cluster_bitmap+0x8a4/0x9e0 [btrfs] at addr ffff8801cc73f488
Read of size 8 by task dpkg/2711
page:ffffea000731cfc0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x2ffff8000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 2711 Comm: dpkg Not tainted 4.3.0-trunk-amd64 #1 Debian 4.3-1~exp2
Hardware name: 
 ffff8801cc73f488 0000000048c7fce0 ffff8801cc73f288 ffffffff81907207
 ffff8801cc73f310 ffff8801cc73f300 ffffffff815509d8 ffff8800d470da28
 ffff8800d470d910 0000000000000292 4431e091688b0454 ffff8800d470d908
Call Trace:
 [<ffffffff81907207>] dump_stack+0x4b/0x64
 [<ffffffff815509d8>] kasan_report_error+0x3b8/0x3f0
 [<ffffffff81550bc1>] __asan_report_load8_noabort+0x61/0x70
 [<ffffffffa0bf81a4>] ? setup_cluster_bitmap+0x8a4/0x9e0 [btrfs]
 [<ffffffffa0bf81a4>] setup_cluster_bitmap+0x8a4/0x9e0 [btrfs]
 [<ffffffffa0bfdee6>] btrfs_find_space_cluster+0x6b6/0xaa0 [btrfs]
 [<ffffffffa0bfd830>] ? btrfs_alloc_from_cluster+0x880/0x880 [btrfs]
 [<ffffffff8224bdd7>] ? _raw_spin_unlock+0x27/0x40
 [<ffffffffa0afbc4e>] find_free_extent+0xeae/0x24d0 [btrfs]
 [<ffffffffa0afada0>] ? btrfs_delalloc_reserve_space+0x60/0x60 [btrfs]
 [<ffffffffa0ad1428>] ? get_alloc_profile+0x288/0x560 [btrfs]
 [<ffffffffa0afd392>] btrfs_reserve_extent+0x122/0x360 [btrfs]
 [<ffffffffa0afda0a>] btrfs_alloc_tree_block+0x43a/0xf60 [btrfs]
 [<ffffffff81242a13>] ? __lock_acquire+0x1583/0x5290
 [<ffffffffa0afd5d0>] ? btrfs_reserve_extent+0x360/0x360 [btrfs]
 [<ffffffff81550106>] ? memcpy+0x36/0x40
 [<ffffffffa0b98be1>] ? read_extent_buffer+0x101/0x230 [btrfs]
 [<ffffffffa0ab8ff0>] __btrfs_cow_block+0x3b0/0x1130 [btrfs]
 [<ffffffffa0bdda0e>] ? btrfs_tree_lock+0x2ce/0x6f0 [btrfs]
 [<ffffffffa0ab8c40>] ? update_ref_for_cow+0x9d0/0x9d0 [btrfs]
 [<ffffffffa0aba1aa>] btrfs_cow_block+0x28a/0x710 [btrfs]
 [<ffffffffa0ac4568>] btrfs_search_slot+0x4f8/0x1e50 [btrfs]
 [<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffffa0ac4070>] ? split_leaf+0x1550/0x1550 [btrfs]
 [<ffffffffa0ab6a88>] ? btrfs_alloc_path+0x38/0x50 [btrfs]
 [<ffffffff81292953>] ? rcu_read_lock_sched_held+0xa3/0x120
 [<ffffffff8154ad69>] ? kmem_cache_alloc+0x1a9/0x280
 [<ffffffffa0ab6a88>] ? btrfs_alloc_path+0x38/0x50 [btrfs]
 [<ffffffffa0b0571c>] btrfs_update_root+0xbc/0x810 [btrfs]
 [<ffffffff81240832>] ? mark_held_locks+0xd2/0x130
 [<ffffffffa0b05660>] ? btrfs_set_root_node+0x250/0x250 [btrfs]
 [<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffffa0bed1f6>] btrfs_sync_log+0x776/0x1ec0 [btrfs]
 [<ffffffffa0beca80>] ? btrfs_log_inode_parent+0x29a0/0x29a0 [btrfs]
 [<ffffffff822471cc>] ? __mutex_unlock_slowpath+0x17c/0x2f0
 [<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffffa0b730e5>] btrfs_sync_file+0x845/0x9f0 [btrfs]
 [<ffffffff81970440>] ? debug_object_active_state+0x370/0x370
 [<ffffffffa0b728a0>] ? start_ordered_ops+0x30/0x30 [btrfs]
 [<ffffffff81292953>] ? rcu_read_lock_sched_held+0xa3/0x120
 [<ffffffff815c1241>] ? putname+0xc1/0xf0
 [<ffffffffa0b728a0>] ? start_ordered_ops+0x30/0x30 [btrfs]
 [<ffffffff8162f1b2>] vfs_fsync_range+0xf2/0x290
 [<ffffffff812927a7>] ? debug_lockdep_rcu_enabled+0x77/0x90
 [<ffffffff815e77a9>] ? __fget_light+0x139/0x200
 [<ffffffff8162f3ad>] do_fsync+0x3d/0x70
 [<ffffffff8162fad0>] SyS_fsync+0x10/0x20
 [<ffffffff8224c936>] system_call_fast_compare_end+0xc/0x6c
Memory state around the buggy address:
 ffff8801cc73f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc73f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cc73f480: f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00
                      ^
 ffff8801cc73f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc73f580: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
==================================================================

The thing I did was:

sudo dpkg -i linux-kbuild-4.3_4.3\~rc5-1\~exp2_amd64.deb linux-compiler-gcc-5-x86_4.3-1\~exp2_amd64.deb linux-headers-4.3.0-trunk-amd64_4.3-1\~exp2_amd64.deb linux-headers-4.3.0-trunk-common_4.3-1\~exp2_amd64.deb

Config of the kernel is attached. The rest of the kernel sources can be found here but have to be built with the attached config to get the kasan kernel:

dget http://snapshot.debian.org/archive/debian/20151106T162707Z/pool/main/l/linux/linux_4.3-1~exp1.dsc
Download attachment "config-4.3.0-trunk-amd64" of type "application/octet-stream" (172226 bytes)
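The "Memory state around the buggy address" block in the report is KASAN's shadow memory: one shadow byte per 8 bytes of kernel memory, so each dumped row covers 128 bytes, and the poison values come from mm/kasan/kasan.h (0xf1 stack left redzone, 0xf2 mid, 0xf3 right, 0xf4 partial; 0x01..0x07 mean only that many leading bytes of the granule are valid). The following is an added example, not part of the report above and not kernel code, that parses the report text, maps the faulting 8-byte read at ffff8801cc73f488 onto its shadow byte and confirms that it lands in a stack left redzone, i.e. just below the live stack object marked `00 00` in the same row. It assumes the 4.x-era KASAN report format shown on this page; the report text embedded below is copied from the e-mail.

```python
import re

# KASAN shadow memory: one shadow byte describes an 8-byte granule of kernel
# memory (KASAN_SHADOW_SCALE_SHIFT == 3); a dumped row holds 16 shadow bytes,
# i.e. 128 bytes (0x80) of stack. Poison values as in mm/kasan/kasan.h (4.x).
GRANULE = 8
ROW_BYTES = 16 * GRANULE

POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "free page",
}

ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
BUG_RE = re.compile(r"at addr ([0-9a-f]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+)")

# Copied from the KASAN report in the e-mail above (header line, access line
# and the "Memory state" rows); everything else in the report is ignored.
REPORT = """\
BUG: KASan: out of bounds on stack in setup_cluster_bitmap+0x8a4/0x9e0 [btrfs] at addr ffff8801cc73f488
Read of size 8 by task dpkg/2711
Memory state around the buggy address:
 ffff8801cc73f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc73f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cc73f480: f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00
                      ^
 ffff8801cc73f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc73f580: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
"""


def classify(shadow):
    """Human-readable meaning of one shadow byte."""
    if shadow == 0:
        return "addressable"
    if 1 <= shadow < GRANULE:
        return f"partially addressable (first {shadow} bytes valid)"
    return POISON.get(shadow, f"unknown poison 0x{shadow:02x}")


def parse_report(text):
    """Return (address, size, kind, rows) for the bad access described in text.
    rows maps each dumped row's base kernel address to its 16 shadow bytes."""
    addr = int(BUG_RE.search(text).group(1), 16)
    kind, size = ACCESS_RE.search(text).groups()
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return addr, int(size), kind, rows


def check_access(rows, addr, size):
    """Walk every 8-byte granule touched by [addr, addr+size) and decide from
    its shadow byte whether that part of the access is legal.
    Returns a list of (granule_base, shadow_byte, meaning, bad)."""
    findings = []
    last = addr + size - 1
    for gran in range(addr // GRANULE, last // GRANULE + 1):
        base = gran * GRANULE
        row = base - base % ROW_BYTES
        shadow = rows.get(row, [None] * 16)[(base - row) // GRANULE]
        if shadow is None:
            bad, meaning = None, "not in dump"      # granule outside the dump
        elif shadow == 0:
            bad, meaning = False, classify(shadow)
        elif shadow < GRANULE:
            # only the first `shadow` bytes of this granule are valid
            bad = min(last, base + GRANULE - 1) - base >= shadow
            meaning = classify(shadow)
        else:
            bad, meaning = True, classify(shadow)
        findings.append((base, shadow, meaning, bad))
    return findings


def explain(text=REPORT):
    """Parse a report and return the granules the bad access touched."""
    addr, size, kind, rows = parse_report(text)
    return {"addr": addr, "size": size, "kind": kind,
            "findings": check_access(rows, addr, size)}


if __name__ == "__main__":
    r = explain()
    print(f"{r['kind']} of {r['size']} bytes at {r['addr']:#x}:")
    for base, shadow, meaning, bad in r["findings"]:
        print(f"  granule {base:#x}: shadow 0x{shadow:02x} -> {meaning}"
              f" ({'BAD' if bad else 'ok'})")
```

Running it on the embedded report prints one granule, ffff8801cc73f488, with shadow 0xf1 (stack left redzone), which is exactly where the caret in the dump points: the read sits 24 bytes before the two `00` granules at ffff8801cc73f4a0, so the code in setup_cluster_bitmap read below the start of a stack variable rather than past its end.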
