[Bug 200349] New: Invalid memory access in journal_read_transaction() when mounting a reiserfs filesystem

https://bugzilla.kernel.org/show_bug.cgi?id=200349

            Bug ID: 200349
           Summary: Invalid memory access in journal_read_transaction()
                    when mounting a reiserfs filesystem
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 277003
  --> https://bugzilla.kernel.org/attachment.cgi?id=277003&action=edit
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 195.img mnt

- Kernel message
REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  338.739130] REISERFS (device loop0): using ordered data mode
[  338.739136] reiserfs: using flush barriers
[  338.741145] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 16, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  338.743244] REISERFS (device loop0): checking transaction log (loop0)
[  339.204994]
==================================================================
[  339.208049] BUG: KASAN: null-ptr-deref in journal_init+0x1f01/0x2930
[  339.209353] Read of size 8 at addr 0000000000000018 by task mount/1357

[  339.211030] CPU: 1 PID: 1357 Comm: mount Not tainted 4.18.0-rc1+ #8
[  339.211038] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  339.211047] Call Trace:
[  339.211088]  dump_stack+0x7b/0xb5
[  339.211117]  kasan_report+0x10c/0x390
[  339.211122]  ? journal_init+0x1f01/0x2930
[  339.211135]  __asan_load8+0x54/0x90
[  339.211140]  journal_init+0x1f01/0x2930
[  339.211147]  ? journal_release_error+0x70/0x70
[  339.211175]  ? vprintk_default+0x3e/0x70
[  339.211180]  ? vprintk_func+0x27/0x60
[  339.211184]  ? printk+0xa3/0xd3
[  339.211188]  ? kmsg_dump_rewind_nolock+0x64/0x64
[  339.211197]  reiserfs_fill_super+0x78d/0x1550
[  339.211202]  ? finish_unfinished+0x940/0x940
[  339.211215]  ? netdev_bits+0x50/0x50
[  339.211220]  ? __asan_loadN+0xf/0x20
[  339.211225]  ? format_decode+0x2af/0x4a0
[  339.211230]  ? vsnprintf+0x55f/0x980
[  339.211235]  ? pointer+0x520/0x520
[  339.211241]  ? up_write+0x16/0x40
[  339.211246]  ? snprintf+0x96/0xd0
[  339.211250]  ? vsprintf+0x20/0x20
[  339.211267]  ? set_blocksize+0x90/0x140
[  339.211278]  mount_bdev+0x1c5/0x210
[  339.211283]  ? finish_unfinished+0x940/0x940
[  339.211288]  get_super_block+0x15/0x20
[  339.211292]  mount_fs+0x60/0x1a0
[  339.211306]  ? alloc_vfsmnt+0x309/0x360
[  339.211312]  vfs_kern_mount+0x6b/0x1a0
[  339.211318]  do_mount+0x34a/0x18c0
[  339.211323]  ? copy_mount_string+0x20/0x20
[  339.211327]  ? kasan_kmalloc+0xad/0xe0
[  339.211333]  ? kmem_cache_alloc_trace+0x102/0x200
[  339.211338]  ? copy_mount_options+0x4b/0x190
[  339.211343]  ? copy_mount_options+0xd5/0x190
[  339.211348]  ksys_mount+0x83/0xd0
[  339.211353]  __x64_sys_mount+0x67/0x80
[  339.211371]  do_syscall_64+0x78/0x170
[  339.211388]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  339.211402] RIP: 0033:0x7fc54d740b9a
[  339.211403] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[  339.211462] RSP: 002b:00007fffd8cf2ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[  339.211472] RAX: ffffffffffffffda RBX: 00000000018d3030 RCX: 00007fc54d740b9a
[  339.211475] RDX: 00000000018d3210 RSI: 00000000018d4f50 RDI: 00000000018dbee0
[  339.211477] RBP: 0000000000000000 R08: 00000000018d3230 R09: 0000000000000017
[  339.211480] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 00000000018dbee0
[  339.211482] R13: 00000000018d3210 R14: 0000000000000000 R15: 0000000000000005
[  339.211486]
==================================================================
[  339.212976] Disabling lock debugging due to kernel taint
[  339.214526] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[  339.216252] PGD 80000001f3a5e067 P4D 80000001f3a5e067 PUD 1f0d21067 PMD 0
[  339.217654] Oops: 0000 [#1] SMP KASAN PTI
[  339.218476] CPU: 0 PID: 1357 Comm: mount Tainted: G    B             4.18.0-rc1+ #8
[  339.220027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  339.221932] RIP: 0010:journal_init+0x1f08/0x2930
[  339.222874] Code: f6 b9 08 00 00 00 e8 67 71 f3 ff 4c 89 e7 49 89 c5 e8 2c 0e e9 ff 49 8d 7d 18 4d 89 2c 24 e8 8f 0d e9 ff 48 8b bd c8 fe ff ff <4d> 8b 6d 18 e8 7f 0d e9 ff 4d 8b a7 08 04 00 00 49 8d 7c 24 08 e8
[  339.226689] RSP: 0018:ffff8801de8f77e0 EFLAGS: 00010296
[  339.227752] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[  339.229199] RDX: 0000000000000000 RSI: 0000000000000297 RDI: ffff8801f0d95088
[  339.230641] RBP: ffff8801de8f79f0 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  339.232091] R10: 0000000000000001 R11: ffffed003ede3eba R12: ffff8801f0c36a28
[  339.233533] R13: 0000000000000000 R14: 000000000b002013 R15: ffff8801f0d94c80
[  339.234976] FS:  00007fc54de60840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  339.236609] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  339.237765] CR2: 00007fb9e801e008 CR3: 00000001e3f64000 CR4: 00000000000006f0
[  339.239492] Call Trace:
[  339.240077]  ? journal_release_error+0x70/0x70
[  339.240993]  ? vprintk_default+0x3e/0x70
[  339.241808]  ? vprintk_func+0x27/0x60
[  339.242571]  ? printk+0xa3/0xd3
[  339.243230]  ? kmsg_dump_rewind_nolock+0x64/0x64
[  339.244197]  reiserfs_fill_super+0x78d/0x1550
[  339.245100]  ? finish_unfinished+0x940/0x940
[  339.245984]  ? netdev_bits+0x50/0x50
[  339.246730]  ? __asan_loadN+0xf/0x20
[  339.247478]  ? format_decode+0x2af/0x4a0
[  339.248304]  ? vsnprintf+0x55f/0x980
[  339.249051]  ? pointer+0x520/0x520
[  339.249763]  ? up_write+0x16/0x40
[  339.250457]  ? snprintf+0x96/0xd0
[  339.251146]  ? vsprintf+0x20/0x20
[  339.251847]  ? set_blocksize+0x90/0x140
[  339.252644]  mount_bdev+0x1c5/0x210
[  339.253370]  ? finish_unfinished+0x940/0x940
[  339.254254]  get_super_block+0x15/0x20
[  339.255033]  mount_fs+0x60/0x1a0
[  339.255708]  ? alloc_vfsmnt+0x309/0x360
[  339.256516]  vfs_kern_mount+0x6b/0x1a0
[  339.257295]  do_mount+0x34a/0x18c0
[  339.258011]  ? copy_mount_string+0x20/0x20
[  339.258857]  ? kasan_kmalloc+0xad/0xe0
[  339.259632]  ? kmem_cache_alloc_trace+0x102/0x200
[  339.260602]  ? copy_mount_options+0x4b/0x190
[  339.261476]  ? copy_mount_options+0xd5/0x190
[  339.262349]  ksys_mount+0x83/0xd0
[  339.263036]  __x64_sys_mount+0x67/0x80
[  339.263821]  do_syscall_64+0x78/0x170
[  339.264583]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  339.265614] RIP: 0033:0x7fc54d740b9a
[  339.266347] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[  339.270162] RSP: 002b:00007fffd8cf2ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[  339.271681] RAX: ffffffffffffffda RBX: 00000000018d3030 RCX: 00007fc54d740b9a
[  339.273129] RDX: 00000000018d3210 RSI: 00000000018d4f50 RDI: 00000000018dbee0
[  339.274568] RBP: 0000000000000000 R08: 00000000018d3230 R09: 0000000000000017
[  339.276014] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 00000000018dbee0
[  339.277450] R13: 00000000018d3210 R14: 0000000000000000 R15: 0000000000000005
[  339.278890] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  339.289445] CR2: 0000000000000018
[  339.290258] ---[ end trace 2e85051acb5f6dc1 ]---
[  339.291219] RIP: 0010:journal_init+0x1f08/0x2930
[  339.292314] Code: f6 b9 08 00 00 00 e8 67 71 f3 ff 4c 89 e7 49 89 c5 e8 2c 0e e9 ff 49 8d 7d 18 4d 89 2c 24 e8 8f 0d e9 ff 48 8b bd c8 fe ff ff <4d> 8b 6d 18 e8 7f 0d e9 ff 4d 8b a7 08 04 00 00 49 8d 7c 24 08 e8
[  339.296306] RSP: 0018:ffff8801de8f77e0 EFLAGS: 00010296
[  339.297378] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[  339.298812] RDX: 0000000000000000 RSI: 0000000000000297 RDI: ffff8801f0d95088
[  339.300290] RBP: ffff8801de8f79f0 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  339.301730] R10: 0000000000000001 R11: ffffed003ede3eba R12: ffff8801f0c36a28
[  339.303159] R13: 0000000000000000 R14: 000000000b002013 R15: ffff8801f0d94c80
[  339.304639] FS:  00007fc54de60840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  339.306266] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  339.307424] CR2: 00007fb9e801e008 CR3: 00000001e3f64000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/journal.c#L2229
                if (real_blocks[i]->b_blocknr > SB_BLOCK_COUNT(sb)) {
                        reiserfs_warning(sb, "journal-1207",
                                         "REPLAY FAILURE fsck required! "
                                         "Block to replay is outside of "
                                         "filesystem");
                        goto abort_replay;
                }
real_blocks[i] points to an invalid memory address...

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.
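The failure pattern behind the quoted check, as an added C illustration (not kernel code and not from the reporter): the faulting address 0x18 is the offset of b_blocknr in a 64-bit struct buffer_head, which is exactly what the quoted comparison reads through a NULL real_blocks[i] once sb_getblk() returns NULL for a block number the device cannot hold. The struct layout, toy_getblk(), the 1000-block sizes and the sample descriptors below are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy stand-in for the kernel's struct buffer_head (assumed 64-bit layout):
 * b_blocknr lands at offset 24 == 0x18, the address in the KASAN report. */
struct buffer_head {
    unsigned long b_state; struct buffer_head *b_this_page; void *b_page;
    uint64_t b_blocknr;
};
/* Toy sb_getblk(): like the kernel's, it returns NULL for a block number the
 * device cannot hold. dev_blocks is a constructed device size. */
static struct buffer_head *toy_getblk(uint64_t blocknr, uint64_t dev_blocks)
{
    if (blocknr >= dev_blocks)
        return NULL;
    struct buffer_head *bh = calloc(1, sizeof(*bh));
    if (bh) bh->b_blocknr = blocknr;
    return bh;
}

/* Hardened replay check. realblock[] is the on-disk j_realblock array, so it
 * is untrusted. The bound test runs on the raw number before getblk (the
 * quoted kernel code tested bh->b_blocknr, i.e. after dereferencing a possibly
 * NULL bh) and the getblk result is NULL-checked. Returns the number of
 * blocks accepted, or -1 where the kernel would goto abort_replay. */
int check_replay_blocks(const uint32_t *realblock, size_t n,
                        uint64_t fs_block_count, uint64_t dev_blocks,
                        struct buffer_head **out)
{
    size_t i;
    for (i = 0; i < n; i++) {
        uint64_t blk = realblock[i];
        if (blk > fs_block_count)            /* same bound as journal-1207 */
            goto abort_replay;
        out[i] = toy_getblk(blk, dev_blocks);
        if (!out[i])                         /* the check the quoted code lacks */
            goto abort_replay;
    }
    return (int)n;
abort_replay:
    while (i-- > 0)                          /* release what was accepted */
        free(out[i]);
    return -1;
}

/* Constructed descriptors: a sane one; one with a crafted huge entry (the
 * bug's trigger); one exactly on the boundary that only the NULL check stops. */
const uint32_t sample_ok[]      = { 16, 500, 999 };
const uint32_t sample_crafted[] = { 16, 0xFFFFFFFFu };
const uint32_t sample_edge[]    = { 1000 };
struct buffer_head *g_out[8];                /* scratch output for callers */
```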
