On Mon, Jan 13, 2025 at 5:12 PM Andrew Price <anprice@xxxxxxxxxx> wrote:
> On 13/01/2025 15:54, Kun Hu wrote:
> >
> >> 32generated_program.c memory maps the filesystem image, mounts it, and
> >> then modifies it through the memory map. It's those modifications that
> >> cause gfs2 to crash, so the test case is invalid.
> >>
> >> Is disabling CONFIG_BLK_DEV_WRITE_MOUNTED supposed to prevent that? If
> >> so, then it doesn't seem to be working.
> >>
> >> Thanks,
> >> Andreas
> >
> >
> >> We have reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled to obtain the same crash log. The new crash log, along with C and Syzlang reproducers, are provided below:
> >
> >> Crash log: https://drive.google.com/file/d/1FiCgo05oPheAt4sDQzRYTQwl0-CY6rvi/view?usp=sharing
> >> C reproducer: https://drive.google.com/file/d/1TTR9cquaJcMYER6vtYUGh3gOn_mROME4/view?usp=sharing
> >> Syzlang reproducer: https://drive.google.com/file/d/1R9QDUP2r7MI4kYMiT_yn-tzm6NqmcEW-/view?usp=sharing
> >
> > Hi Andreas,
> >
> > As per Jan's suggestion, we've successfully reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled. Should you require us to test this issue again, we are happy to do so.
>
> FWIW the reproducer boils down to
>
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/ioctl.h>
> #include <linux/fs.h>
>
> /*
>  * Setup (run as root):
>  *   mkfs.gfs2 -b 2048 -p lock_nolock $DEV
>  *   mount $DEV $MNT
>  *   cd $MNT
>  *   /path/to/this_test
>  */
> int main(void)
> {
>         unsigned flag = FS_JOURNAL_DATA_FL;
>         char buf[4102] = {0};
>         int fd;
>
>         /* Error checking omitted for clarity */
>         /* O_CREAT needs a mode argument; 0644 added so the call is well defined */
>         fd = open("f", O_CREAT|O_RDWR, 0644);
>         write(fd, buf, sizeof(buf));
>         /* Switch the file to journaled data mode between the two writes */
>         ioctl(fd, FS_IOC_SETFLAGS, &flag);
>         write(fd, buf, sizeof(buf)); /* boom */
>         close(fd);
>         return 0;
> }
>
> So it's switching the file to journaled data mode between two writes.
>
> The size of the writes seems to be relevant and the fs needs to be
> created with a 2K block size (I'm guessing it could reproduce with other
> combinations).
I've posted a fix and pushed it to for-next:
https://lore.kernel.org/gfs2/20250114175949.1196275-1-agruenba@xxxxxxxxxx/

Thanks for reporting!

Andreas