https://bugzilla.kernel.org/show_bug.cgi?id=200933

            Bug ID: 200933
           Summary: Divide zero in __ext4_check_dir_entry
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 278081
  --> https://bugzilla.kernel.org/attachment.cgi?id=278081&action=edit
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t ext4 17.img mnt
# gcc 17.c
# ./a.out ./mnt

- Kernel message
[ 6687.218549] EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support!
[ 6687.289272] [EXT4 FS bs=1024, gc=2, bpg=8192, ipg=2048, mo=a002c41c, mo2=0002]
[ 6687.289342] System zones: 1-2, 130-1157, 8193-8194
[ 6687.289710] EXT4-fs (loop0): mounted filesystem with journalled data mode. Opts: (null)
[ 6705.578120] divide error: 0000 [#1] SMP KASAN PTI
[ 6705.579152] CPU: 1 PID: 1590 Comm: a.out Not tainted 4.18.0+ #9
[ 6705.580379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 6705.582323] RIP: 0010:__ext4_check_dir_entry+0x1aa/0x200
[ 6705.583411] Code: 18 e8 ca b1 e7 ff 48 8b 45 c8 31 d2 48 8b 75 c0 4d 89 f9 49 c7 c0 e0 95 94 a6 4c 89 e7 48 8b 48 18 8b 45 20 41 55 53 41 56 50 <f7> 75 18 52 8b 55 bc e8 6a 72 08 00 b8 01 00 00 00 48 83 c4 28 e9
[ 6705.587100] RSP: 0018:ffff8801f0ae7ac0 EFLAGS: 00010246
[ 6705.588177] RAX: 000000000000003c RBX: 000000000000000c RCX: 0000000000000286
[ 6705.589606] RDX: 0000000000000000 RSI: ffffffffa694cc00 RDI: ffff8801d1e2b478
[ 6705.591027] RBP: ffff8801f0ae7b28 R08: ffffffffa69495e0 R09: ffffffffa6949560
[ 6705.592458] R10: 0000000000000001 R11: ffffed003d690e36 R12: ffff8801d1e2b478
[ 6705.593878] R13: 0000000000000004 R14: 0000000000000011 R15: ffffffffa6949560
[ 6705.595306] FS:  00007f6837cae700(0000) GS:ffff8801f7100000(0000) knlGS:0000000000000000
[ 6705.596934] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6705.598089] CR2: 00007f68377c0a90 CR3: 00000001e52c4000 CR4: 00000000000006e0
[ 6705.599538] Call Trace:
[ 6705.600070]  empty_inline_dir+0x22c/0x420
[ 6705.600897]  ? ext4_delete_inline_entry+0x300/0x300
[ 6705.601888]  ? __dquot_initialize+0xeb/0x5d0
[ 6705.602776]  ? unlazy_walk+0xb8/0x150
[ 6705.603543]  ext4_empty_dir+0x1dd/0x420
[ 6705.604344]  ? apparmor_file_receive+0x80/0x80
[ 6705.605245]  ? ext4_mkdir+0x6b0/0x6b0
[ 6705.606001]  ext4_rmdir+0x1c2/0x750
[ 6705.606719]  ? ext4_rename2+0x100/0x100
[ 6705.607529]  ? lockref_get_not_dead+0x160/0x160
[ 6705.608451]  ? may_delete+0x206/0x2b0
[ 6705.609201]  vfs_rmdir+0x104/0x1b0
[ 6705.609902]  do_rmdir+0x308/0x330
[ 6705.610587]  ? __ia32_sys_mkdir+0x40/0x40
[ 6705.611424]  ? do_faccessat+0x303/0x390
[ 6705.612212]  ? __ia32_sys_fallocate+0x60/0x60
[ 6705.613104]  ? getname_flags+0x110/0x2c0
[ 6705.613910]  __x64_sys_rmdir+0x24/0x30
[ 6705.614684]  do_syscall_64+0x78/0x170
[ 6705.615457]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6705.616489] RIP: 0033:0x7f68377ca4d9
[ 6705.617223] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 6705.620927] RSP: 002b:00007ffe90ddedd8 EFLAGS: 00000286 ORIG_RAX: 0000000000000054
[ 6705.622442] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f68377ca4d9
[ 6705.623872] RDX: ffffffffffffff98 RSI: 00007f68377ca4d9 RDI: 00007ffe90ddee20
[ 6705.625294] RBP: 00007ffe90de0ed0 R08: 00007ffe90de0fb8 R09: 00007ffe90de0fb8
[ 6705.626721] R10: 00007ffe90de0fb8 R11: 0000000000000286 R12: 0000000000400530
[ 6705.628156] R13: 00007ffe90de0fb0 R14: 0000000000000000 R15: 0000000000000000
[ 6705.629591] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crct10dif_pclmul crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 6705.640196] ---[ end trace 754084f7e4b34756 ]---
[ 6705.641206] RIP: 0010:__ext4_check_dir_entry+0x1aa/0x200
[ 6705.642309] Code: 18 e8 ca b1 e7 ff 48 8b 45 c8 31 d2 48 8b 75 c0 4d 89 f9 49 c7 c0 e0 95 94 a6 4c 89 e7 48 8b 48 18 8b 45 20 41 55 53 41 56 50 <f7> 75 18 52 8b 55 bc e8 6a 72 08 00 b8 01 00 00 00 48 83 c4 28 e9
[ 6705.647143] RSP: 0018:ffff8801f0ae7ac0 EFLAGS: 00010246
[ 6705.648662] RAX: 000000000000003c RBX: 000000000000000c RCX: 0000000000000286
[ 6705.650450] RDX: 0000000000000000 RSI: ffffffffa694cc00 RDI: ffff8801d1e2b478
[ 6705.652001] RBP: ffff8801f0ae7b28 R08: ffffffffa69495e0 R09: ffffffffa6949560
[ 6705.653462] R10: 0000000000000001 R11: ffffed003d690e36 R12: ffff8801d1e2b478
[ 6705.654909] R13: 0000000000000004 R14: 0000000000000011 R15: ffffffffa6949560
[ 6705.656394] FS:  00007f6837cae700(0000) GS:ffff8801f7100000(0000) knlGS:0000000000000000
[ 6705.658025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6705.659188] CR2: 00007f68377c0a90 CR3: 00000001e52c4000 CR4: 00000000000006e0
[ 6705.660691] ==================================================================
[ 6705.662169] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x21/0x170
[ 6705.663613] Write of size 8 at addr ffff8801f0ae7bc8 by task a.out/1590
[ 6705.665277] CPU: 1 PID: 1590 Comm: a.out Tainted: G      D           4.18.0+ #9
[ 6705.666751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 6705.681196] Call Trace:
[ 6705.681780]  dump_stack+0x7b/0xb5
[ 6705.682469]  print_address_description+0x70/0x290
[ 6705.683439]  kasan_report+0x291/0x390
[ 6705.684193]  ? arch_tlb_gather_mmu+0x21/0x170
[ 6705.685074]  __asan_store8+0x57/0x90
[ 6705.685808]  arch_tlb_gather_mmu+0x21/0x170
[ 6705.686660]  tlb_gather_mmu+0x12/0x40
[ 6705.687431]  free_ldt_pgtables.part.2+0x90/0x110
[ 6705.688372]  ? map_ldt_struct+0x4d0/0x4d0
[ 6705.689202]  ? run_rebalance_domains+0x170/0x170
[ 6705.690136]  ? ext4_empty_dir+0x1dd/0x420
[ 6705.690959]  ? __schedule+0x701/0xd90
[ 6705.691811]  free_ldt_pgtables+0x13/0x20
[ 6705.692616]  ldt_arch_exit_mmap+0xe/0x10
[ 6705.693421]  exit_mmap+0xeb/0x290
[ 6705.694101]  ? __ia32_sys_munmap+0x50/0x50
[ 6705.694937]  ? ext4_rmdir+0x1c2/0x750
[ 6705.695704]  ? exit_aio+0x98/0x230
[ 6705.696406]  ? __x32_compat_sys_io_submit+0x260/0x260
[ 6705.697445]  ? taskstats_exit+0x1f4/0x640
[ 6705.698267]  ? kasan_check_read+0x11/0x20
[ 6705.699085]  ? mm_update_next_owner+0x322/0x380
[ 6705.700017]  mmput+0x8b/0x1d0
[ 6705.700633]  do_exit+0x472/0x13c0
[ 6705.701318]  ? mm_update_next_owner+0x380/0x380
[ 6705.702243]  ? __ia32_sys_fallocate+0x60/0x60
[ 6705.703127]  ? getname_flags+0x110/0x2c0
[ 6705.703943]  ? __x64_sys_rmdir+0x24/0x30
[ 6705.704749]  rewind_stack_do_exit+0x17/0x20
[ 6705.705619] RIP: 0033:0x7f68377ca4d9
[ 6705.706358] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 6705.710080] RSP: 002b:00007ffe90ddedd8 EFLAGS: 00000286 ORIG_RAX: 0000000000000054
[ 6705.711602] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f68377ca4d9
[ 6705.713025] RDX: ffffffffffffff98 RSI: 00007f68377ca4d9 RDI: 00007ffe90ddee20
[ 6705.714452] RBP: 00007ffe90de0ed0 R08: 00007ffe90de0fb8 R09: 00007ffe90de0fb8
[ 6705.715890] R10: 00007ffe90de0fb8 R11: 0000000000000286 R12: 0000000000400530
[ 6705.717313] R13: 00007ffe90de0fb0 R14: 0000000000000000 R15: 0000000000000000
[ 6705.719070] The buggy address belongs to the page:
[ 6705.720063] page:ffffea0007c2b9c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 6705.721663] flags: 0x2ffff0000000000()
[ 6705.722424] raw: 02ffff0000000000 0000000000000000 ffffea0007c2b988 0000000000000000
[ 6705.723977] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 6705.725517] page dumped because: kasan: bad access detected
[ 6705.726953] Memory state around the buggy address:
[ 6705.727933]  ffff8801f0ae7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6705.729388]  ffff8801f0ae7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6705.730828] >ffff8801f0ae7b80: 00 f1 f1 f1 f1 f1 f1 f1 f1 f3 f3 00 00 00 00 00
[ 6705.732277]                                               ^
[ 6705.733397]  ffff8801f0ae7c00: 00 00 00 00 00 00 00 00 00 00 f4 f4 f4 f3 f3 f3
[ 6705.734852]  ffff8801f0ae7c80: f3 f4 f3 f3 f3 f3 00 00 f1 f1 f1 f1 00 00 00 00
[ 6705.736325] ==================================================================

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
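The trace above faults inside __ext4_check_dir_entry while empty_inline_dir is walking a directory during rmdir. Decoding the bytes around the fault marker in the Code: line, `31 d2` (xor %edx,%edx) precedes `f7 75 18` (divl 0x18(%rbp)): a 32-bit unsigned divide whose divisor is read from a stack slot, so the #DE can only mean that divisor was zero. The example below is an added illustration, not code from the bug report, from 17.c, or from the kernel tree: a user-space model of the rec_len sanity checks an ext4 directory walker applies to each on-disk entry, written so that the size of the entry region is validated before anything divides by it. Assumptions not on the page: the 8-byte entry header (inode, rec_len, name_len, file_type) mirrors ext4_dir_entry_2, the 64 KiB-block rec_len encoding is ignored, a block-directory layout with "." and ".." entries is used instead of the inline-data layout, and every buffer is constructed inline.

```c
/* Added example (not from the report or the kernel): a user-space model of
 * ext4 directory-entry validation with the region size checked before use. */
#include <stdint.h>
#include <string.h>

/* Minimum on-disk size of an entry carrying an n-byte name: 8-byte header plus
 * the name, rounded up to a multiple of 4 (assumed to mirror EXT4_DIR_REC_LEN). */
#define DIR_REC_LEN(n) (((n) + 8 + 3) & ~3u)

enum dirent_status {
    DIRENT_OK = 0,
    DIRENT_BAD_REGION,        /* size == 0, or fewer than 8 bytes left at off */
    DIRENT_REC_LEN_SMALL,     /* rec_len < DIR_REC_LEN(1)                     */
    DIRENT_REC_LEN_UNALIGNED, /* rec_len % 4 != 0                             */
    DIRENT_REC_LEN_LT_NAME,   /* rec_len < DIR_REC_LEN(name_len)              */
    DIRENT_CROSSES_RANGE,     /* entry runs past the end of the region        */
};

/* On-disk fields are little-endian; decode explicitly so the model is portable. */
static uint32_t le32_at(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static unsigned int le16_at(const unsigned char *p) { return p[0] | (unsigned int)p[1] << 8; }

/* Validate the entry at byte offset `off` inside a `size`-byte region `buf`.
 * The region size is a caller-supplied value derived from on-disk metadata, so
 * it is treated as untrusted: a zero or too-short region is rejected before any
 * arithmetic (including an `off % size` for diagnostics) could use it. */
enum dirent_status check_dir_entry(const unsigned char *buf, unsigned int size, unsigned int off)
{
    if (size == 0 || off >= size || size - off < 8)
        return DIRENT_BAD_REGION;
    const unsigned char *de = buf + off;
    unsigned int rlen = le16_at(de + 4);
    unsigned int name_len = de[6];

    if (rlen < DIR_REC_LEN(1))          return DIRENT_REC_LEN_SMALL;
    if (rlen % 4 != 0)                  return DIRENT_REC_LEN_UNALIGNED;
    if (rlen < DIR_REC_LEN(name_len))   return DIRENT_REC_LEN_LT_NAME;
    if (off + rlen > size)              return DIRENT_CROSSES_RANGE;
    return DIRENT_OK;
}

/* The question rmdir asks: does the region hold only "." and ".." (or unused
 * entries with inode 0)?  Returns 1 if empty, 0 if not, -1 on corruption.
 * A zero-length region is corruption, not an empty directory. */
int dir_region_is_empty(const unsigned char *buf, unsigned int size)
{
    if (size == 0)
        return -1;
    for (unsigned int off = 0; off < size; ) {
        if (check_dir_entry(buf, size, off) != DIRENT_OK)
            return -1;
        const unsigned char *de = buf + off;
        unsigned int name_len = de[6];
        const char *name = (const char *)de + 8;   /* in range: rlen >= name_len + 8 */
        if (le32_at(de) != 0) {
            int dot    = name_len == 1 && name[0] == '.';
            int dotdot = name_len == 2 && name[0] == '.' && name[1] == '.';
            if (!dot && !dotdot)
                return 0;
        }
        off += le16_at(de + 4);   /* rec_len already validated; walk cannot loop */
    }
    return 1;
}

/* Helper for constructed sample data: write one entry, return its rec_len. */
unsigned int put_entry(unsigned char *buf, unsigned int off, uint32_t ino,
                       unsigned int rec_len, const char *name)
{
    unsigned char *de = buf + off;
    size_t n = strlen(name);
    de[0] = (unsigned char)ino;        de[1] = (unsigned char)(ino >> 8);
    de[2] = (unsigned char)(ino >> 16); de[3] = (unsigned char)(ino >> 24);
    de[4] = (unsigned char)rec_len;    de[5] = (unsigned char)(rec_len >> 8);
    de[6] = (unsigned char)n;          de[7] = 2;   /* file_type, unchecked here */
    memcpy(de + 8, name, n);
    return rec_len;
}

/* Constructed 1 KiB block holding only "." and "..": empty. */
int demo_empty_block(void)
{
    unsigned char blk[1024] = {0};
    unsigned int off = put_entry(blk, 0, 2, 12, ".");
    put_entry(blk, off, 2, 1024 - 12, "..");
    return dir_region_is_empty(blk, sizeof blk);
}

/* Constructed block with a real entry after "." and "..": not empty. */
int demo_nonempty_block(void)
{
    unsigned char blk[1024] = {0};
    unsigned int off = put_entry(blk, 0, 2, 12, ".");
    off += put_entry(blk, off, 2, 12, "..");
    put_entry(blk, off, 12, 1024 - 24, "file");
    return dir_region_is_empty(blk, sizeof blk);
}

/* The corrupted-metadata case: a zero-length region must be reported as
 * corrupt, never divided by and never mistaken for an empty directory. */
int demo_zero_size_region(void)
{
    unsigned char blk[8] = {0};
    return dir_region_is_empty(blk, 0);
}

/* A rec_len that claims more bytes than the region holds is also corruption. */
int demo_rec_len_crosses_range(void)
{
    unsigned char blk[64] = {0};
    put_entry(blk, 0, 2, 12, ".");
    put_entry(blk, 12, 2, 100, "..");
    return dir_region_is_empty(blk, sizeof blk);
}
```

The ordering is the point: the region size is an input derived from the on-disk inode, and a walker that only uses it in a diagnostic expression (such as printing the offset modulo the size) still needs the zero check in front of that expression, or a crafted image turns an error-reporting path into a kernel fault.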