[Bug 199179] New: Invalid pointer reference when mounting crafted ext4 image in ext4_process_freed_data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.kernel.org/show_bug.cgi?id=199179

            Bug ID: 199179
           Summary: Invalid pointer reference when mounting crafted ext4
                    image in ext4_process_freed_data
           Product: File System
           Version: 2.5
    Kernel Version: 4.15.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 274875
  --> https://bugzilla.kernel.org/attachment.cgi?id=274875&action=edit
The crafted image which causes kernel panic

- Overview
Invalid pointer deference happen when mounting the crafted image.

- Reproduce
Needs kernel 4.15 (also successful on 4.10)
$ mkdir mnt
$ sudo mount -t ext4 83.img mnt

- Reason
https://elixir.bootlin.com/linux/v4.15/source/fs/ext4/mballoc.c#L2874
entry can be NULL, which means a list node points to NULL. 
Perhaps a use-after-free bug?

- Kernel dump
[  329.292108] EXT4-fs (loop0): barriers disabled
[  329.292247] JBD2: Clearing recovery information on journal
[  329.293613] EXT4-fs (loop0): corrupt root inode, run e2fsck
[  329.293727] EXT4-fs error (device loop0): ext4_free_inode:308: comm mount:
reserved or nonexistent inode 2
[  329.294052] EXT4-fs (loop0): mount failed
[  329.295260] BUG: unable to handle kernel NULL pointer dereference at
0000000000000034
[  329.295290] IP: ext4_process_freed_data+0x68/0x4d0
[  329.295304] PGD 0 P4D 0
[  329.295314] Oops: 0000 [#1] SMP PTI
[  329.295325] Modules linked in: vmw_balloon coretemp intel_rapl_perf
input_leds joydev serio_raw snd_ens1371 btusb snd_ac97_codec uvcvideo btrtl
videobuf2_vmalloc btbcm btintel gameport snd_rawmidi videobuf2_memops bluetooth
videobuf2_v4l2 videobuf2_core snd_seq_device ac97_bus snd_pcm videodev media
ecdh_generic snd_timer snd soundcore shpchp mac_hid vmw_vsock_vmci_transport
vsock vmw_vmci sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp
libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs
zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid
hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel
aes_x86_64 crypto_simd glue_helper cryptd vmwgfx
[  329.295661]  psmouse ttm drm_kms_helper mptspi mptscsih ahci libahci e1000
mptbase scsi_transport_spi syscopyarea sysfillrect sysimgblt fb_sys_fops drm
i2c_piix4 pata_acpi
[  329.295712] CPU: 0 PID: 1112 Comm: mount Not tainted 4.15.0-12-generic
#13-Ubuntu
[  329.295732] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[  329.295763] RIP: 0010:ext4_process_freed_data+0x68/0x4d0
[  329.295778] RSP: 0018:ffffb907416e39d0 EFLAGS: 00010207
[  329.295794] RAX: 0000000000000000 RBX: ffff8b4bb91a1800 RCX:
ffff8b4bb91a4aa0
[  329.295813] RDX: 0000000000000001 RSI: 0000000000000000 RDI:
ffff8b4bb91a4a80
[  329.295832] RBP: ffffb907416e3a58 R08: 0000000000000000 R09:
ffff8b4bb8dc9d88
[  329.295852] R10: 0000000000000228 R11: 00000000000001b0 R12:
0000000000000006
[  329.295872] R13: ffff8b4bb91a4800 R14: ffffb907416e39e0 R15:
ffff8b4bb91a4a80
[  329.295891] FS:  00007fbd17943080(0000) GS:ffff8b4bbc600000(0000)
knlGS:0000000000000000
[  329.295913] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  329.295929] CR2: 0000000000000034 CR3: 000000003686e004 CR4:
00000000001606f0
[  329.295991] Call Trace:
[  329.296005]  ? __set_page_dirty+0x9b/0xc0
[  329.296624]  ext4_journal_commit_callback+0x4d/0xd0
[  329.297198]  jbd2_journal_commit_transaction+0x1531/0x1720
[  329.297772]  jbd2_journal_destroy+0xdd/0x2a0
[  329.298362]  ? jbd2_journal_destroy+0xdd/0x2a0
[  329.298910]  ? wait_woken+0x80/0x80
[  329.299408]  ext4_fill_super+0x1cb9/0x2fb0
[  329.299890]  ? snprintf+0x45/0x70
[  329.300360]  mount_bdev+0x248/0x290
[  329.300833]  ? ext4_calculate_overhead+0x490/0x490
[  329.301260]  ? mount_bdev+0x248/0x290
[  329.301684]  ? ext4_calculate_overhead+0x490/0x490
[  329.302100]  ext4_mount+0x15/0x20
[  329.302515]  mount_fs+0x37/0x150
[  329.302907]  ? alloc_vfsmnt+0x1b3/0x230
[  329.303302]  vfs_kern_mount.part.23+0x5d/0x110
[  329.303685]  do_mount+0x5ed/0xcf0
[  329.304057]  ? memdup_user+0x4f/0x80
[  329.304418]  SyS_mount+0x98/0xe0
[  329.304768]  do_syscall_64+0x73/0x130
[  329.305110]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  329.305438] RIP: 0033:0x7fbd172073ca
[  329.305752] RSP: 002b:00007ffde39c6a08 EFLAGS: 00000202 ORIG_RAX:
00000000000000a5
[  329.306154] RAX: ffffffffffffffda RBX: 000055d22d08ca40 RCX:
00007fbd172073ca
[  329.306556] RDX: 000055d22d08cc20 RSI: 000055d22d08e940 RDI:
000055d22d095fe0
[  329.306951] RBP: 0000000000000000 R08: 0000000000000000 R09:
000055d22d08cc40
[  329.307408] R10: 00000000c0ed0000 R11: 0000000000000202 R12:
000055d22d095fe0
[  329.307717] R13: 000055d22d08cc20 R14: 0000000000000000 R15:
00007fbd177288a4
[  329.307987] Code: c0 4c 89 75 90 4c 89 75 88 4d 8d bd 80 02 00 00 4c 89 ff
e8 cb 8e 66 00 49 8b b5 a0 02 00 00 49 8d 8d a0 02 00 00 48 39 ce 74 7b <44> 3b
66 34 75 75 48 89 f7 48 89 f2 eb 09 44 39 62 34 75 0b 48
[  329.308923] RIP: ext4_process_freed_data+0x68/0x4d0 RSP: ffffb907416e39d0
[  329.309365] CR2: 0000000000000034
[  329.309812] ---[ end trace 1ecf08f3cdf242f0 ]---

- Download

-- 
You are receiving this mail because:
You are watching the assignee of the bug.



[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux