Bug 156811
| Summary: | Fuzzed image causes undefined behavior in btrfsck (qgroup-verify.c:find_parent_root()) | | |
|---|---|---|---|
| Product: | File System | Reporter: | Lukas Lueg (lukas.lueg) |
| Component: | btrfs | Assignee: | Josef Bacik (josef) |
| Status: | RESOLVED CODE_FIX | | |
| Severity: | normal | CC: | dsterba |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 4.6.6-300.fc24-x86_64 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | Image exposing undefined behavior, UBSAN-log | | |
Created attachment 233401 [details]
UBSAN-log
UB fixed and better error handling in place, image added, thanks. Closing.
Created attachment 233391 [details]
Image exposing undefined behavior

More news from the fuzzer. The attached image causes btrfsck to engage in undefined behavior; using btrfs-progs v4.7-42-g56e9586. You need to compile with UBSAN in order to reproduce. The juicy parts:

qgroup-verify.c:333:15: runtime error: member access within null pointer of type 'struct ref'
#0 0x88684f in find_parent_roots /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:333:15
#1 0x877a71 in account_all_refs /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:525:11
#2 0x87513b in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:1372:8
#3 0x536d3a in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11637:9
#4 0x490560 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243:8
#5 0x7f35b46ab730 in __libc_start_main (/lib64/libc.so.6+0x20730)
#6 0x422188 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x422188)

We don't strictly need UBSAN as the error can be spotted by naked eye in find_parent_root(): The line "node = &ref->bytenr_node" gets a reference to a member of a NULL pointer before the pointer is checked against being NULL on the next line. It should be the other way around...
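The ordering defect described in the report, as an added example that is not btrfs-progs code: a constructed stand-in for struct ref with an embedded bytenr_node link, and a lookup that checks the pointer for NULL before any member address is formed. The names first_ref, count_refs and demo, the struct layout and the sample refs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for btrfs-progs' struct ref: refs sharing a bytenr are
 * chained through an embedded link, much as rb_node is embedded in the real one. */
struct node { struct node *next; };
struct ref { uint64_t bytenr, root; struct node bytenr_node; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* First ref recorded for bytenr, or NULL when a corrupt image has none. */
static struct ref *first_ref(struct ref *refs, size_t n, uint64_t bytenr)
{
	for (size_t i = 0; i < n; i++)
		if (refs[i].bytenr == bytenr)
			return &refs[i];
	return NULL;
}

/* Count the refs chained for bytenr. The reported order was
 *     node = &ref->bytenr_node;  then  if (!ref) ...
 * Forming &ref->member with ref == NULL is undefined behaviour, so the compiler
 * may assume ref is non-NULL afterwards; the NULL check must come first. */
static int count_refs(struct ref *refs, size_t n, uint64_t bytenr)
{
	struct ref *ref = first_ref(refs, n, bytenr);
	if (!ref)
		return -1;		/* missing ref: report it, form no member address */

	int count = 0;
	for (struct node *node = &ref->bytenr_node; node; node = node->next) {
		struct ref *cur = container_of(node, struct ref, bytenr_node);
		if (cur->bytenr != bytenr)	/* chain ends where the key changes */
			break;
		count++;
	}
	return count;
}

/* Constructed sample: two refs for bytenr 4096, one for 8192, linked in order. */
static int demo(uint64_t bytenr)
{
	static struct ref refs[3] = { {4096, 5}, {4096, 256}, {8192, 5} };
	refs[0].bytenr_node.next = &refs[1].bytenr_node;
	refs[1].bytenr_node.next = &refs[2].bytenr_node;
	return count_refs(refs, 3, bytenr);
}
```

Built with -fsanitize=undefined, the missing-bytenr case returns -1 cleanly instead of tripping the "member access within null pointer" report shown above.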