Bug 169311

Summary: Fuzzed image causes heap-buffer-overflow in btrfsck (crc32.c:crc32c_intel)
Product: File System
Reporter: Lukas Lueg (lukas.lueg)
Component: btrfs
Assignee: Josef Bacik (josef)
Status: RESOLVED CODE_FIX
Severity: normal
CC: dsterba
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.6.6-300.fc24-x86_64
Subsystem:
Regression: No
Bisected commit-id:
Attachments: Image causing heap-buffer-overflow
ASAN-log

Description Lukas Lueg 2016-09-18 09:23:44 UTC
Created attachment 238581 [details]
Image causing heap-buffer-overflow

More news from the fuzzer. The attached image causes a heap-buffer-overflow when running btrfsck with ASAN over it; using btrfs-progs v4.7.2-56-ge8c2013


==32491==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf5c at pc 0x000000614b63 bp 0x7ffeacb5c3b0 sp 0x7ffeacb5c3a8
READ of size 8 at 0x60c00000bf5c thread T0
    #0 0x614b62 in crc32c_intel /home/lukas/dev/btrfsfuzz/src-asan/crc32c.c:75:19
    #1 0x614c09 in crc32c_le /home/lukas/dev/btrfsfuzz/src-asan/crc32c.c:221:9
    #2 0x58de58 in __csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:139:8
    #3 0x58dd88 in csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:159:9
    #4 0x58dfa1 in csum_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:174:9
    #5 0x58eb64 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:348:19
    #6 0x5f2f84 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
    #7 0x5f2d62 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7
    #8 0x5f2bab in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
    #9 0x5eff59 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
    #10 0x5eefa9 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
    #11 0x51f08f in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11637:9
    #12 0x4f0f81 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
    #13 0x7fbf35742730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #14 0x4213f8 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4213f8)
Comment 1 Lukas Lueg 2016-09-18 09:24:16 UTC
Created attachment 238591 [details]
ASAN-log
Comment 2 David Sterba 2016-09-30 14:12:30 UTC
There's a lack of checks in read_tree_block_fs_info for blocksize.
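The root cause named in the comment above is a length taken from on-disk data and handed to the checksum routine without validation, so crc32c reads past the heap buffer. The following is an added example, not btrfs-progs code and not the fix that landed in devel: it models a tree-block read in which the block size from the header is checked for range, alignment, agreement with the superblock and against the number of bytes actually in memory before it is ever used as a length. The block layout (stored crc32c, then a little-endian blocksize, then payload), the 4096 to 65536 size range, and all function names are assumptions of this example; the CRC-32C routine is a plain software table implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed block layout (assumption of this example, not btrfs on-disk format):
 * bytes 0-3 stored crc32c, bytes 4-7 blocksize (LE), rest payload.
 * The checksum covers bytes 4 .. blocksize-1. */
#define CSUM_SIZE    4
#define MIN_NODESIZE 4096u   /* assumed sane range: power of two in [4 KiB, 64 KiB] */
#define MAX_NODESIZE 65536u

enum read_status {
    READ_OK = 0,
    READ_SHORT_HEADER,  /* buffer cannot even hold the header */
    READ_BAD_SIZE,      /* blocksize out of range or not a power of two */
    READ_SIZE_MISMATCH, /* blocksize disagrees with the superblock's nodesize */
    READ_SHORT_BUFFER,  /* blocksize exceeds the bytes actually read */
    READ_BAD_CSUM
};

/* Software CRC-32C (Castagnoli, reflected polynomial 0x82F63B78). */
static uint32_t crc32c_table[256];
static bool crc32c_ready;

static void crc32c_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0x82F63B78u : c >> 1;
        crc32c_table[i] = c;
    }
    crc32c_ready = true;
}

uint32_t crc32c_sw(const uint8_t *buf, size_t len)
{
    if (!crc32c_ready)
        crc32c_init();
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = crc32c_table[(crc ^ buf[i]) & 0xFF] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Hardened read (hypothetical name): every use of blocksize as a length is
 * preceded by a check, so a hostile header can never steer crc32c off the buffer. */
enum read_status read_tree_block_checked(const uint8_t *buf, size_t buf_len, uint32_t sb_nodesize)
{
    if (buf_len < 2 * CSUM_SIZE)
        return READ_SHORT_HEADER;
    uint32_t stored = load_le32(buf);
    uint32_t blocksize = load_le32(buf + CSUM_SIZE);
    if (blocksize < MIN_NODESIZE || blocksize > MAX_NODESIZE || (blocksize & (blocksize - 1)) != 0)
        return READ_BAD_SIZE;        /* untrusted value fails basic sanity */
    if (blocksize != sb_nodesize)
        return READ_SIZE_MISMATCH;   /* superblock committed to a different size */
    if (blocksize > buf_len)
        return READ_SHORT_BUFFER;    /* would read past what was actually loaded */
    uint32_t computed = crc32c_sw(buf + CSUM_SIZE, blocksize - CSUM_SIZE);
    return computed == stored ? READ_OK : READ_BAD_CSUM;
}

/* Constructed sample block: fills payload, writes the claimed size, and stores a
 * checksum over the bytes that really exist in the buffer. */
static void build_block(uint8_t *buf, size_t len, uint32_t claimed_size)
{
    memset(buf, 0xA5, len);
    store_le32(buf + CSUM_SIZE, claimed_size);
    size_t covered = (claimed_size <= len ? claimed_size : len) - CSUM_SIZE;
    store_le32(buf, crc32c_sw(buf + CSUM_SIZE, covered));
}

enum read_status scenario_consistent_block(void)
{
    static uint8_t buf[4096];
    build_block(buf, sizeof buf, 4096);
    return read_tree_block_checked(buf, sizeof buf, 4096);
}

enum read_status scenario_absurd_blocksize(void)
{
    static uint8_t buf[4096];
    build_block(buf, sizeof buf, 0x10000000u); /* 256 MiB claimed inside a 4 KiB buffer */
    return read_tree_block_checked(buf, sizeof buf, 4096);
}

enum read_status scenario_size_beyond_buffer(void)
{
    static uint8_t buf[4096];
    build_block(buf, sizeof buf, 65536); /* in range, but more than was read */
    return read_tree_block_checked(buf, sizeof buf, 65536);
}

enum read_status scenario_corrupted_payload(void)
{
    static uint8_t buf[4096];
    build_block(buf, sizeof buf, 4096);
    buf[100] ^= 0xFF; /* one flipped payload byte must be caught by the checksum */
    return read_tree_block_checked(buf, sizeof buf, 4096);
}

int main(void)
{
    printf("consistent=%d absurd=%d beyond=%d corrupted=%d\n",
           scenario_consistent_block(), scenario_absurd_blocksize(),
           scenario_size_beyond_buffer(), scenario_corrupted_payload());
    return 0;
}
```

The order of the checks is the point: range and alignment first (cheap, catches the obviously hostile value), then the cross-check against the size the superblock already declared, then the comparison with the buffer length that was actually allocated and filled. Only after all three does the size become a length argument to the checksum routine, which is the call that overflowed in the reported trace.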
Comment 3 David Sterba 2016-09-30 14:24:12 UTC
Fixed in devel, closing.