lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <trinity-c7a088d8-bb35-484e-bf27-dbd9a94a804c-1448959367092@3capp-webde-bs56>
Date:	Tue, 1 Dec 2015 09:42:47 +0100
From:	conchur@....de
To:	linux-btrfs@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org
Subject: btrfs: invalid stack access with Linux 4.3

Just got following with a a kernel with kasan enabled:

==================================================================
BUG: KASan: out of bounds on stack in setup_cluster_bitmap+0x8a4/0x9e0 [btrfs] at addr ffff8801cc73f488
Read of size 8 by task dpkg/2711
page:ffffea000731cfc0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x2ffff8000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 2711 Comm: dpkg Not tainted 4.3.0-trunk-amd64 #1 Debian 4.3-1~exp2
Hardware name: 
 ffff8801cc73f488 0000000048c7fce0 ffff8801cc73f288 ffffffff81907207
 ffff8801cc73f310 ffff8801cc73f300 ffffffff815509d8 ffff8800d470da28
 ffff8800d470d910 0000000000000292 4431e091688b0454 ffff8800d470d908
Call Trace:
 [<ffffffff81907207>] dump_stack+0x4b/0x64
 [<ffffffff815509d8>] kasan_report_error+0x3b8/0x3f0
 [<ffffffff81550bc1>] __asan_report_load8_noabort+0x61/0x70
 [<ffffffffa0bf81a4>] ? setup_cluster_bitmap+0x8a4/0x9e0 [btrfs]
 [<ffffffffa0bf81a4>] setup_cluster_bitmap+0x8a4/0x9e0 [btrfs]
 [<ffffffffa0bfdee6>] btrfs_find_space_cluster+0x6b6/0xaa0 [btrfs]
 [<ffffffffa0bfd830>] ? btrfs_alloc_from_cluster+0x880/0x880 [btrfs]
 [<ffffffff8224bdd7>] ? _raw_spin_unlock+0x27/0x40
 [<ffffffffa0afbc4e>] find_free_extent+0xeae/0x24d0 [btrfs]
 [<ffffffffa0afada0>] ? btrfs_delalloc_reserve_space+0x60/0x60 [btrfs]
 [<ffffffffa0ad1428>] ? get_alloc_profile+0x288/0x560 [btrfs]
 [<ffffffffa0afd392>] btrfs_reserve_extent+0x122/0x360 [btrfs]
 [<ffffffffa0afda0a>] btrfs_alloc_tree_block+0x43a/0xf60 [btrfs]
 [<ffffffff81242a13>] ? __lock_acquire+0x1583/0x5290
 [<ffffffffa0afd5d0>] ? btrfs_reserve_extent+0x360/0x360 [btrfs]
 [<ffffffff81550106>] ? memcpy+0x36/0x40
 [<ffffffffa0b98be1>] ? read_extent_buffer+0x101/0x230 [btrfs]
 [<ffffffffa0ab8ff0>] __btrfs_cow_block+0x3b0/0x1130 [btrfs]
 [<ffffffffa0bdda0e>] ? btrfs_tree_lock+0x2ce/0x6f0 [btrfs]
 [<ffffffffa0ab8c40>] ? update_ref_for_cow+0x9d0/0x9d0 [btrfs]
 [<ffffffffa0aba1aa>] btrfs_cow_block+0x28a/0x710 [btrfs]
 [<ffffffffa0ac4568>] btrfs_search_slot+0x4f8/0x1e50 [btrfs]
 [<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffffa0ac4070>] ? split_leaf+0x1550/0x1550 [btrfs]
 [<ffffffffa0ab6a88>] ? btrfs_alloc_path+0x38/0x50 [btrfs]
 [<ffffffff81292953>] ? rcu_read_lock_sched_held+0xa3/0x120
 [<ffffffff8154ad69>] ? kmem_cache_alloc+0x1a9/0x280
 [<ffffffffa0ab6a88>] ? btrfs_alloc_path+0x38/0x50 [btrfs]
 [<ffffffffa0b0571c>] btrfs_update_root+0xbc/0x810 [btrfs]
 [<ffffffff81240832>] ? mark_held_locks+0xd2/0x130
 [<ffffffffa0b05660>] ? btrfs_set_root_node+0x250/0x250 [btrfs]
 [<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffffa0bed1f6>] btrfs_sync_log+0x776/0x1ec0 [btrfs]
 [<ffffffffa0beca80>] ? btrfs_log_inode_parent+0x29a0/0x29a0 [btrfs]
 [<ffffffff822471cc>] ? __mutex_unlock_slowpath+0x17c/0x2f0
 [<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffffa0b730e5>] btrfs_sync_file+0x845/0x9f0 [btrfs]
 [<ffffffff81970440>] ? debug_object_active_state+0x370/0x370
 [<ffffffffa0b728a0>] ? start_ordered_ops+0x30/0x30 [btrfs]
 [<ffffffff81292953>] ? rcu_read_lock_sched_held+0xa3/0x120
 [<ffffffff815c1241>] ? putname+0xc1/0xf0
 [<ffffffffa0b728a0>] ? start_ordered_ops+0x30/0x30 [btrfs]
 [<ffffffff8162f1b2>] vfs_fsync_range+0xf2/0x290
 [<ffffffff812927a7>] ? debug_lockdep_rcu_enabled+0x77/0x90
 [<ffffffff815e77a9>] ? __fget_light+0x139/0x200
 [<ffffffff8162f3ad>] do_fsync+0x3d/0x70
 [<ffffffff8162fad0>] SyS_fsync+0x10/0x20
 [<ffffffff8224c936>] system_call_fast_compare_end+0xc/0x6c
Memory state around the buggy address:
 ffff8801cc73f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc73f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cc73f480: f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00
                      ^
 ffff8801cc73f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc73f580: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
==================================================================

The thing I did was:

sudo dpkg -i linux-kbuild-4.3_4.3\~rc5-1\~exp2_amd64.deb linux-compiler-gcc-5-x86_4.3-1\~exp2_amd64.deb linux-headers-4.3.0-trunk-amd64_4.3-1\~exp2_amd64.deb linux-headers-4.3.0-trunk-common_4.3-1\~exp2_amd64.deb

config of the Kernel is attached. The rest of the kernel sources can be found here but have to be build with the attached config to get the kasan kernel: 

dget http://snapshot.debian.org/archive/debian/20151106T162707Z/pool/main/l/linux/linux_4.3-1~exp1.dsc
Download attachment "config-4.3.0-trunk-amd64" of type "application/octet-stream" (172226 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ