Date:   Tue, 10 Apr 2018 03:41:04 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 199335] New: BUG() in ext4_mb_normalize_request when mounting
 and operating on a crafted ext4 image

https://bugzilla.kernel.org/show_bug.cgi?id=199335

            Bug ID: 199335
           Summary: BUG() in ext4_mb_normalize_request when mounting and
                    operating on a crafted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.4.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 275259
  --> https://bugzilla.kernel.org/attachment.cgi?id=275259&action=edit
The crafted image which causes kernel panic

- Overview
BUG() is triggered in ext4_mb_normalize_request() when mounting and operating
on a crafted ext4 image

- Reproduce
# mkdir mnt
# mount -t ext4 9.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Location
https://elixir.bootlin.com/linux/v4.4.124/source/fs/ext4/mballoc.c#L3159

- Kernel Dump
[  283.633619] EXT4-fs (loop0): feature flags set on rev 0 fs, running e2fsck
is recommended
[  283.633623] EXT4-fs (loop0): Couldn't mount because of unsupported optional
features (4400)
[  583.745647] EXT4-fs (loop0): mounted filesystem with ordered data mode.
Opts: (null)
[  588.049508] EXT4-fs error (device loop0): ext4_init_inode_table:1337: comm
ext4lazyinit: Something is wrong with group 15: used itable blocks: -8159;
itable unused count: 65535
[  590.162854] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group
5, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.162970] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group
24, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.163023] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group
25, block bitmap and bg descriptor inconsistent: 32 vs 256 free clusters
[  590.163076] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group
28, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.163128] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group
29, block bitmap and bg descriptor inconsistent: 32 vs 20 free clusters
[  590.163356] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group
42, block bitmap and bg descriptor inconsistent: 32 vs 4 free clusters
[  590.163444] EXT4-fs error (device loop0): ext4_mb_complex_scan_group:1972:
group 43, 32 free clusters as per group info. But got 512 blocks
[  590.163498] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group
62, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.163699] ------------[ cut here ]------------
[  590.163718] kernel BUG at fs/ext4/mballoc.c:3159!
[  590.163737] invalid opcode: 0000 [#1] SMP
[  590.163756] Modules linked in: vmw_vsock_vmci_transport vsock snd_ens1371
snd_ac97_codec vmw_balloon ac97_bus uvcvideo snd_pcm coretemp gameport
videobuf2_vmalloc snd_timer videobuf2_memops snd_rawmidi btusb videobuf2_v4l2
btrtl btbcm btintel snd_seq_device videobuf2_core bluetooth joydev v4l2_common
snd input_leds serio_raw videodev media soundcore vmw_vmci shpchp i2c_piix4
8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr
iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10
raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor async_tx
xor raid6_pq raid1 raid0 multipath linear hid_generic usbhid hid vmwgfx
drm_kms_helper syscopyarea sysfillrect crct10dif_pclmul sysimgblt crc32_pclmul
ghash_clmulni_intel fb_sys_fops ttm aesni_intel aes_x86_64
[  590.169012]  glue_helper lrw gf128mul ablk_helper drm cryptd e1000 mptspi
psmouse scsi_transport_spi mptscsih ahci libahci pata_acpi mptbase fjes
[  590.170490] CPU: 0 PID: 32509 Comm: poc Not tainted 4.4.124 #4
[  590.171195] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[  590.172573] task: ffff880033af4600 ti: ffff880081064000 task.ti:
ffff880081064000
[  590.173249] RIP: 0010:[<ffffffff892cf59a>]  [<ffffffff892cf59a>]
ext4_mb_normalize_request.constprop.29+0x25a/0x4d0
[  590.174630] RSP: 0018:ffff880081067770  EFLAGS: 00010246
[  590.175298] RAX: 0000000000000020 RBX: ffff8801261013d8 RCX:
0000000000000020
[  590.175940] RDX: 0000000000000001 RSI: 0000000000000000 RDI:
0000000000000020
[  590.176591] RBP: ffff8800810677c0 R08: 000000000000000a R09:
0000000000000001
[  590.177310] R10: 0000000000000001 R11: ffffea00028f8700 R12:
ffff8800ba95e000
[  590.177980] R13: ffff8800b959e410 R14: 0000000000000000 R15:
ffff8800b959e440
[  590.178607] FS:  00007f6258042700(0000) GS:ffff880139600000(0000)
knlGS:0000000000000000
[  590.179255] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  590.179934] CR2: 00000000006fd158 CR3: 0000000034528000 CR4:
0000000000160670
[  590.180632] Stack:
[  590.181297]  ffff8800810678e8 ffff880126101188 ffffffff892cef42
ffff8800ba3ac800
[  590.181966]  00000020948cd7fc ffff8800ba3ac800 ffff8800810678e4
ffff8800ba3a8800
[  590.182871]  ffff8800810678e8 ffff8800ba95e000 ffff880081067870
ffffffff892d5b7e
[  590.183472] Call Trace:
[  590.184024]  [<ffffffff892cef42>] ? ext4_mb_initialize_context+0x82/0x1b0
[  590.184573]  [<ffffffff892d5b7e>] ext4_mb_new_blocks+0x5de/0xad0
[  590.185124]  [<ffffffff8924478a>] ? __find_get_block+0xaa/0x120
[  590.185703]  [<ffffffff89244acb>] ? __getblk_gfp+0x2b/0x60
[  590.186239]  [<ffffffff892da07c>] ? ext4_get_branch+0xbc/0x130
[  590.186757]  [<ffffffff892db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[  590.187315]  [<ffffffff891ae71c>] ? zone_statistics+0x7c/0xa0
[  590.187828]  [<ffffffff891957a8>] ? free_hot_cold_page_list+0x48/0xb0
[  590.188352]  [<ffffffff8929a3d4>] ext4_map_blocks+0x2c4/0x570
[  590.188845]  [<ffffffff891ebb9c>] ? kmem_cache_alloc+0x1cc/0x1f0
[  590.189324]  [<ffffffff8929a73e>] _ext4_get_block+0xbe/0x220
[  590.189833]  [<ffffffff8929a8b6>] ext4_get_block+0x16/0x20
[  590.190287]  [<ffffffff89245e82>] __block_write_begin+0x172/0x480
[  590.190730]  [<ffffffff8929a8a0>] ? _ext4_get_block+0x220/0x220
[  590.191163]  [<ffffffff892cd2cd>] ? __ext4_journal_start_sb+0x6d/0x120
[  590.191587]  [<ffffffff8929ea5a>] ext4_write_begin+0x19a/0x440
[  590.192033]  [<ffffffff8929ef9e>] ext4_da_write_begin+0x29e/0x340
[  590.192453]  [<ffffffff8929fad7>] ? ext4_da_write_end+0x267/0x2c0
[  590.192871]  [<ffffffff8918defe>] generic_perform_write+0xce/0x1d0
[  590.193286]  [<ffffffff8918fc92>] __generic_file_write_iter+0x1a2/0x1e0
[  590.193922]  [<ffffffff8922990e>] ? atime_needs_update+0x4e/0xc0
[  590.194329]  [<ffffffff89293a22>] ext4_file_write_iter+0x102/0x470
[  590.194975]  [<ffffffff8921d4d5>] ? do_filp_open+0xa5/0x100
[  590.195730]  [<ffffffff8920ca42>] __vfs_write+0xd2/0x120
[  590.196366]  [<ffffffff8920d0c9>] vfs_write+0xa9/0x1a0
[  590.196871]  [<ffffffff8920dd85>] SyS_write+0x55/0xc0
[  590.197559]  [<ffffffff897fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[  590.198059] Code: 00 00 8b 49 54 d3 e0 89 c1 01 f1 39 f9 76 08 39 fe 0f 86
e3 01 00 00 41 39 ce 73 25 3b 75 d4 73 20 41 39 f6 72 07 3b 4d d4 72 02 <0f> 0b
39 f9 0f 87 52 01 00 00 41 39 ce 0f 87 af 01 00 00 41 89
[  590.199920] RIP  [<ffffffff892cf59a>]
ext4_mb_normalize_request.constprop.29+0x25a/0x4d0
[  590.200456]  RSP <ffff880081067770>
[  590.201039] ---[ end trace 994aa9e5cf950be0 ]---

Reported by Wen Xu from SSLab, Gatech
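For anyone triaging a crash like the one above, the useful signal is the sequence of EXT4-fs error lines (block bitmap vs. group descriptor mismatches, a bad inode table count) on the same device just before the kernel BUG at fs/ext4/mballoc.c:3159. The parser below is an added example, not code from the report or from the ext4 project: it rejoins a few of the mail-wrapped dmesg lines from the dump into a constructed sample, extracts the per-group errors, the BUG site and the triggering process name, and flags the "metadata inconsistency followed by BUG() in ext4 code" pattern. All function and field names (parse_dmesg, assess, Ext4Report, and so on) are my own choices.

```python
"""Flag ext4 metadata errors that precede a kernel BUG() in fs/ext4.

Added example for triaging dmesg output like the report above; it is not
part of the bug report. The sample below is constructed from the report's
kernel dump, with the mail line-wrapping undone.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: dmesg lines taken from the report, rejoined.
SAMPLE_DMESG = """\
[  583.745647] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[  588.049508] EXT4-fs error (device loop0): ext4_init_inode_table:1337: comm ext4lazyinit: Something is wrong with group 15: used itable blocks: -8159; itable unused count: 65535
[  590.162854] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 5, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.163444] EXT4-fs error (device loop0): ext4_mb_complex_scan_group:1972: group 43, 32 free clusters as per group info. But got 512 blocks
[  590.163699] ------------[ cut here ]------------
[  590.163718] kernel BUG at fs/ext4/mballoc.c:3159!
[  590.170490] CPU: 0 PID: 32509 Comm: poc Not tainted 4.4.124 #4
"""

TS = r"\[\s*(?P<ts>\d+\.\d+)\]\s*"
ERR_RE = re.compile(TS + r"EXT4-fs error \(device (?P<dev>\S+)\): "
                    r"(?P<func>\w+):(?P<line>\d+): (?P<msg>.*)")
MOUNT_RE = re.compile(TS + r"EXT4-fs \((?P<dev>\S+)\): mounted filesystem")
BUG_RE = re.compile(TS + r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
COMM_RE = re.compile(TS + r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
GROUP_RE = re.compile(r"group (\d+)")


@dataclass
class Ext4Event:
    ts: float
    dev: str
    func: str          # kernel function that raised ext4_error()
    line: int          # source line given in the message
    group: Optional[int]  # block group named in the message, if any
    msg: str


@dataclass
class Ext4Report:
    mounted: List[str] = field(default_factory=list)
    errors: List[Ext4Event] = field(default_factory=list)
    bug_site: Optional[str] = None   # "file:line" from the BUG banner
    bug_ts: Optional[float] = None
    comm: Optional[str] = None       # process running when BUG() fired


def parse_dmesg(text: str) -> Ext4Report:
    """Walk dmesg lines and collect ext4 mounts, errors and a BUG banner."""
    rep = Ext4Report()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MOUNT_RE.match(line)):
            rep.mounted.append(m["dev"])
        elif (m := ERR_RE.match(line)):
            g = GROUP_RE.search(m["msg"])
            rep.errors.append(Ext4Event(float(m["ts"]), m["dev"], m["func"],
                                        int(m["line"]),
                                        int(g.group(1)) if g else None,
                                        m["msg"]))
        elif (m := BUG_RE.match(line)):
            rep.bug_site = f"{m['file']}:{m['line']}"
            rep.bug_ts = float(m["ts"])
        elif (m := COMM_RE.match(line)) and rep.bug_site and rep.comm is None:
            # The first CPU/PID/Comm line after the BUG banner names the task.
            rep.comm = m["comm"]
    return rep


def assess(rep: Ext4Report) -> dict:
    """Suspicious = ext4 errors on disk, then a BUG() inside fs/ext4."""
    bug_in_ext4 = bool(rep.bug_site and rep.bug_site.startswith("fs/ext4/"))
    before_bug = [e for e in rep.errors
                  if rep.bug_ts is None or e.ts <= rep.bug_ts]
    groups = sorted({e.group for e in before_bug if e.group is not None})
    return {
        "suspicious": bug_in_ext4 and bool(before_bug),
        "devices": sorted({e.dev for e in before_bug}),
        "inconsistent_groups": groups,
        "bug_site": rep.bug_site,
        "triggering_comm": rep.comm,
        "error_count": len(before_bug),
    }


if __name__ == "__main__":
    verdict = assess(parse_dmesg(SAMPLE_DMESG))
    for k, v in verdict.items():
        print(f"{k:20s} {v}")
```

Run against the constructed sample it reports loop0 as the device, groups 5, 15 and 43 as inconsistent, fs/ext4/mballoc.c:3159 as the BUG site and poc as the task. The point of separating the EXT4-fs error lines from the BUG banner is that the former are ordinary, recoverable corruption reports (the kind e2fsck -fn would surface before the image is ever mounted), while the latter is a hard kernel crash; seeing the two together on a loop device is the signature of an untrusted image having been mounted on a host that should not have mounted it.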
