[Bug 216283] New: FUZZ: BUG() triggered in fs/ext4/extent.c:ext4_ext_insert_extent() when mount and operate on crafted image

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.kernel.org/show_bug.cgi?id=216283

            Bug ID: 216283
           Summary: FUZZ: BUG() triggered in
                    fs/ext4/extent.c:ext4_ext_insert_extent() when mount
                    and operate on crafted image
           Product: File System
           Version: 2.5
    Kernel Version: 5.15-5.19-rc8
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wenqingliu0120@xxxxxxxxx
        Regression: No

Created attachment 301487
  --> https://bugzilla.kernel.org/attachment.cgi?id=301487&action=edit
poc and .config

- Overview 
FUZZ: BUG() triggered in fs/ext4/extent.c:ext4_ext_insert_extent()when mount
and operate on crafted image

- Reproduce 
Tested on kernel 5.15.57, 5.19-rc8

# mkdir test_crash
# cd test_crash 
# unzip tmp15.zip
# mkdir mnt
# ./single_test.sh ext4 15

-Kernel dump
[ 1524.446966] loop5: detected capacity change from 0 to 32768
[ 1524.536425] EXT4-fs (loop5): recovery complete
[ 1524.542174] EXT4-fs (loop5): mounted filesystem with ordered data mode.
Quota mode: none.
[ 1524.542850] ext4 filesystem being mounted at /home/wq/test_crashes/mnt
supports timestamps until 2038 (0x7fffffff)
[ 1524.849072] ------------[ cut here ]------------
[ 1524.849076] kernel BUG at fs/ext4/extents.c:1006!
[ 1524.849141] invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 1524.849167] CPU: 0 PID: 1186 Comm: tmp15 Not tainted 5.19.0-rc8 #1
[ 1524.849193] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 1524.849228] RIP: 0010:ext4_ext_insert_extent+0x3b8e/0x43d0
[ 1524.849259] Code: df ba f7 03 00 00 48 c7 c6 e0 9b f8 8d 41 be 8b ff ff ff
e8 e4 20 12 00 e9 da f5 ff ff 4c 89 ff e8 a7 91 cf ff e9 a0 f4 ff ff <0f> 0b e8
1b 91 cf ff e9 49 f4 ff ff 44 0f b7 fa 50 49 c7 c1 e0 8f
[ 1524.849330] RSP: 0018:ffff88812689f5f8 EFLAGS: 00010286
[ 1524.849353] RAX: 00000000ffffffff RBX: ffff888105227aa8 RCX:
0000000000000000
[ 1524.849381] RDX: ffffffffffffffff RSI: 0000000000017ef8 RDI:
ffff888173197004
[ 1524.849410] RBP: ffff888105227986 R08: 0000000000000001 R09:
ffffed1020af02a9
[ 1524.849438] R10: ffff888105781547 R11: ffffed1020af02a8 R12:
0000000000001013
[ 1524.849466] R13: ffff888103723c58 R14: ffff888173197000 R15:
ffff888173197018
[ 1524.849494] FS:  00007f653cb8b540(0000) GS:ffff888293600000(0000)
knlGS:0000000000000000
[ 1524.849526] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1524.849549] CR2: 000055c5c050c008 CR3: 000000011caae004 CR4:
0000000000370ef0
[ 1524.849579] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 1524.849610] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 1524.849638] Call Trace:
[ 1524.849650]  <TASK>
[ 1524.849661]  ? ext4_discard_preallocations+0xd70/0xd70
[ 1524.849686]  ? ext4_ext_shift_extents+0xc50/0xc50
[ 1524.849707]  ? ext4_ext_search_right+0x822/0xc20
[ 1524.849728]  ? _raw_spin_unlock_irqrestore+0x23/0x40
[ 1524.849750]  ext4_ext_map_blocks+0xc86/0x3710
[ 1524.849771]  ? ext4_ext_release+0x10/0x10
[ 1524.849789]  ? do_writepages+0x170/0x590
[ 1524.849819]  ? __filemap_fdatawrite_range+0xa7/0xe0
[ 1524.849859]  ? ext4_sync_file+0x18a/0x9b0
[ 1524.849895]  ? do_fsync+0x38/0x70
[ 1524.849928]  ? __x64_sys_fdatasync+0x32/0x50
[ 1524.849965]  ? mpage_process_page_bufs+0xe8/0x5b0
[ 1524.850005]  ? __pagevec_release+0x7f/0x110
[ 1524.850042]  ? down_write_killable+0x130/0x130
[ 1524.850080]  ? ext4_es_lookup_extent+0x3ae/0x960
[ 1524.850104]  ext4_map_blocks+0x600/0x1460
[ 1524.850123]  ? ext4_issue_zeroout+0x190/0x190
[ 1524.850142]  ? __kasan_slab_alloc+0x90/0xc0
[ 1524.850163]  ext4_writepages+0xffa/0x25e0
[ 1524.850182]  ? __ext4_mark_inode_dirty+0x5f0/0x5f0
[ 1524.850204]  ? __stack_depot_save+0x34/0x540
[ 1524.850223]  ? _raw_spin_lock+0x87/0xda
[ 1524.850245]  ? _raw_spin_lock_irqsave+0xf0/0xf0
[ 1524.850283]  ? kmem_cache_free+0xd3/0x3b0
[ 1524.850320]  ? do_syscall_64+0x38/0x90
[ 1524.851019]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 1524.851716]  do_writepages+0x170/0x590
[ 1524.852415]  ? page_writeback_cpu_online+0x20/0x20
[ 1524.853162]  ? avc_has_extended_perms+0xe70/0xe70
[ 1524.853848]  ? may_linkat+0x310/0x310
[ 1524.854524]  ? _raw_spin_lock+0x87/0xda
[ 1524.855182]  ? _raw_spin_lock_irqsave+0xf0/0xf0
[ 1524.855824]  ? wbc_attach_and_unlock_inode+0x21/0x590
[ 1524.856449]  filemap_fdatawrite_wbc+0x11d/0x190
[ 1524.857095]  __filemap_fdatawrite_range+0xa7/0xe0
[ 1524.857686]  ? delete_from_page_cache_batch+0x950/0x950
[ 1524.858274]  ? do_faccessat+0x1d2/0x630
[ 1524.858855]  ? kmem_cache_free+0xd3/0x3b0
[ 1524.859434]  file_write_and_wait_range+0x92/0x100
[ 1524.860013]  ext4_sync_file+0x18a/0x9b0
[ 1524.860587]  do_fsync+0x38/0x70
[ 1524.861193]  __x64_sys_fdatasync+0x32/0x50
[ 1524.861744]  do_syscall_64+0x38/0x90
[ 1524.862284]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 1524.862832] RIP: 0033:0x7f653cab073d
[ 1524.863388] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 23 37 0d 00 f7 d8 64 89 01 48
[ 1524.864581] RSP: 002b:00007ffe69164218 EFLAGS: 00000217 ORIG_RAX:
000000000000004b
[ 1524.865245] RAX: ffffffffffffffda RBX: 000055c5c050b720 RCX:
00007f653cab073d
[ 1524.865868] RDX: 00007f653cab073d RSI: ffffffffffffff80 RDI:
0000000000000004
[ 1524.866499] RBP: 00007ffe69168b80 R08: 00007ffe69168c78 R09:
00007ffe69168c78
[ 1524.867134] R10: 00007ffe69168c78 R11: 0000000000000217 R12:
000055c5c050b0a0
[ 1524.867770] R13: 00007ffe69168c70 R14: 0000000000000000 R15:
0000000000000000
[ 1524.868404]  </TASK>
[ 1524.869048] Modules linked in: input_leds joydev serio_raw qemu_fw_cfg xfs
autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper
hid_generic usbhid syscopyarea sysfillrect sysimgblt fb_sys_fops hid drm
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel psmouse
crypto_simd cryptd
[ 1524.871971] ---[ end trace 0000000000000000 ]---
[ 1524.872717] RIP: 0010:ext4_ext_insert_extent+0x3b8e/0x43d0
[ 1524.873715] Code: df ba f7 03 00 00 48 c7 c6 e0 9b f8 8d 41 be 8b ff ff ff
e8 e4 20 12 00 e9 da f5 ff ff 4c 89 ff e8 a7 91 cf ff e9 a0 f4 ff ff <0f> 0b e8
1b 91 cf ff e9 49 f4 ff ff 44 0f b7 fa 50 49 c7 c1 e0 8f
[ 1524.875375] RSP: 0018:ffff88812689f5f8 EFLAGS: 00010286
[ 1524.876222] RAX: 00000000ffffffff RBX: ffff888105227aa8 RCX:
0000000000000000
[ 1524.877110] RDX: ffffffffffffffff RSI: 0000000000017ef8 RDI:
ffff888173197004
[ 1524.877964] RBP: ffff888105227986 R08: 0000000000000001 R09:
ffffed1020af02a9
[ 1524.878829] R10: ffff888105781547 R11: ffffed1020af02a8 R12:
0000000000001013
[ 1524.879684] R13: ffff888103723c58 R14: ffff888173197000 R15:
ffff888173197018
[ 1524.880561] FS:  00007f653cb8b540(0000) GS:ffff888293600000(0000)
knlGS:0000000000000000
[ 1524.881491] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1524.882372] CR2: 000055c5c050c008 CR3: 000000011caae004 CR4:
0000000000370ef0
[ 1524.883270] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 1524.884182] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 1524.885084] ------------[ cut here ]------------
[ 1524.885972] WARNING: CPU: 0 PID: 1186 at kernel/exit.c:741
do_exit+0x1798/0x2740
[ 1524.886885] Modules linked in: input_leds joydev serio_raw qemu_fw_cfg xfs
autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper
hid_generic usbhid syscopyarea sysfillrect sysimgblt fb_sys_fops hid drm
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel psmouse
crypto_simd cryptd
[ 1524.890831] CPU: 0 PID: 1186 Comm: tmp15 Tainted: G      D          
5.19.0-rc8 #1
[ 1524.891858] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 1524.892918] RIP: 0010:do_exit+0x1798/0x2740
[ 1524.893959] Code: c0 74 08 3c 03 0f 8e cc 0c 00 00 8b 83 48 13 00 00 65 01
05 7a 59 aa 74 e9 92 fc ff ff 48 89 df e8 fd 77 28 00 e9 ec ee ff ff <0f> 0b e9
fa e8 ff ff 4c 89 e6 bf 05 06 00 00 e8 d4 72 02 00 e9 b2
[ 1524.896142] RSP: 0018:ffff88812689fe48 EFLAGS: 00010286
[ 1524.897245] RAX: 1ffff11024d12815 RBX: ffff888126893400 RCX:
0000000000000000
[ 1524.898357] RDX: dffffc0000000000 RSI: 0000000000000000 RDI:
ffff8881268940a8
[ 1524.899473] RBP: ffff888126893400 R08: 0000000000000041 R09:
ffffed1024d13000
[ 1524.900604] R10: ffff88829362848b R11: ffffed10526c5091 R12:
000000000000000b
[ 1524.901737] R13: ffffffff8de22ac0 R14: ffff888126893400 R15:
0000000000000000
[ 1524.902863] FS:  00007f653cb8b540(0000) GS:ffff888293600000(0000)
knlGS:0000000000000000
[ 1524.904014] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1524.905156] CR2: 000055c5c050c008 CR3: 000000011caae004 CR4:
0000000000370ef0
[ 1524.906287] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 1524.907395] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 1524.908495] Call Trace:
[ 1524.909570]  <TASK>
[ 1524.910628]  ? file_write_and_wait_range+0x92/0x100
[ 1524.911697]  ? mm_update_next_owner+0x6e0/0x6e0
[ 1524.912777]  ? ext4_sync_file+0x18a/0x9b0
[ 1524.913849]  make_task_dead+0xb0/0xc0
[ 1524.914904]  rewind_stack_and_make_dead+0x17/0x17
[ 1524.915952] RIP: 0033:0x7f653cab073d
[ 1524.916963] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 23 37 0d 00 f7 d8 64 89 01 48
[ 1524.918998] RSP: 002b:00007ffe69164218 EFLAGS: 00000217 ORIG_RAX:
000000000000004b
[ 1524.920032] RAX: ffffffffffffffda RBX: 000055c5c050b720 RCX:
00007f653cab073d
[ 1524.921062] RDX: 00007f653cab073d RSI: ffffffffffffff80 RDI:
0000000000000004
[ 1524.922070] RBP: 00007ffe69168b80 R08: 00007ffe69168c78 R09:
00007ffe69168c78
[ 1524.923061] R10: 00007ffe69168c78 R11: 0000000000000217 R12:
000055c5c050b0a0
[ 1524.924051] R13: 00007ffe69168c70 R14: 0000000000000000 R15:
0000000000000000
[ 1524.925023]  </TASK>
[ 1524.925975] ---[ end trace 0000000000000000 ]---

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.



[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux