Bug 202769

Summary: out-of-bound access in __btrfs_cow_block while mounting and operating a crafted btrfs image
Product: File System
Reporter: Jungyeon (jungyeon)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: dsterba
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.0-rc8
Subsystem:
Regression: No
Bisected commit-id:
Attachments:
- The (compressed) crafted image which causes crash
- 22.c
- Minimized test code

Description Jungyeon 2019-03-04 21:19:55 UTC
Created attachment 281507 [details]
The (compressed) crafted image which causes crash

- Overview
After mounting the crafted image, I got this NULL pointer dereference while running the attached program.

- Produces
mkdir test
mount -t btrfs 22.img test
gcc 22.c
cp a.out test
cd test
./a.out
(and just wait a few seconds to get errors)

- Kernel messages
[   81.231074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[   81.233956] #PF error: [normal kernel read fault]
[   81.235685] PGD 80000002355cd067 P4D 80000002355cd067 PUD 2355cc067 PMD 0 
[   81.237940] Oops: 0000 [#1] SMP PTI
[   81.238835] CPU: 0 PID: 1134 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
[   81.240607] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   81.242862] RIP: 0010:__btrfs_cow_block+0x21f/0x580
[   81.244095] Code: 89 e2 48 89 de 4c 89 ef e8 be fa ff ff 85 c0 0f 85 61 02 00 00 48 8b 43 20 a8 02 0f 85 23 01 00 00 4c 3b 23 0f 84 a8 01 00 00 <49> 8b 86 98 00 00 00 48 2b 05 9b f2 1d 01 48 8b 15 a4 f2 1d 01 48
[   81.248776] RSP: 0018:ffffaaa4c122f9e8 EFLAGS: 00010202
[   81.250117] RAX: 0000000000000104 RBX: ffff8d2f6b7eb800 RCX: ffff8d2f70724a00
[   81.251909] RDX: ffff8d2d40000000 RSI: ffff8d2f6b347118 RDI: ffff8d2f75700000
[   81.253712] RBP: ffffaaa4c122fa60 R08: ffffaaa4c122fa18 R09: ffff8d2f6b322920
[   81.255508] R10: ffffaaa4c122f9e8 R11: ffff8d2f70724a00 R12: ffff8d2f6b347118
[   81.257303] R13: ffff8d2f6ae2b4e0 R14: 0000000000000000 R15: ffff8d2f6b347690
[   81.259111] FS:  0000000000000000(0000) GS:ffff8d2f77a00000(0000) knlGS:0000000000000000
[   81.261141] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   81.265238] CR2: 0000000000000098 CR3: 000000022e380002 CR4: 00000000000206f0
[   81.268691] Call Trace:
[   81.269927]  btrfs_cow_block+0xf8/0x1f0
[   81.271773]  btrfs_search_slot+0x447/0x920
[   81.273752]  btrfs_del_csums+0xc3/0x3a0
[   81.275594]  __btrfs_free_extent.isra.72+0x5a7/0xbe0
[   81.277941]  __btrfs_run_delayed_refs+0x539/0x1120
[   81.280044]  btrfs_run_delayed_refs+0xdb/0x1b0
[   81.281924]  btrfs_commit_transaction+0x52/0x950
[   81.283445]  ? start_transaction+0x94/0x450
[   81.284826]  transaction_kthread+0x163/0x190
[   81.286246]  kthread+0x105/0x140
[   81.287316]  ? btrfs_cleanup_transaction+0x560/0x560
[   81.288944]  ? kthread_destroy_worker+0x50/0x50
[   81.290233]  ret_from_fork+0x35/0x40
[   81.291397] Modules linked in:
[   81.292407] CR2: 0000000000000098
[   81.293505] ---[ end trace c9ebaababb72398a ]---
[   81.295035] RIP: 0010:__btrfs_cow_block+0x21f/0x580
[   81.296631] Code: 89 e2 48 89 de 4c 89 ef e8 be fa ff ff 85 c0 0f 85 61 02 00 00 48 8b 43 20 a8 02 0f 85 23 01 00 00 4c 3b 23 0f 84 a8 01 00 00 <49> 8b 86 98 00 00 00 48 2b 05 9b f2 1d 01 48 8b 15 a4 f2 1d 01 48
[   81.302344] RSP: 0018:ffffaaa4c122f9e8 EFLAGS: 00010202
[   81.304052] RAX: 0000000000000104 RBX: ffff8d2f6b7eb800 RCX: ffff8d2f70724a00
[   81.306391] RDX: ffff8d2d40000000 RSI: ffff8d2f6b347118 RDI: ffff8d2f75700000
[   81.308527] RBP: ffffaaa4c122fa60 R08: ffffaaa4c122fa18 R09: ffff8d2f6b322920
[   81.310849] R10: ffffaaa4c122f9e8 R11: ffff8d2f70724a00 R12: ffff8d2f6b347118
[   81.313156] R13: ffff8d2f6ae2b4e0 R14: 0000000000000000 R15: ffff8d2f6b347690
[   81.315390] FS:  0000000000000000(0000) GS:ffff8d2f77a00000(0000) knlGS:0000000000000000
[   81.317914] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   81.319781] CR2: 0000000000000098 CR3: 000000022e380002 CR4: 00000000000206f0
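The oops above carries everything needed to triage it without the image: CR2 is 0x98, the faulting bytes after the `<` marker decode to a load through a base register plus a 0x98 displacement, and that base register (R14) is zero, so this is a NULL struct pointer whose field at offset 0x98 is being read, not a wild pointer. The script below is an added example, not code from the report or from the btrfs project; it parses the register dump and call trace from a constructed sample built from the lines of this report, decodes the one instruction form that appears here (REX-prefixed `mov r64, [base+disp32]`), and checks whether base register plus displacement equals CR2. The decoder and the 0x1000 "near NULL" threshold are assumptions for illustration, not kernel conventions.

```python
import re

# Constructed sample: a subset of the oops lines from this report, verbatim.
SAMPLE_OOPS = """\
[   81.231074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[   81.240607] RIP: 0010:__btrfs_cow_block+0x21f/0x580
[   81.244095] Code: 89 e2 48 89 de 4c 89 ef e8 be fa ff ff 85 c0 0f 85 61 02 00 00 48 8b 43 20 a8 02 0f 85 23 01 00 00 4c 3b 23 0f 84 a8 01 00 00 <49> 8b 86 98 00 00 00 48 2b 05 9b f2 1d 01 48 8b 15 a4 f2 1d 01 48
[   81.250117] RAX: 0000000000000104 RBX: ffff8d2f6b7eb800 RCX: ffff8d2f70724a00
[   81.251909] RDX: ffff8d2d40000000 RSI: ffff8d2f6b347118 RDI: ffff8d2f75700000
[   81.255508] R10: ffffaaa4c122f9e8 R11: ffff8d2f70724a00 R12: ffff8d2f6b347118
[   81.257303] R13: ffff8d2f6ae2b4e0 R14: 0000000000000000 R15: ffff8d2f6b347690
[   81.265238] CR2: 0000000000000098 CR3: 000000022e380002 CR4: 00000000000206f0
[   81.268691] Call Trace:
[   81.269927]  btrfs_cow_block+0xf8/0x1f0
[   81.271773]  btrfs_search_slot+0x447/0x920
[   81.273752]  btrfs_del_csums+0xc3/0x3a0
[   81.283445]  ? start_transaction+0x94/0x450
[   81.291397] Modules linked in:
"""

# x86-64 register numbering as used by ModRM/REX encoding.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{i}" for i in range(8, 16)]


def strip_ts(line):
    """Drop the printk timestamp prefix '[   81.231074] '."""
    return re.sub(r"^\[\s*\d+\.\d+\]\s?", "", line)


def parse_oops(text):
    """Extract RIP symbol, Code: bytes, 64-bit registers and the call trace."""
    info = {"regs": {}, "trace": [], "code": [], "fault_index": None}
    in_trace = False
    for raw in text.splitlines():
        line = strip_ts(raw).rstrip()
        m = re.match(r"RIP: \w+:(\S+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", line)
        if m:
            info["rip_symbol"], info["rip_offset"] = m.group(1), int(m.group(2), 16)
            continue
        if line.startswith("Code: "):
            for i, tok in enumerate(line[6:].split()):
                if tok.startswith("<"):          # '<49>' marks the faulting instruction
                    info["fault_index"] = i
                tok = tok.strip("<>")
                if re.fullmatch(r"[0-9a-f]{2}", tok):
                    info["code"].append(int(tok, 16))
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        if in_trace:
            m = re.match(r"\s*(\?\s*)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)
            if m:
                info["trace"].append(m.group(2))  # '? ' entries are unreliable but kept
                continue
            in_trace = False
        for name, val in re.findall(r"\b(R[A-Z0-9]{2}|CR\d):\s*([0-9a-f]{16})\b", line):
            name = name.lower()
            if re.fullmatch(r"r0\d", name):      # R08 -> r8 to match REG64 naming
                name = "r" + name[2]
            info["regs"][name] = int(val, 16)
    return info


def decode_fault_insn(code, fault_index):
    """Decode only 'mov r64, [base+disp32]' (REX, 0x8b, ModRM mod=10, no SIB).
    Any other instruction form returns None; this is an illustrative subset."""
    b = code[fault_index:]
    if len(b) < 7 or (b[0] & 0xF0) != 0x40 or b[1] != 0x8B:
        return None
    rex, modrm = b[0], b[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 2 or rm == 4:
        return None
    dst = REG64[reg | ((rex & 4) << 1)]   # REX.R extends the reg field
    base = REG64[rm | ((rex & 1) << 3)]   # REX.B extends the rm field
    disp = int.from_bytes(bytes(b[3:7]), "little", signed=True)
    return dst, base, disp


def triage(text):
    """Relate CR2 to the faulting instruction: is this NULL plus a field offset?"""
    info = parse_oops(text)
    cr2 = info["regs"].get("cr2")
    result = {"symbol": info.get("rip_symbol"), "cr2": cr2, "trace": info["trace"],
              "near_null": cr2 is not None and cr2 < 0x1000, "insn": None,
              "base": None, "base_value": None, "explained": False}
    decoded = decode_fault_insn(info["code"], info["fault_index"]) if info["fault_index"] is not None else None
    if decoded:
        dst, base, disp = decoded
        result["insn"] = f"mov {dst}, [{base}+0x{disp:x}]"
        result["base"], result["base_value"] = base, info["regs"].get(base)
        if result["base_value"] is not None:
            result["explained"] = ((result["base_value"] + disp) & 0xFFFFFFFFFFFFFFFF) == cr2
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_OOPS).items():
        print(f"{k}: {v}")
```

On this report the script reports `mov rax, [r14+0x98]` with R14 equal to zero, which matches CR2 exactly; that, together with the trace rooted in `btrfs_search_slot` during a transaction commit, is the information a maintainer needs before ever touching the crafted image.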
Comment 1 Jungyeon 2019-03-04 21:20:12 UTC
Created attachment 281509 [details]
22.c
Comment 2 Jungyeon 2019-03-07 04:04:54 UTC
Created attachment 281559 [details]
Minimized test code

Attaching a minimized version of the program with the same result. (Please use this.)
Comment 3 David Sterba 2019-05-21 12:19:07 UTC
Thanks for the report. Fixed by 448de471cd4cab0ced "btrfs: Check the first key and level for cached extent buffer", now in 5.2-rc.