Bug 199837

Summary: out-of-bound access in write_extent_buffer() when mounting and operating a crafted btrfs image
Product: File System
Reporter: Wen Xu (wen.xu)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: dsterba, wen.xu
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.17
Subsystem:
Regression: No
Bisected commit-id:
Attachments:
  The (compressed) crafted image which causes crash
  poc.c

Description Wen Xu 2018-05-26 03:55:57 UTC
Created attachment 276193
The (compressed) crafted image which causes crash

- Overview
out-of-bound access in write_extent_buffer() when mounting and operating a crafted btrfs image

- Reproduce
# mkdir mnt
# mount -t btrfs 30.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Kernel message (4.17-rc5)
[  935.853056] BTRFS: device fsid 12b338de-a2e9-40fa-a4b0-90e53b7c5773 devid 1 transid 8 /dev/loop0
[  935.856142] BTRFS info (device loop0): disk space caching is enabled
[  935.856145] BTRFS info (device loop0): has skinny extents
[  935.858524] BTRFS error (device loop0): bad tree block start 9982943851654580874 29417472
[  935.861336] BTRFS info (device loop0): read error corrected: ino 0 off 29417472 (dev /dev/loop0 sector 73840)
[  935.861468] BTRFS error (device loop0): bad tree block start 0 29396992
[  935.863654] BTRFS info (device loop0): read error corrected: ino 0 off 29396992 (dev /dev/loop0 sector 73800)
[  935.863707] BTRFS error (device loop0): bad fsid on block 29376512
[  935.865752] BTRFS info (device loop0): read error corrected: ino 0 off 29376512 (dev /dev/loop0 sector 73760)
[  935.866140] BTRFS error (device loop0): bad tree block start 7305964525566558208 29380608
[  935.868132] BTRFS info (device loop0): read error corrected: ino 0 off 29380608 (dev /dev/loop0 sector 73768)
[  935.868211] BTRFS error (device loop0): bad tree block start 0 29409280
[  935.870014] BTRFS info (device loop0): read error corrected: ino 0 off 29409280 (dev /dev/loop0 sector 73824)
[  935.870027] BTRFS info (device loop0): checking UUID tree
[  942.062070] ------------[ cut here ]------------
[  942.062073] btrfs bad mapping eb start 29425664 len 4096, wanted 4108 8
[  942.063505] WARNING: CPU: 0 PID: 1330 at fs/btrfs/extent_io.c:5438 map_private_extent_buffer+0xc3/0xd0
[  942.063507] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul crc32_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp floppy pata_acpi mii
[  942.063729] CPU: 0 PID: 1330 Comm: poc Not tainted 4.17.0-rc5+ #5
[  942.063730] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  942.063733] RIP: 0010:map_private_extent_buffer+0xc3/0xd0
[  942.063734] RSP: 0018:ffffac0b013679a0 EFLAGS: 00010286
[  942.063736] RAX: 0000000000000000 RBX: 0000000001c10000 RCX: 0000000000000006
[  942.063738] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff905a3fc165d0
[  942.063739] RBP: ffffac0b013679b8 R08: 000000000000f279 R09: 000000000000025a
[  942.063740] R10: 0000000000000001 R11: ffffffff969c8f8d R12: 0000000000000001
[  942.063742] R13: 0000000000001014 R14: ffff905a32de59d8 R15: 000000000000100c
[  942.063744] FS:  00007f68a9f84700(0000) GS:ffff905a3fc00000(0000) knlGS:0000000000000000
[  942.063746] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  942.063747] CR2: 00000000014e6158 CR3: 0000000232cee000 CR4: 00000000000006f0
[  942.063753] Call Trace:
[  942.063763]  btrfs_set_token_64+0x116/0x140
[  942.063767]  btrfs_update_device+0x108/0x1c0
[  942.063770]  btrfs_finish_chunk_alloc+0x114/0x4b0
[  942.063775]  ? btrfs_insert_item+0x80/0xf0
[  942.063780]  btrfs_create_pending_block_groups+0x13f/0x270
[  942.063784]  __btrfs_end_transaction+0x91/0x2d0
[  942.063786]  btrfs_end_transaction+0x10/0x20
[  942.063789]  btrfs_alloc_data_chunk_ondemand+0x104/0x310
[  942.063792]  btrfs_check_data_free_space+0x51/0xa0
[  942.063794]  __btrfs_buffered_write+0x1b2/0x7a0
[  942.063798]  btrfs_file_write_iter+0x202/0x554
[  942.063804]  __vfs_write+0xfc/0x170
[  942.063807]  vfs_write+0xb8/0x1b0
[  942.063809]  ksys_write+0x55/0xc0
[  942.063812]  __x64_sys_write+0x1a/0x20
[  942.063818]  do_syscall_64+0x5a/0x110
[  942.063822]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  942.063825] RIP: 0033:0x7f68a9a962c0
[  942.063826] RSP: 002b:00007ffe783490f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  942.063828] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f68a9a962c0
[  942.063829] RDX: 0000000000000205 RSI: 0000000000602140 RDI: 0000000000000003
[  942.063831] RBP: 00007ffe78349260 R08: 0000000000000003 R09: 0000000000000000
[  942.063832] R10: 000000000000086f R11: 0000000000000246 R12: 0000000000400c20
[  942.063833] R13: 00007ffe78349360 R14: 0000000000000000 R15: 0000000000000000
[  942.063835] Code: 5d c3 ba 00 10 00 00 49 c7 00 00 00 00 00 4c 29 da eb bf 49 89 d0 48 89 f1 48 89 c2 48 89 de 48 c7 c7 c8 3b 32 96 e8 dd b2 bd ff <0f> 0b b8 ea ff ff ff e9 7a ff ff ff 90 66 66 66 66 90 55 48 89
[  942.063869] ---[ end trace 1fae0a3f247cddff ]---
[  942.063882] WARNING: CPU: 0 PID: 1330 at fs/btrfs/extent_io.c:5527 write_extent_buffer+0x130/0x140
[  942.063883] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul crc32_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp floppy pata_acpi mii
[  942.063912] CPU: 0 PID: 1330 Comm: poc Tainted: G        W         4.17.0-rc5+ #5
[  942.063913] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  942.063914] RIP: 0010:write_extent_buffer+0x130/0x140
[  942.063916] RSP: 0018:ffffac0b013679b8 EFLAGS: 00010206
[  942.063917] RAX: 0000000000001000 RBX: 0000000000000000 RCX: 000000000000100c
[  942.063919] RDX: 000000000000100c RSI: 0000000001c10000 RDI: ffff905a32de59d8
[  942.063920] RBP: ffffac0b013679b8 R08: 0000000000000008 R09: ffffac0b013679e8
[  942.063921] R10: 0000000000000001 R11: ffffffff969c8f8d R12: 0000000000000024
[  942.063923] R13: 0000000000000fe8 R14: ffff905a32de59d8 R15: 000000000000100c
[  942.063925] FS:  00007f68a9f84700(0000) GS:ffff905a3fc00000(0000) knlGS:0000000000000000
[  942.063926] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  942.063927] CR2: 00000000014e6158 CR3: 0000000232cee000 CR4: 00000000000006f0
[  942.063931] Call Trace:
[  942.063933]  btrfs_set_token_64+0xf7/0x140
[  942.063936]  btrfs_update_device+0x108/0x1c0
[  942.063938]  btrfs_finish_chunk_alloc+0x114/0x4b0
[  942.063941]  ? btrfs_insert_item+0x80/0xf0
[  942.063944]  btrfs_create_pending_block_groups+0x13f/0x270
[  942.063947]  __btrfs_end_transaction+0x91/0x2d0
[  942.063949]  btrfs_end_transaction+0x10/0x20
[  942.063951]  btrfs_alloc_data_chunk_ondemand+0x104/0x310
[  942.063954]  btrfs_check_data_free_space+0x51/0xa0
[  942.063956]  __btrfs_buffered_write+0x1b2/0x7a0
[  942.063959]  btrfs_file_write_iter+0x202/0x554
[  942.063962]  __vfs_write+0xfc/0x170
[  942.063964]  vfs_write+0xb8/0x1b0
[  942.063967]  ksys_write+0x55/0xc0
[  942.063969]  __x64_sys_write+0x1a/0x20
[  942.063971]  do_syscall_64+0x5a/0x110
[  942.063973]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  942.063975] RIP: 0033:0x7f68a9a962c0
[  942.063976] RSP: 002b:00007ffe783490f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  942.063978] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f68a9a962c0
[  942.063979] RDX: 0000000000000205 RSI: 0000000000602140 RDI: 0000000000000003
[  942.063980] RBP: 00007ffe78349260 R08: 0000000000000003 R09: 0000000000000000
[  942.063981] R10: 000000000000086f R11: 0000000000000246 R12: 0000000000400c20
[  942.063982] R13: 00007ffe78349360 R14: 0000000000000000 R15: 0000000000000000
[  942.063984] Code: 41 8b 01 89 01 89 d0 41 8b 74 01 fc 89 74 01 fc eb 87 89 d0 41 0f b7 74 01 fe 66 89 74 01 fe e9 75 ff ff ff 0f 0b e9 11 ff ff ff <0f> 0b e9 fb fe ff ff 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90
[  942.064023] ---[ end trace 1fae0a3f247cde00 ]---
[  942.064249] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[  942.066223] PGD 8000000232e38067 P4D 8000000232e38067 PUD 232e39067 PMD 0
[  942.068049] Oops: 0000 [#1] SMP PTI
[  942.069008] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul crc32_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp floppy pata_acpi mii
[  942.079621] CPU: 0 PID: 1330 Comm: poc Tainted: G        W         4.17.0-rc5+ #5
[  942.081364] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  942.083228] RIP: 0010:write_extent_buffer+0xaf/0x140
[  942.084432] RSP: 0018:ffffac0b013679b8 EFLAGS: 00010202
[  942.085459] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000c
[  942.090585] RDX: 0000000000001014 RSI: 0000000001c10000 RDI: ffff905a32de59d8
[  942.091988] RBP: ffffac0b013679b8 R08: 0000000000000008 R09: ffffac0b013679e8
[  942.093385] R10: ffff905a32de5a78 R11: 0000000000001000 R12: 0000000000000024
[  942.094811] R13: 0000000000000fe8 R14: ffff905a32de59d8 R15: 000000000000100c
[  942.096213] FS:  00007f68a9f84700(0000) GS:ffff905a3fc00000(0000) knlGS:0000000000000000
[  942.097804] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  942.098951] CR2: 0000000000000020 CR3: 0000000232cee000 CR4: 00000000000006f0
[  942.100351] Call Trace:
[  942.100852]  btrfs_set_token_64+0xf7/0x140
[  942.101672]  btrfs_update_device+0x108/0x1c0
[  942.102532]  btrfs_finish_chunk_alloc+0x114/0x4b0
[  942.103467]  ? btrfs_insert_item+0x80/0xf0
[  942.104286]  btrfs_create_pending_block_groups+0x13f/0x270
[  942.105370]  __btrfs_end_transaction+0x91/0x2d0
[  942.106288]  btrfs_end_transaction+0x10/0x20
[  942.107145]  btrfs_alloc_data_chunk_ondemand+0x104/0x310
[  942.108197]  btrfs_check_data_free_space+0x51/0xa0
[  942.109151]  __btrfs_buffered_write+0x1b2/0x7a0
[  942.110052]  btrfs_file_write_iter+0x202/0x554
[  942.110952]  __vfs_write+0xfc/0x170
[  942.111657]  vfs_write+0xb8/0x1b0
[  942.112327]  ksys_write+0x55/0xc0
[  942.112997]  __x64_sys_write+0x1a/0x20
[  942.113750]  do_syscall_64+0x5a/0x110
[  942.114494]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  942.115498] RIP: 0033:0x7f68a9a962c0
[  942.116211] RSP: 002b:00007ffe783490f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  942.117893] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f68a9a962c0
[  942.119323] RDX: 0000000000000205 RSI: 0000000000602140 RDI: 0000000000000003
[  942.120715] RBP: 00007ffe78349260 R08: 0000000000000003 R09: 0000000000000000
[  942.122106] R10: 000000000000086f R11: 0000000000000246 R12: 0000000000400c20
[  942.123508] R13: 00007ffe78349360 R14: 0000000000000000 R15: 0000000000000000
[  942.124899] Code: c1 83 fa 08 73 40 f6 c2 04 75 76 85 d2 74 0b 41 0f b6 01 f6 c2 02 88 01 75 79 49 01 d1 49 83 c2 08 31 c9 49 29 d0 74 57 49 8b 02 <48> 8b 70 20 48 8d 56 ff 83 e6 01 48 0f 44 d0 48 8b 12 83 e2 08
[  942.128618] RIP: write_extent_buffer+0xaf/0x140 RSP: ffffac0b013679b8
[  942.129878] CR2: 0000000000000020
[  942.130614] ---[ end trace 1fae0a3f247cde01 ]---

- Reason
https://elixir.bootlin.com/linux/v4.17-rc5/source/fs/btrfs/extent_io.c#L5534
void write_extent_buffer(struct extent_buffer *eb, const void *srcv,
			 unsigned long start, unsigned long len)
{
	size_t cur;
	size_t offset;
	struct page *page;
	char *kaddr;
	char *src = (char *)srcv;
	size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
	unsigned long i = (start_offset + start) >> PAGE_SHIFT;

	WARN_ON(start > eb->len);
	WARN_ON(start + len > eb->start + eb->len);

	offset = (start_offset + start) & (PAGE_SIZE - 1);

	while (len > 0) {
		page = eb->pages[i];
		WARN_ON(!PageUptodate(page));

		cur = min(len, PAGE_SIZE - offset);
		kaddr = page_address(page);
		memcpy(kaddr + offset, src, cur);

		src += cur;
		len -= cur;
		offset = 0;
		i++;
	}
}

For this test case (30.img), eb->pages in fact has only 1 element; however, i goes out of bounds (-> 0x1) and eb->pages[1], which is NULL, is assigned to page, leading to the final invalid memory access.

- Credit
Reported by Wen Xu (wen.xu@gatech.edu) and Po-Ning Tseng from SSLab, Gatech.
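Added example (not kernel code and not the reporter's poc.c): a user-space C model of the page-indexing arithmetic in the write_extent_buffer() excerpt above, driven with the values from the warning line in the trace (eb start 29425664, len 4096, an 8-byte write at offset 4108, which is what btrfs_set_token_64 issues) and assuming 4 KiB pages. The struct page / struct extent_buffer definitions, MAX_PAGES and every function name are hypothetical stand-ins. It shows that both WARN_ONs only log, that the second one compares a buffer-relative offset against an absolute disk address and therefore bounds nothing, and that the copy loop then indexes eb->pages[1] of a single-page buffer; a checked variant rejects the write before touching any page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)   /* assumption: 4 KiB pages, as in the trace */
#define MAX_PAGES  4                     /* hypothetical cap for the model */

/* Hypothetical stand-ins for the kernel's struct page / struct extent_buffer. */
struct page {
	unsigned char data[PAGE_SIZE];
};

struct extent_buffer {
	uint64_t start;                /* logical address of the tree block on disk */
	unsigned long len;             /* tree block size (nodesize) in bytes */
	unsigned long num_pages;       /* pages actually backing the buffer */
	struct page *pages[MAX_PAGES]; /* NULL past num_pages, as in the crash */
};

/* Values from the warning in the report: eb start 29425664 len 4096, wanted 4108 8 */
#define REPORT_EB_START 29425664ULL
#define REPORT_EB_LEN   4096UL

/* Same arithmetic as the kernel: which page of eb does byte offset `start` land in? */
unsigned long eb_page_index(uint64_t eb_start, unsigned long start)
{
	size_t start_offset = eb_start & ((uint64_t)PAGE_SIZE - 1);
	return (start_offset + start) >> PAGE_SHIFT;
}

static struct extent_buffer *eb_alloc(uint64_t start, unsigned long len)
{
	struct extent_buffer *eb = calloc(1, sizeof(*eb));
	unsigned long i;

	if (!eb)
		return NULL;
	eb->start = start;
	eb->len = len;
	eb->num_pages = ((start & (PAGE_SIZE - 1)) + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
	for (i = 0; i < eb->num_pages && i < MAX_PAGES; i++)
		eb->pages[i] = calloc(1, sizeof(struct page));
	return eb;
}

static void eb_free(struct extent_buffer *eb)
{
	unsigned long i;

	for (i = 0; eb && i < eb->num_pages && i < MAX_PAGES; i++)
		free(eb->pages[i]);
	free(eb);
}

/*
 * Model of the 4.17 behaviour quoted in the report: both WARN_ONs only log and
 * the copy loop runs regardless.  Returns 0 if every page it touched existed,
 * otherwise the first page index with no page behind it (where the kernel
 * calls page_address() on NULL and oopses).
 */
long write_eb_unchecked(struct extent_buffer *eb, const void *srcv,
			unsigned long start, unsigned long len)
{
	const char *src = srcv;
	unsigned long i = eb_page_index(eb->start, start);
	size_t offset = ((eb->start & (PAGE_SIZE - 1)) + start) & (PAGE_SIZE - 1);

	if (start > eb->len)
		fprintf(stderr, "WARN: start %lu > eb->len %lu\n", start, eb->len);
	/* Buffer-relative offset vs. absolute disk address: never fires for a real eb->start. */
	if (start + len > eb->start + eb->len)
		fprintf(stderr, "WARN: start + len beyond eb->start + eb->len\n");

	while (len > 0) {
		size_t cur = (len < PAGE_SIZE - offset) ? len : PAGE_SIZE - offset;

		if (i >= MAX_PAGES || i >= eb->num_pages || !eb->pages[i])
			return (long)i;
		memcpy(eb->pages[i]->data + offset, src, cur);
		src += cur;
		len -= cur;
		offset = 0;
		i++;
	}
	return 0;
}

/* Hardened variant: reject a write that does not fit in eb before touching any page. */
long write_eb_checked(struct extent_buffer *eb, const void *srcv,
		      unsigned long start, unsigned long len)
{
	if (start > eb->len || len > eb->len - start)
		return -EINVAL;
	return write_eb_unchecked(eb, srcv, start, len);
}

/* Write one 8-byte value at `start` into a buffer shaped like the one in the report. */
long demo_write(unsigned long start, unsigned long len, int hardened)
{
	struct extent_buffer *eb = eb_alloc(REPORT_EB_START, REPORT_EB_LEN);
	uint64_t value = 0x1122334455667788ULL;   /* constructed payload */
	long rc;

	if (!eb)
		return -ENOMEM;
	rc = hardened ? write_eb_checked(eb, &value, start, len)
		      : write_eb_unchecked(eb, &value, start, len);
	eb_free(eb);
	return rc;
}

int main(void)
{
	printf("page index for offset 4108: %lu (buffer has 1 page)\n",
	       eb_page_index(REPORT_EB_START, 4108));
	printf("unchecked write at 4108: %ld   checked: %ld   checked at 4088: %ld\n",
	       demo_write(4108, 8, 0), demo_write(4108, 8, 1), demo_write(4088, 8, 1));
	return 0;
}
```

The unchecked path returns the offending page index instead of dereferencing it, so the model itself does not crash; with the report's values it reports index 1 for a buffer that only owns pages[0], while the checked path returns -EINVAL and an in-bounds write at offset 4088 succeeds on both paths.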

Comment 1 Wen Xu 2018-05-26 03:56:27 UTC
Created attachment 276195
poc.c

Comment 3 David Sterba 2019-05-21 12:30:57 UTC
Fixed in 4.19.