Bug 210181
| Field | Value |
|---|---|
| Summary | KASAN: stack-out-of-bounds in check_root_item() |
| Product | File System |
| Reporter | Daniel Xu (dxu) |
| Component | btrfs |
| Assignee | BTRFS virtual assignee (fs_btrfs) |
| Status | NEW |
| Severity | normal |
| Priority | P1 |
| Hardware | All |
| OS | Linux |
| Kernel Version | 5.10-rc3 |
| Subsystem | |
| Regression | No |
| Bisected commit-id | |
| Attachments | fuzzed image |
Created attachment 293655 [details] fuzzed image

Found a KASAN crash while fuzzing images:

```
[ 7.323015] BTRFS critical (device loop0): corrupt leaf: root=1 block=30556160 slot=3, invalid root item size, have 473 expect 439 or 239
[ 7.330454] ==================================================================
[ 7.332382] BUG: KASAN: stack-out-of-bounds in read_extent_buffer+0x163/0x260
[ 7.334804] Write of size 473 at addr ffff88800953f5b8 by task kworker/u2:1/84
[ 7.337118]
[ 7.339136]
[ 7.339473] The buggy address belongs to the page:
[ 7.340464]
[ 7.340764] addr ffff88800953f5b8 is located in stack of task kworker/u2:1/84 at offset 32 in frame:
[ 7.343086]  check_root_item+0x0/0x480
[ 7.343842]
[ 7.344178] this frame has 1 object:
[ 7.344909]  [32, 471) 'ri'
[ 7.344916]
[ 7.345794] Memory state around the buggy address:
[ 7.346776]  ffff88800953f600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7.348300]  ffff88800953f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7.349577] >ffff88800953f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 07 f3 f3
[ 7.350774]                                                           ^
[ 7.353095]  ffff88800953f780: f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
[ 7.354173]  ffff88800953f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7.355203] ==================================================================
[ 7.357470] BTRFS critical (device loop0): corrupt leaf: root=1 block=30556160 slot=4, bad key order, prev (2063597573 132 8192) current (6 1 0)
[ 7.359746] BTRFS error (device loop0): block=30556160 read time tree block corruption detected
[ 7.361979] BTRFS error (device loop0): bad tree block start, want 30523392 have 476771903232
[ 7.364429] BTRFS critical (device loop0): corrupt leaf: root=18446744073709551607 block=30490624 slot=0 ino=256, unknown mode bit detected: 0x140000
[ 7.366908] BTRFS error (device loop0): block=30490624 read time tree block corruption detected
[ 7.368885] BTRFS error (device loop0): dev extent physical offset 13631488 on devid 1 doesn't have corresponding chunk
[ 7.370457] BTRFS error (device loop0): failed to verify dev extents against chunks: -117
[ 7.373526] BTRFS error (device loop0): open_ctree failed
```

Attached is a zstd compressed fuzzed image.
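The KASAN frame above shows a 473-byte write into the 439-byte stack object `ri`, on a leaf whose root item the tree-checker had already flagged as having a bad size. The following is an added illustration of the defensive pattern that report implies, not the kernel's own code: `struct leaf_item`, `root_item_copy_len`, `check_root_item_safe` and `accept_item_of_size` are assumed names, and the only values taken from the page are the item sizes 439, 239 and 473.

```c
/* Added illustration, not the kernel's code: models the pattern behind this
 * report. The tree-checker reads a root item off the leaf into a fixed-size
 * stack object; the on-disk item size is untrusted and must be checked against
 * the sizes the object can hold (439 current, 239 legacy) before any copy. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ROOT_ITEM_SIZE        439  /* "expect 439": current root item layout */
#define ROOT_ITEM_LEGACY_SIZE 239  /* "or 239": legacy root item layout */

/* Constructed stand-in for a leaf item; names are assumptions, not btrfs API. */
struct leaf_item {
    const uint8_t *data;
    uint32_t size;   /* comes from the image, so fuzzer controlled */
};

/* Bytes a checker may copy into a ROOT_ITEM_SIZE stack object, or -1 when
 * the item is corrupt. This is the decision the message "invalid root item
 * size, have N expect 439 or 239" reports, taken before the copy happens. */
int root_item_copy_len(const struct leaf_item *it)
{
    if (it->size != ROOT_ITEM_SIZE && it->size != ROOT_ITEM_LEGACY_SIZE)
        return -1;
    return (int)it->size;
}

/* Validate first, then copy at most sizeof(ri). 'ri' models the 439-byte
 * stack object named in the KASAN frame; the copy can never overrun it. */
bool check_root_item_safe(const struct leaf_item *it)
{
    uint8_t ri[ROOT_ITEM_SIZE];
    int len = root_item_copy_len(it);
    if (len < 0)
        return false;   /* reject the leaf instead of copying item->size bytes */
    memset(ri, 0, sizeof(ri));
    memcpy(ri, it->data, (size_t)len);
    return true;
}

/* Runs a constructed zero-filled item of the given size through the checker. */
bool accept_item_of_size(uint32_t size)
{
    static const uint8_t blob[512] = {0};  /* constructed sample payload */
    struct leaf_item it = { blob, size };
    return size <= sizeof(blob) && check_root_item_safe(&it);
}
```

With the report's 473-byte item, `accept_item_of_size(473)` returns false before any byte is copied; the 439- and 239-byte layouts are accepted.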