Bug 153641 - heap-use-after-free in btrfsck v4.7-42-g56e9586
Summary: heap-use-after-free in btrfsck v4.7-42-g56e9586
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: Josef Bacik
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-23 19:54 UTC by Lukas Lueg
Modified: 2016-08-30 14:50 UTC
CC List: 3 users

See Also:
Kernel Version: 4.6.6-300.fc24.x86_64
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Image triggering btrfsck into asan error (17.80 KB, application/gzip), 2016-08-23 19:54 UTC, Lukas Lueg
full asan error log (5.50 KB, text/x-log), 2016-08-23 19:55 UTC, Lukas Lueg

Description Lukas Lueg 2016-08-23 19:54:45 UTC
Created attachment 229941
Image triggering btrfsck into asan error

The filesystem-image attached to this bug drives btrfsck from btrfs-progs v4.7-42-g56e9586 into a heap-use-after-free. The src was from kdave's mirror, devel branch. CFLAGS='-DNDEBUG -O1 -g -fsanitize=address -fno-omit-frame-pointer -fno-optimize-sibling-calls'


The juicy parts:
==32639==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000019170 at pc 0x0000005c046e bp 0x7fff631e48d0 sp 0x7fff631e48c8
READ of size 4 at 0x621000019170 thread T0
    #0 0x5c046d in free_extent_buffer /home/lukas/dev/btrfsprogs_fuzz/src/extent_io.c:579:10
    #1 0x59356c in btrfs_release_all_roots /home/lukas/dev/btrfsprogs_fuzz/src/disk-io.c:1084:3
    #2 0x5949a7 in __open_ctree_fd /home/lukas/dev/btrfsprogs_fuzz/src/disk-io.c:1325:2
    #3 0x594325 in open_ctree_fs_info /home/lukas/dev/btrfsprogs_fuzz/src/disk-io.c:1363:9
    #4 0x51e717 in cmd_check /home/lukas/dev/btrfsprogs_fuzz/src/cmds-check.c:11320:9
    #5 0x4f0f81 in main /home/lukas/dev/btrfsprogs_fuzz/src/btrfs.c:243:8
    #6 0x7f5ce75ee730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #7 0x4213f8 in _start (/home/lukas/dev/btrfsfuzz/bin/bin/btrfs+0x4213f8)


Note that the bug happens within core itself. The kernel may be vulnerable as well, I didn't check, though.
Comment 1 Lukas Lueg 2016-08-23 19:55:40 UTC
Created attachment 229951
full asan error log
Comment 2 John Brooks 2016-08-26 19:03:56 UTC
I can reproduce this on the v4.7-rc1 tag (696ee3c4cc7a02aa5fd2d6e28fee6f187843198e)
Comment 3 Qu Wenruo 2016-08-30 03:39:28 UTC
Btrfsck fixed:
https://patchwork.kernel.org/patch/9304777/
Comment 4 Qu Wenruo 2016-08-30 03:53:07 UTC
The cause is a corrupted tree block ptr whose bytenr is aligned neither to sectorsize (4K) nor to nodesize.

And the corrupted bytenr is contained by a valid tree block (the chunk tree root).

In that case, when btrfs is trying to read out the tree block pointed to by the corrupted bytenr,
it will find the chunk tree root block, while its bytenr/size doesn't fit the desired bytenr.
It got freed, and then a new extent buffer was allocated to replace it.

So it caused the use-after-free.

Although I should fix the above "free the existing eb and allocate a new one" behavior, it's needed for the corrupted-block tool.
So I chose to do an extra tree block bytenr check here.

Thanks,
Qu
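An added illustration of the mechanism described in the comment above, written for this page and not taken from btrfs-progs or from the linked patch: a toy extent-buffer cache that releases a covering buffer whose start does not match the requested bytenr, exercised once without and once with a sectorsize alignment check on the tree block pointer. The struct layout, the function names, the tombstone handling of freed slots and the 0x400000 / +123 addresses are all constructed for illustration; the real btrfs-progs data structures and the exact check in the patch differ, and this toy only checks sectorsize alignment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t u64;
typedef uint32_t u32;

#define CACHE_SLOTS 4

/* Toy extent buffer (assumed layout, not the btrfs-progs struct). `freed`
 * stands in for free(): a caller still holding a freed buffer is the
 * condition the ASan report above describes. */
struct extent_buffer {
    u64 start;
    u32 len;
    int in_use;
    int freed;
};

struct eb_cache {
    u32 sectorsize;
    u32 nodesize;
    struct extent_buffer slot[CACHE_SLOTS];
};

/* Return the cached buffer whose byte range covers bytenr, if any. */
static struct extent_buffer *find_covering_eb(struct eb_cache *c, u64 bytenr)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        struct extent_buffer *eb = &c->slot[i];
        if (eb->in_use && bytenr >= eb->start && bytenr < eb->start + eb->len)
            return eb;
    }
    return NULL;
}

/* Freed slots are kept as tombstones so a dangling pointer stays observable. */
static struct extent_buffer *alloc_eb(struct eb_cache *c, u64 bytenr, u32 len)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        struct extent_buffer *eb = &c->slot[i];
        if (!eb->in_use && !eb->freed) {
            eb->start = bytenr;
            eb->len = len;
            eb->in_use = 1;
            return eb;
        }
    }
    return NULL;
}

/* The behaviour described in the comment: a covering buffer whose start does
 * not match the requested bytenr is released and replaced, leaving anyone who
 * still holds the old buffer with a dangling reference. */
struct extent_buffer *read_tree_block_unchecked(struct eb_cache *c, u64 bytenr)
{
    struct extent_buffer *eb = find_covering_eb(c, bytenr);
    if (eb && eb->start == bytenr)
        return eb;
    if (eb) {
        eb->freed = 1;
        eb->in_use = 0;
    }
    return alloc_eb(c, bytenr, c->nodesize);
}

/* Tree blocks start on sector boundaries; an unaligned bytenr can only come
 * from a corrupted pointer, so reject it before it reaches the cache. */
int tree_block_bytenr_aligned(u64 bytenr, u32 sectorsize)
{
    return sectorsize != 0 && bytenr % sectorsize == 0;
}

struct extent_buffer *read_tree_block_checked(struct eb_cache *c, u64 bytenr)
{
    if (!tree_block_bytenr_aligned(bytenr, c->sectorsize)) {
        fprintf(stderr, "tree block bytenr %llu is not aligned to sectorsize %u\n",
                (unsigned long long)bytenr, c->sectorsize);
        return NULL;
    }
    return read_tree_block_unchecked(c, bytenr);
}

/* Constructed scenario: the chunk tree root is cached and held by the caller,
 * and a corrupted pointer inside it names an unaligned bytenr that falls within
 * the root block itself. Returns 1 if the held root is still valid afterwards. */
int run_scenario(int use_check)
{
    struct eb_cache c;
    memset(&c, 0, sizeof(c));
    c.sectorsize = 4096;
    c.nodesize = 16384;

    struct extent_buffer *chunk_root = alloc_eb(&c, 0x400000, c.nodesize);
    u64 bad_ptr = 0x400000 + 123;   /* aligned to neither 4K nor 16K */

    if (use_check)
        read_tree_block_checked(&c, bad_ptr);
    else
        read_tree_block_unchecked(&c, bad_ptr);

    return chunk_root->freed == 0;
}

int main(void)
{
    printf("unchecked: chunk root still valid = %d\n", run_scenario(0));
    printf("checked:   chunk root still valid = %d\n", run_scenario(1));
    return 0;
}
```

Without the check the caller's chunk root buffer is released underneath it, which is the state free_extent_buffer later touched in the trace; with the check the unaligned pointer is refused before the cache is consulted and the root stays valid.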
Comment 5 David Sterba 2016-08-30 14:50:41 UTC
Fixes and image are in git, will be part of the next release. Closing, thanks.