Bug 12371 - oops in ext4_get_group_desc
Summary: oops in ext4_get_group_desc
Status: CLOSED PATCH_ALREADY_AVAILABLE
Alias: None
Product: File System
Classification: Unclassified
Component: ext4 (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-06 03:24 UTC by David Maciejak
Modified: 2009-01-15 18:08 UTC (History)
1 user (show)

See Also:
Kernel Version: 2.6.28
Subsystem:
Regression: ---
Bisected commit-id:


Attachments
kern.org extract (4.21 KB, text/x-log)
2009-01-06 03:25 UTC, David Maciejak
Details

Description David Maciejak 2009-01-06 03:24:31 UTC
Latest working kernel version: none
Earliest failing kernel version: unknow
Distribution: ubuntu
Hardware Environment: dell optiplex 740
Software Environment:
Problem Description:
kernel oops and mount fives me a seg fault when I tried to mount a specially crafted ext4 image (enclosed)
Steps to reproduce:
*gunzip the image file provided
*mount it with the command below 
mount -t ext4  -o loop ext4.72.img /media/tmp

I got this in the kern.log:

Jan  6 12:19:40 koma-lab kernel: [  715.256099] BUG: unable to handle kernel NULL pointer dereference at 00000010
Jan  6 12:19:40 koma-lab kernel: [  715.256112] IP: [<c023e8b5>] ext4_get_group_desc+0x45/0xd0
Jan  6 12:19:40 koma-lab kernel: [  715.256128] *pde = 00000000 
Jan  6 12:19:40 koma-lab kernel: [  715.256136] Oops: 0000 [#2] SMP 
Jan  6 12:19:40 koma-lab kernel: [  715.256142] last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed
Jan  6 12:19:40 koma-lab kernel: [  715.256150] Modules linked in: loop af_packet isofs udf crc_itu_t binfmt_misc ipv6 powernow_k8 cpufreq_userspace cpufreq_stats cpufreq_ondemand freq_table cpufreq_powersave cpufreq_conservative wmi video output container sbs sbshc ac pci_slot battery hid_dell hid_pl hid_cypress hid_gyration hid_bright hid_sony hid_samsung hid_microsoft hid_monterey hid_ezkey hid_apple hid_a4tech hid_logitech usbhid hid_cherry hid_sunplus hid_petalynx hid_belkin hid_chicony hid fuse sg sr_mod cdrom ohci_hcd ehci_hcd tg3 serio_raw k8temp libphy i2c_nforce2 usbcore i2c_core shpchp pci_hotplug button dcdbas sd_mod crc_t10dif ata_generic sata_nv pata_acpi libata evdev thermal processor fan fbcon tileblit font bitblit softcursor
Jan  6 12:19:40 koma-lab kernel: [  715.256242] 
Jan  6 12:19:40 koma-lab kernel: [  715.256248] Pid: 4382, comm: mount Tainted: G      D    (2.6.28 #1) OptiPlex 740
Jan  6 12:19:40 koma-lab kernel: [  715.256254] EIP: 0060:[<c023e8b5>] EFLAGS: 00210256 CPU: 0
Jan  6 12:19:40 koma-lab kernel: [  715.256260] EIP is at ext4_get_group_desc+0x45/0xd0
Jan  6 12:19:40 koma-lab kernel: [  715.256265] EAX: 00000010 EBX: ec658000 ECX: 00000006 EDX: 00000040
Jan  6 12:19:40 koma-lab kernel: [  715.256270] ESI: 00000000 EDI: 00000000 EBP: ec619d70 ESP: ec619d40
Jan  6 12:19:40 koma-lab kernel: [  715.256275]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Jan  6 12:19:40 koma-lab kernel: [  715.256280] Process mount (pid: 4382, ti=ec618000 task=ec64cb60 task.ti=ec618000)
Jan  6 12:19:40 koma-lab kernel: [  715.256284] Stack:
Jan  6 12:19:40 koma-lab kernel: [  715.256287]  00000001 ec430200 0000011b ec430f80 c0552de0 00000040 00000000 f4fcf400
Jan  6 12:19:40 koma-lab kernel: [  715.256298]  00000000 ec658000 00000000 ec658000 ec619e9c c02505c6 c0496a40 ec658064
Jan  6 12:19:40 koma-lab kernel: [  715.256311]  00000000 00000000 ec619dd0 00040403 00000000 ffffffff 000007ff ec45a005
Jan  6 12:19:40 koma-lab kernel: [  715.256323] Call Trace:
Jan  6 12:19:40 koma-lab kernel: [  715.256328]  [<c02505c6>] ? ext4_fill_super+0xf66/0x2400
Jan  6 12:19:40 koma-lab kernel: [  715.256340]  [<c03490c0>] ? exact_match+0x0/0x10
Jan  6 12:19:40 koma-lab kernel: [  715.256350]  [<c047db1b>] ? mutex_lock+0xb/0x20
Jan  6 12:19:40 koma-lab kernel: [  715.256358]  [<c035765d>] ? snprintf+0x1d/0x20
Jan  6 12:19:40 koma-lab kernel: [  715.256365]  [<c01ef549>] ? disk_name+0x39/0xc0
Jan  6 12:19:40 koma-lab kernel: [  715.256372]  [<c01aef02>] ? get_sb_bdev+0x112/0x140
Jan  6 12:19:40 koma-lab kernel: [  715.256382]  [<c018d145>] ? kstrdup+0x35/0x60
Jan  6 12:19:40 koma-lab kernel: [  715.256389]  [<c024c771>] ? ext4_get_sb+0x21/0x30
Jan  6 12:19:40 koma-lab kernel: [  715.256396]  [<c024f660>] ? ext4_fill_super+0x0/0x2400
Jan  6 12:19:40 koma-lab kernel: [  715.256403]  [<c01ae3c8>] ? vfs_kern_mount+0x58/0x120
Jan  6 12:19:40 koma-lab kernel: [  715.256411]  [<c01ae4e9>] ? do_kern_mount+0x39/0xd0
Jan  6 12:19:40 koma-lab kernel: [  715.256418]  [<c01c291e>] ? do_mount+0x55e/0x6e0
Jan  6 12:19:40 koma-lab kernel: [  715.256427]  [<c0186015>] ? __get_free_pages+0x25/0x30
Jan  6 12:19:40 koma-lab kernel: [  715.256436]  [<c01c0485>] ? copy_mount_options+0x35/0x140
Jan  6 12:19:40 koma-lab kernel: [  715.256443]  [<c01c2b0f>] ? sys_mount+0x6f/0xb0
Jan  6 12:19:40 koma-lab kernel: [  715.256449]  [<c0103e0b>] ? sysenter_do_call+0x12/0x2f
Jan  6 12:19:40 koma-lab kernel: [  715.256457] Code: 01 00 00 8b 47 1c 39 d0 76 4e 0f ae e8 66 90 8b 55 ec 89 f0 8b 9a a0 01 00 00 8b 4b 58 d3 e8 89 45 f0 8b 47 38 8b 7d f0 8b 53 18 <8b> 0c b8 83 ea 01 21 f2 85 c9 74 48 89 d0 0f af 03 8b 5d e8 03 
Jan  6 12:19:40 koma-lab kernel: [  715.256518] EIP: [<c023e8b5>] ext4_get_group_desc+0x45/0xd0 SS:ESP 0068:ec619d40
Jan  6 12:19:40 koma-lab kernel: [  715.256528] ---[ end trace b76702c8f157530e ]---
Comment 1 David Maciejak 2009-01-06 03:25:30 UTC
Created attachment 19674 [details]
kern.org extract
Comment 2 David Maciejak 2009-01-06 03:29:12 UTC
PoC file too big to be uploaded, can be find here:
http://rapidshare.com/files/180329757/ext4.72.img.gz.html

Regards,

David Maciejak
Fortinet's FortiGuard Global Security Research Team
Comment 3 Theodore Tso 2009-01-06 11:05:15 UTC
Thanks for reporting this.  A patch is already in the ext4 patch queue which prevents this problem, and it will be pushed to Linus shortly:

ext4: Add sanity checks for the superblock before mounting the filesystem

With this patch applied, the mount will be refused and the kernel messages will show:

EXT4-fs: groups count too large: 0 (block count 56857945295556608, first data block 55808, blocks per group 16384)
Comment 4 David Maciejak 2009-01-07 02:35:10 UTC
thanks for the info, the patch also works for me
Comment 5 Theodore Tso 2009-01-15 18:08:16 UTC
Closed, merged into mainine.

Note You need to log in before you can comment on or make changes to this bug.