Bug 155201 - Fuzzed image causes SIGFPE in btrfsck
Summary: Fuzzed image causes SIGFPE in btrfsck
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: Josef Bacik
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-28 19:15 UTC by Lukas Lueg
Modified: 2016-08-30 14:52 UTC
CC: 2 users

See Also:
Kernel Version: 4.6.6-300.fc24-x86_64
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Image causing SIGFPE in btrfsck (17.60 KB, application/gzip)
2016-08-28 19:15 UTC, Lukas Lueg

Description Lukas Lueg 2016-08-28 19:15:53 UTC
Created attachment 230921 [details]
Image causing SIGFPE in btrfsck

News from the fuzzer. See the attached image to reproduce using btrfs-progs v4.7-42-g56e9586.


[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
checking extents
Chunk[0, 4194304] existed.
Chunk[18446744073709551607, 228, 0]: length(1), offset(0), type(4160) mismatch with block group[0, 192, 4194304]: offset(4194304), objectid(0), flags(2)

Program received signal SIGFPE, Arithmetic exception.
0x000000000042b178 in calc_stripe_length (type=4160, length=1, num_stripes=0) at cmds-check.c:8018
8018			stripe_size /= num_stripes;
#0  0x000000000042b178 in calc_stripe_length (type=4160, length=1, num_stripes=0) at cmds-check.c:8018
#1  0x000000000042b56d in check_chunk_refs (silent=0, dev_extent_cache=0x7fffffffdd30, block_group_cache=0x7fffffffdd60, chunk_rec=0x6b92c0) at cmds-check.c:8101
#2  check_chunks (chunk_cache=chunk_cache@entry=0x7fffffffdd80, block_group_cache=block_group_cache@entry=0x7fffffffdd60, dev_extent_cache=dev_extent_cache@entry=0x7fffffffdd30, good=good@entry=0x0, bad=bad@entry=0x0, rebuild=rebuild@entry=0x0, silent=0) at cmds-check.c:8165
#3  0x000000000042bbdd in check_chunks_and_extents (root=root@entry=0x6b2cf0) at cmds-check.c:8524
#4  0x000000000042e3cb in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11430
#5  0x000000000040a416 in main (argc=2, argv=0x7fffffffe218) at btrfs.c:243
Comment 1 Qu Wenruo 2016-08-30 02:06:07 UTC
Fixed by the following patchset:
https://patchwork.kernel.org/patch/9303261/
https://patchwork.kernel.org/patch/9303265/
https://patchwork.kernel.org/patch/9303259/
https://patchwork.kernel.org/patch/9303263/

The root cause is that the fuzzer is corrupting the key type, making fsck interpret a ROOT_ITEM as a CHUNK_ITEM,
so the current chunk checker for the chunk tree doesn't find the invalid CHUNK_ITEM in the root tree.

The patchset includes the root fix, to double-check any CHUNK_ITEM before processing it,
and adds a new early-warning layer to report invalid key types in some trees.

Would you mind if I use your attachment as a test case?

Thanks,
Qu
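As an added illustration of the kind of check the fix describes (this is not code from btrfs-progs or from the patchset above), the following models the division at cmds-check.c:8018 behind a CHUNK_ITEM sanity check, so the fuzzed item from the backtrace (type 4160, length 1, num_stripes 0) is rejected before any arithmetic runs. The per-profile branch structure and the divisor choices are assumptions for this model; the flag values are the ones defined in btrfs ctree.h.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Block group profile flags, values as defined in btrfs ctree.h. */
#define BTRFS_BLOCK_GROUP_RAID0  (1ULL << 3)
#define BTRFS_BLOCK_GROUP_RAID10 (1ULL << 6)
#define BTRFS_BLOCK_GROUP_RAID5  (1ULL << 7)
#define BTRFS_BLOCK_GROUP_RAID6  (1ULL << 8)

/* Smallest stripe count for which the profile's divisor is non-zero. */
static int min_stripes_for(uint64_t type)
{
	if (type & BTRFS_BLOCK_GROUP_RAID6)
		return 3;          /* model divides by num_stripes - 2 */
	if (type & BTRFS_BLOCK_GROUP_RAID5)
		return 2;          /* model divides by num_stripes - 1 */
	return 1;                  /* RAID0/RAID10 divide by num_stripes */
}

/* Validate a CHUNK_ITEM's fields before any arithmetic uses them. */
bool chunk_item_sane(uint64_t type, uint64_t length, int num_stripes)
{
	return length != 0 && num_stripes >= min_stripes_for(type);
}

/* Simplified model (assumption, not the project's function) of the stripe
 * computation at cmds-check.c:8018. Returns 0, which no real chunk yields,
 * instead of dividing when the item fails validation, so no SIGFPE here. */
uint64_t calc_stripe_length_checked(uint64_t type, uint64_t length, int num_stripes)
{
	if (!chunk_item_sane(type, length, num_stripes))
		return 0;
	if (type & BTRFS_BLOCK_GROUP_RAID0)
		return length / num_stripes;
	if (type & BTRFS_BLOCK_GROUP_RAID10)
		return length * 2 / num_stripes;
	if (type & BTRFS_BLOCK_GROUP_RAID5)
		return length / (num_stripes - 1);
	if (type & BTRFS_BLOCK_GROUP_RAID6)
		return length / (num_stripes - 2);
	return length;
}

int main(void)
{
	/* Backtrace values: type 4160 (0x1040) has RAID10 set, num_stripes is 0. */
	printf("fuzzed chunk %s\n", chunk_item_sane(4160, 1, 0) ? "accepted" : "rejected");
	return 0;
}
```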
Comment 2 Lukas Lueg 2016-08-30 06:14:56 UTC
All images attached to bugs reported here can be included as test cases.
Comment 3 David Sterba 2016-08-30 14:52:17 UTC
Fixes and image are in git and will be part of the next release. Closing, thanks.
