Bug 169311 - Fuzzed image causes heap-buffer-overflow in btrfsck (crc32.c:crc32c_intel)
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: Josef Bacik
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-18 09:23 UTC by Lukas Lueg
Modified: 2016-09-30 14:24 UTC

See Also:
Kernel Version: 4.6.6-300.fc24-x86_64
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Image causing heap-buffer-overflow (17.70 KB, application/x-gzip)
2016-09-18 09:23 UTC, Lukas Lueg
ASAN-log (5.96 KB, text/plain)
2016-09-18 09:24 UTC, Lukas Lueg

Description Lukas Lueg 2016-09-18 09:23:44 UTC
Created attachment 238581
Image causing heap-buffer-overflow

More news from the fuzzer. The attached image causes a heap-buffer-overflow when running btrfsck with ASAN over it, using btrfs-progs v4.7.2-56-ge8c2013.


==32491==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf5c at pc 0x000000614b63 bp 0x7ffeacb5c3b0 sp 0x7ffeacb5c3a8
READ of size 8 at 0x60c00000bf5c thread T0
    #0 0x614b62 in crc32c_intel /home/lukas/dev/btrfsfuzz/src-asan/crc32c.c:75:19
    #1 0x614c09 in crc32c_le /home/lukas/dev/btrfsfuzz/src-asan/crc32c.c:221:9
    #2 0x58de58 in __csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:139:8
    #3 0x58dd88 in csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:159:9
    #4 0x58dfa1 in csum_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:174:9
    #5 0x58eb64 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:348:19
    #6 0x5f2f84 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
    #7 0x5f2d62 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7
    #8 0x5f2bab in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
    #9 0x5eff59 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
    #10 0x5eefa9 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
    #11 0x51f08f in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11637:9
    #12 0x4f0f81 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
    #13 0x7fbf35742730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #14 0x4213f8 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4213f8)
Comment 1 Lukas Lueg 2016-09-18 09:24:16 UTC
Created attachment 238591
ASAN-log
Comment 2 David Sterba 2016-09-30 14:12:30 UTC
There's a lack of checks in read_tree_block_fs_info for blocksize.
Comment 3 David Sterba 2016-09-30 14:24:12 UTC
Fixed in devel, closing.
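Added example (not btrfs-progs code, not from anyone in this thread) of the bug class Comment 2 points at: the checksum in the trace (csum_tree_block_size -> crc32c_le -> crc32c_intel, a READ of size 8 past a heap buffer) runs over a length that comes from the image itself, so a fuzzed nodesize walks the CRC loop off the end of the allocation. The C below is a simplified model of that tree-block checksum path with the sanity and bounds checks placed in front of it. BTRFS_CSUM_SIZE and BTRFS_MAX_METADATA_BLOCKSIZE match the btrfs on-disk format; struct fs_info, MIN_NODESIZE, the TB_* error codes, read_tree_block_checked and the constructed 4 KiB image are this example's own assumptions, and the bitwise CRC-32C is a dependency-free stand-in for the SSE4.2 routine, not its code.

```c
/* Added example, not btrfs-progs code: tree-block checksum with the
 * nodesize check that the unchecked path lacked. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define BTRFS_CSUM_SIZE 32                  /* btrfs: csum field at the start of every tree block */
#define BTRFS_MAX_METADATA_BLOCKSIZE 65536  /* btrfs: largest legal nodesize */
#define MIN_NODESIZE 4096                   /* assumption: smallest nodesize this example accepts */

enum {
    TB_OK = 0,
    TB_BAD_NODESIZE = -1,   /* image-supplied nodesize failed sanity checks */
    TB_OUT_OF_RANGE = -2,   /* block would extend past the end of the image */
    TB_BAD_CSUM = -3,       /* stored checksum does not match the data */
};

/* Stand-in for the fs_info fields the checksum code relies on; on a
 * fuzzed image both values are attacker-controlled (assumed layout). */
struct fs_info {
    uint32_t sectorsize;
    uint32_t nodesize;
};

/* Bitwise CRC-32C (Castagnoli, reflected poly 0x82F63B78) with the same
 * contract as the kernel's crc32c_le(): seed with ~0, caller inverts. */
static uint32_t crc32c_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return crc;
}

uint32_t crc32c(const void *data, size_t len)
{
    return ~crc32c_update(~0u, data, len);
}

/* Checksum of a tree block: CRC-32C over everything after the csum field,
 * stored little-endian in bytes 0..3. The caller must guarantee that buf
 * really is nodesize bytes long; this is exactly the guarantee that was
 * missing when nodesize came straight from the image. */
static void csum_tree_block(const uint8_t *buf, uint32_t nodesize, uint8_t out[4])
{
    uint32_t crc = crc32c(buf + BTRFS_CSUM_SIZE, nodesize - BTRFS_CSUM_SIZE);
    out[0] = crc & 0xff;         out[1] = (crc >> 8) & 0xff;
    out[2] = (crc >> 16) & 0xff; out[3] = (crc >> 24) & 0xff;
}

/* Build a constructed, well-formed block: fill bytes, then stamp the csum. */
void make_block(uint8_t *buf, uint32_t nodesize, uint8_t fill)
{
    memset(buf, fill, nodesize);
    csum_tree_block(buf, nodesize, buf);
}

/* The sanity check: reject a nodesize before anything uses it as a length.
 * A nodesize below BTRFS_CSUM_SIZE would also underflow the CRC length. */
bool nodesize_is_sane(const struct fs_info *fs)
{
    uint32_t n = fs->nodesize;
    if (n < MIN_NODESIZE || n > BTRFS_MAX_METADATA_BLOCKSIZE)
        return false;
    if (n & (n - 1))          /* must be a power of two */
        return false;
    return n >= fs->sectorsize; /* a node is never smaller than a sector */
}

/* Hardened read: validate nodesize, bounds-check against the image, and
 * only then copy and checksum. Returns a TB_* code. */
int read_tree_block_checked(const struct fs_info *fs, const uint8_t *image,
                            size_t image_len, uint64_t bytenr, uint8_t *out)
{
    if (!nodesize_is_sane(fs))
        return TB_BAD_NODESIZE;
    if (bytenr > image_len || fs->nodesize > image_len - bytenr)
        return TB_OUT_OF_RANGE;
    memcpy(out, image + bytenr, fs->nodesize);

    uint8_t want[4];
    csum_tree_block(out, fs->nodesize, want);
    return memcmp(out, want, sizeof want) == 0 ? TB_OK : TB_BAD_CSUM;
}

/* Constructed demo: a valid 4 KiB image, then the same image with a
 * superblock claiming a 64 KiB nodesize, which an unchecked path would
 * feed straight into the CRC loop. Returns the code for the fuzzed case. */
int demo_fuzzed_nodesize(void)
{
    static uint8_t image[4096];
    static uint8_t block[BTRFS_MAX_METADATA_BLOCKSIZE];
    make_block(image, sizeof image, 0x5a);
    struct fs_info good = { .sectorsize = 4096, .nodesize = 4096 };
    struct fs_info fuzz = { .sectorsize = 4096, .nodesize = 65536 };
    if (read_tree_block_checked(&good, image, sizeof image, 0, block) != TB_OK)
        return 99;
    return read_tree_block_checked(&fuzz, image, sizeof image, 0, block);
}

int main(void)
{
    int rc = demo_fuzzed_nodesize();
    printf("fuzzed nodesize 65536 on a 4096-byte image: rc=%d\n", rc);
    return rc == TB_OUT_OF_RANGE ? 0 : 1;
}
```

Two separate checks matter here: nodesize_is_sane rejects values that are not a legal node size at all (zero, below the csum field, not a power of two, above the format maximum), and the range test rejects a legal-looking nodesize that the actual buffer or image cannot back, which is the shape of the report (a sane-looking size, an allocation that is smaller). Doing both before the first byte is read keeps the CRC loop, vectorised or not, inside the allocation.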