Bug 215299

Summary: UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:btrfs_get_16() when mount a corrupted image
Product: File System
Reporter: Wenqing Liu (wenqingliu0120)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: dsterba, l, wenqingliu0120
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.16-rc4
Subsystem:
Regression: No
Bisected commit-id:
Attachments: poc and .config

Description Wenqing Liu 2021-12-11 04:12:24 UTC
Created attachment 299989 [details]
poc and .config

- Overview
An array-index-out-of-bounds at fs/btrfs/struct-funcs.c:btrfs_get_16() reported by UBSAN when mounting a corrupted image

- Reproduce
tested on kernel 5.16-rc4
$ sudo mount tmp1.img mnt

- Kernel dump
[  350.411942] loop0: detected capacity change from 0 to 262144
[  350.427058] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/loop0 scanned by systemd-udevd (1044)
[  350.428564] BTRFS info (device loop0): disk space caching is enabled
[  350.428568] BTRFS info (device loop0): has skinny extents
[  350.429589] ================================================================================
[  350.429619] UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:161:1
[  350.429636] index 1048096 is out of range for type 'page *[16]'
[  350.429650] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
[  350.429652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  350.429653] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
[  350.429772] Call Trace:
[  350.429774]  <TASK>
[  350.429776]  dump_stack_lvl+0x47/0x5c
[  350.429780]  ubsan_epilogue+0x5/0x50
[  350.429786]  __ubsan_handle_out_of_bounds+0x66/0x70
[  350.429791]  btrfs_get_16+0xfd/0x120 [btrfs]
[  350.429832]  check_leaf+0x754/0x1a40 [btrfs]
[  350.429874]  ? filemap_read+0x34a/0x390
[  350.429878]  ? load_balance+0x175/0xfc0
[  350.429881]  validate_extent_buffer+0x244/0x310 [btrfs]
[  350.429911]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
[  350.429935]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
[  350.429969]  ? newidle_balance+0x259/0x480
[  350.429972]  end_workqueue_fn+0x29/0x40 [btrfs]
[  350.429995]  btrfs_work_helper+0x71/0x330 [btrfs]
[  350.430030]  ? __schedule+0x2fb/0xa40
[  350.430033]  process_one_work+0x1f6/0x400
[  350.430035]  ? process_one_work+0x400/0x400
[  350.430036]  worker_thread+0x2d/0x3d0
[  350.430037]  ? process_one_work+0x400/0x400
[  350.430038]  kthread+0x165/0x190
[  350.430041]  ? set_kthread_struct+0x40/0x40
[  350.430043]  ret_from_fork+0x1f/0x30
[  350.430047]  </TASK>
[  350.430047] ================================================================================
[  350.430077] BTRFS warning (device loop0): bad eb member start: ptr 0xffe20f4e start 20975616 member offset 4293005178 size 2
[  350.430092] general protection fault, probably for non-canonical address 0x8570240000f7a: 0000 [#1] PREEMPT SMP NOPTI
[  350.430114] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
[  350.430129] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  350.430146] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
[  350.430192] RIP: 0010:btrfs_get_16+0x83/0x120 [btrfs]
[  350.430231] Code: 8b 46 70 48 2b 05 2d 34 e6 d8 48 c1 f8 06 48 c1 e0 0c 48 03 05 2e 34 e6 d8 48 89 c3 e8 16 fb ff ff 49 81 fc ff 0f 00 00 74 24 <42> 0f b7 04 23 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 75 4d 48
[  350.430267] RSP: 0018:ffffa02bc0053bf8 EFLAGS: 00010297
[  350.430279] RAX: 0000000000000000 RBX: 0008570240000000 RCX: 0000000000000001
[  350.430294] RDX: 0000000000000000 RSI: ffffffff9932e181 RDI: 00000000ffffffff
[  350.430309] RBP: 00000000000ffe20 R08: 0000000000000000 R09: 0000000000000001
[  350.430323] R10: 0000000000000017 R11: 0000000000000034 R12: 0000000000000f7a
[  350.430353] R13: ffff93235139fa00 R14: ffff932351b9eb00 R15: 00000000ffe20f4e
[  350.430367] FS:  0000000000000000(0000) GS:ffff932535c00000(0000) knlGS:0000000000000000
[  350.430383] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  350.430395] CR2: 00007f5660a73d20 CR3: 000000010089a006 CR4: 0000000000370ef0
[  350.430411] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  350.430426] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  350.430440] Call Trace:
[  350.430445]  <TASK>
[  350.430451]  check_leaf+0x754/0x1a40 [btrfs]
[  350.430497]  ? filemap_read+0x34a/0x390
[  350.430507]  ? load_balance+0x175/0xfc0
[  350.430517]  validate_extent_buffer+0x244/0x310 [btrfs]
[  350.430552]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
[  350.430585]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
[  350.430625]  ? newidle_balance+0x259/0x480
[  350.430636]  end_workqueue_fn+0x29/0x40 [btrfs]
[  350.430667]  btrfs_work_helper+0x71/0x330 [btrfs]
[  350.430708]  ? __schedule+0x2fb/0xa40
[  350.430718]  process_one_work+0x1f6/0x400
[  350.430727]  ? process_one_work+0x400/0x400
[  350.430736]  worker_thread+0x2d/0x3d0
[  350.430745]  ? process_one_work+0x400/0x400
[  350.430754]  kthread+0x165/0x190
[  350.430763]  ? set_kthread_struct+0x40/0x40
[  350.430773]  ret_from_fork+0x1f/0x30
[  350.430782]  </TASK>
[  350.430787] Modules linked in: joydev input_leds serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic usbhid hid aesni_intel crypto_simd psmouse cryptd
[  350.431775] ---[ end trace e9e1c34113eb7f2f ]---
[  350.432216] RIP: 0010:btrfs_get_16+0x83/0x120 [btrfs]
[  350.432696] Code: 8b 46 70 48 2b 05 2d 34 e6 d8 48 c1 f8 06 48 c1 e0 0c 48 03 05 2e 34 e6 d8 48 89 c3 e8 16 fb ff ff 49 81 fc ff 0f 00 00 74 24 <42> 0f b7 04 23 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 75 4d 48
[  350.433583] RSP: 0018:ffffa02bc0053bf8 EFLAGS: 00010297
[  350.434064] RAX: 0000000000000000 RBX: 0008570240000000 RCX: 0000000000000001
[  350.434520] RDX: 0000000000000000 RSI: ffffffff9932e181 RDI: 00000000ffffffff
[  350.434967] RBP: 00000000000ffe20 R08: 0000000000000000 R09: 0000000000000001
[  350.435417] R10: 0000000000000017 R11: 0000000000000034 R12: 0000000000000f7a
[  350.435849] R13: ffff93235139fa00 R14: ffff932351b9eb00 R15: 00000000ffe20f4e
[  350.436280] FS:  0000000000000000(0000) GS:ffff932535c00000(0000) knlGS:0000000000000000
[  350.436709] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  350.437123] CR2: 00007f5660a73d20 CR3: 000000010089a006 CR4: 0000000000370ef0
[  350.437545] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  350.437946] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
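The dump shows the pattern behind the crash: the "bad eb member start" warning reports member offset 4293005178 (page index 1048096, offset 0xf7a into a 16-entry page array), and the read still proceeds into the general protection fault on the next line. The following user-space model, added here and not code from the kernel or from this report, shows a 16-bit accessor that refuses such a read instead of only warning about it; the extent-buffer struct, the page layout and the sample buffer contents are constructed assumptions, not btrfs's own types or data.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define MAX_PAGES  16   /* size of the 'page *[16]' array named in the UBSAN line */

/* Constructed stand-in for an extent buffer (not the kernel's struct): len bytes over pages[]. */
struct eb {
    unsigned long start, len;
    unsigned char *pages[MAX_PAGES];
};

unsigned long page_index(unsigned long off) { return off >> PAGE_SHIFT; }
unsigned long offset_in_page(unsigned long off) { return off & (PAGE_SIZE - 1); }

/* Bounds check written so that off + size cannot wrap on a corrupted offset. */
static int member_in_bounds(const struct eb *eb, unsigned long off, unsigned int size)
{
    if (off < eb->len && size <= eb->len - off)
        return 1;
    fprintf(stderr, "bad eb member start: start %lu member offset %lu size %u\n", eb->start, off, size);
    return 0;
}

/* Little-endian u16 read at 'off'; returns -1 instead of indexing pages[] when out of range. */
int eb_get_16(const struct eb *eb, unsigned long off)
{
    if (!member_in_bounds(eb, off, 2))
        return -1;
    unsigned long idx = page_index(off), oip = offset_in_page(off);
    unsigned char lo = eb->pages[idx][oip];
    /* the second byte sits on the next page when the member straddles a page boundary */
    unsigned char hi = (oip + 1 < PAGE_SIZE) ? eb->pages[idx][oip + 1] : eb->pages[idx + 1][0];
    return lo | (hi << 8);
}

static unsigned char sample_pages[4][PAGE_SIZE]; static struct eb sample;

/* Constructed 16 KiB (four-page) buffer with two known u16 values planted in it. */
struct eb *sample_eb(void)
{
    memset(sample_pages, 0, sizeof sample_pages);
    sample.start = 20975616;   /* the eb start quoted in the warning above */
    sample.len = 4 * PAGE_SIZE;
    for (int i = 0; i < 4; i++)
        sample.pages[i] = sample_pages[i];
    sample_pages[0][100] = 0x34;  sample_pages[0][101] = 0x12;  /* 0x1234 at offset 100 */
    sample_pages[0][4095] = 0xcd; sample_pages[1][0] = 0xab;    /* 0xabcd straddling pages 0/1 */
    return &sample;
}
```

Calling eb_get_16(sample_eb(), 4293005178UL) prints the warning and returns -1 without touching pages[1048096], whereas the in-range reads at 100 and 4095 return the planted values.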
Comment 1 David Sterba 2022-01-24 15:44:56 UTC
Thanks for the report. Fixed by https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/#t .
Comment 2 Wenqing Liu 2022-02-18 06:47:40 UTC
(In reply to David Sterba from comment #1)
> Thanks for the report. Fixed by
> https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/
> #t .

Hi David,
 
Thank you for your reply.
I have noticed that the fix is not for earlier versions, and when I test it for earlier versions I got a general protection fault. I am wondering if I can request a CVE for the bug with the current fix in this case?

Thanks,
Wenqing
Comment 3 Su Yue 2022-02-18 15:28:23 UTC
(In reply to Wenqing Liu from comment #2)
> (In reply to David Sterba from comment #1)
> > Thanks for the report. Fixed by
> >
> https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/
> > #t .
> 
> Hi David,
>  
> Thank you for your reply.
> I have noticed that the fix is not for earlier versions and when I test it
> for earlier versions I got some general protection fault. Wondering if I can
> request a CVE for the bug with the current fix in this case?
> 
> Thanks,
> Wenqing

This is my fault. The bug is still unfixed. The link posted above is the fix for another bug also reported by you: https://bugzilla.kernel.org/show_bug.cgi?id=215289.