lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1499939521.5335.11.camel@abdul.in.ibm.com>
Date:   Thu, 13 Jul 2017 15:22:01 +0530
From:   Abdul Haleem <abdhalee@...ux.vnet.ibm.com>
To:     linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>
Cc:     linux-kernel <linux-kernel@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org,
        sachinp <sachinp@...ux.vnet.ibm.com>,
        chandan <chandan@...ux.vnet.ibm.com>, viro@...iv.linux.org.uk
Subject: [mainline][ext2] fsfuzzer triggered WARNING: CPU: 1 PID: 72688 at
 fs/super.c:1244 mount_fs+0x200/0x220

Hi,

WARN() is being triggered when running fsfuzzer for ext2 file system on
powerpc machine running 4.12.0-rc1 kernel.

Machine : Power 8 bare-metal
Kernel :  4.12.0-rc1
gcc : 4.8.5
Test: fsfuzzer (https://github.com/stevegrubb/fsfuzzer)

trace:
-----
./run_test ext2 10
ext2 set sb->s_maxbytes to negative value (-537001984)
------------[ cut here ]------------
WARNING: CPU: 1 PID: 72688 at fs/super.c:1244 mount_fs+0x200/0x220
Modules linked in: cramfs iptable_mangle ipt_MASQUERADE
nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4
nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4
xt_tcpudp tun bridge stp llc kvm_hv kvm iptable_filter vmx_crypto
ipmi_powernv ipmi_devintf ipmi_msghandler powernv_rng leds_powernv
led_class rng_core powernv_op_panel binfmt_misc nfsd ip_tables x_tables
autofs4
CPU: 1 PID: 72688 Comm: mount Tainted: G        W       4.12.0-rc1-autotest #2
task: c0000007f3bb9d00 task.stack: c0000007f04cc000
NIP: c0000000002dbf60 LR: c0000000002dbf5c CTR: c0000000006e09e0
REGS: c0000007f04cf990 TRAP: 0700   Tainted: G        W        (4.12.0-rc1-autotest)
MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>
 CR: 22022822  XER: 20000000
CFAR: c0000000009a8868 SOFTE: 1 #012GPR00: c0000000002dbf5c
c0000007f04cfc10 c000000001050300 0000000000000036 #012GPR04:
c0000007ff54ada0 c0000007ff561838 0000000000000000 ffffffffffffffff
#012GPR08: 0000000000000000 c000000000d31664 00000007fe820000
9000000002803003 #012GPR12: 0000000000002200 c00000000fd40580
0000000032d09198 0000000032d09188 #012GPR16: 0000000032d079dc
ffffffffffffffff 0000000000000000 0000000032d050a0 #012GPR20:
0000010002b31290 0000000000000000 00000000c0ed0000 00007fffaa291efc
#012GPR24: 0000000000000000 0000000000000000 0000000000000000
0000000000000000 #012GPR28: 0000000000000000 c0000007bab9cfc0
c000000000fcead0 c0000007e236a000
NIP [c0000000002dbf60] mount_fs+0x200/0x220
LR [c0000000002dbf5c] mount_fs+0x1fc/0x220
Call Trace:
[c0000007f04cfc10] [c0000000002dbf5c] mount_fs+0x1fc/0x220 (unreliable)
[c0000007f04cfcc0] [c0000000003032cc] vfs_kern_mount+0x5c/0x180
[c0000007f04cfd10] [c000000000307c48] do_mount+0x278/0xee0
[c0000007f04cfde0] [c000000000308cb4] SyS_mount+0x94/0x100
[c0000007f04cfe30] [c00000000000b7e0] system_call+0x38/0xfc
Instruction dump:
4182fe84 4bffff70 60000000 60420000 3b800000 3b400000 4bfffe6c e89e0000
3c62ffb6 3863a5f0 486cc8d1 60000000 <0fe00000> 4bfffedc 60000000
60000000
---[ end trace 94263d5270c2cf71 ]---


from file fs/super.c in function mount_fs() a WARN() is being triggered.

   error = security_sb_kern_mount(sb, flags, secdata);
    if (error)
        goto out_sb;

    /*
     * filesystems should never set s_maxbytes larger than
MAX_LFS_FILESIZE
     * but s_maxbytes was an unsigned long long for many releases. Throw
     * this warning for a little while to try and catch filesystems that
     * violate this rule.
     */
>>> WARN((sb->s_maxbytes < 0), "%s set sb->s_maxbytes to "
        "negative value (%lld)\n", type->name, sb->s_maxbytes);

    up_write(&sb->s_umount);
    free_secdata(secdata);
    return root;

-- 
Regard's

Abdul Haleem
IBM Linux Technology Centre



View attachment "Tul-NV-config" of type "text/plain" (86717 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ