Created attachment 275091 [details]
The crafted image which causes kernel panic

- Overview

Invalid pointer dereference in ext4_get_group_info() when mounting a crafted ext4 image

- Reproduce (tested on 4.4/4.15)

# mkdir mnt
# mount -t ext4 88.img mnt

- Reason

https://elixir.bootlin.com/linux/v4.15/source/fs/ext4/ext4.h#L2766

The kernel misses a sanity check on EXT4_SB(sb)->s_group_info in ext4_get_group_info().

- Kernel dump

[   48.581147] EXT4-fs (loop0): barriers disabled
[   48.581223] JBD2: Clearing recovery information on journal
[   48.584375] EXT4-fs (loop0): corrupt root inode, run e2fsck
[   48.584455] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   48.584485] IP: [<ffffffff812de12d>] ext4_free_blocks+0x1ed/0xc00
[   48.584513] PGD 80000000392b0067 PUD 39281067 PMD 0
[   48.584534] Oops: 0000 [#1] SMP
[   48.584549] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon coretemp joydev input_leds serio_raw uvcvideo snd_ens1371 videobuf2_vmalloc snd_ac97_codec videobuf2_memops videobuf2_v4l2 gameport videobuf2_core snd_rawmidi v4l2_common snd_seq_device ac97_bus btusb btrtl videodev snd_pcm btbcm btintel bluetooth snd_timer media snd soundcore vmw_vmci i2c_piix4 shpchp nfit 8250_fintek parport_pc parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper
[   48.584896]  cryptd vmwgfx ttm psmouse drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops mptspi mptscsih ahci libahci e1000 drm mptbase scsi_transport_spi pata_acpi fjes
[   48.584974] CPU: 0 PID: 1387 Comm: mount Not tainted 4.4.0-116-generic #140-Ubuntu
[   48.584999] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[   48.585033] task: ffff880037b3aa00 ti: ffff8800393d4000 task.ti: ffff8800393d4000
[   48.585058] RIP: 0010:[<ffffffff812de12d>]  [<ffffffff812de12d>] ext4_free_blocks+0x1ed/0xc00
[   48.585089] RSP: 0018:ffff8800393d7988  EFLAGS: 00010246
[   48.585107] RAX: ffff88003786f800 RBX: 0000000000000001 RCX: 0000000000000000
[   48.585129] RDX: 0000000000000020 RSI: 0000000000000000 RDI: 0000000000000000
[   48.585152] RBP: ffff8800393d7a60 R08: ffff8800393d79ec R09: ffff8800393d79e8
[   48.585198] R10: ffff8800393d7880 R11: ffff8800395d7988 R12: 0000000000000001
[   48.585219] R13: ffff88003786f000 R14: 0000000000000001 R15: 000000000000002c
[   48.585240] FS:  00007f228f21b840(0000) GS:ffff88003c600000(0000) knlGS:0000000000000000
[   48.585264] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   48.585281] CR2: 0000000000000000 CR3: 0000000033684000 CR4: 0000000000160670
[   48.585337] Stack:
[   48.585345]  000000000000002c ffff8800395a74e0 ffff8800395a7548 ffffffff81f3c9c0
[   48.585372]  ffff8800395a72d8 ffff8800395a7340 ffff88003af29000 ffff88003786f000
[   48.585398]  0000000000000001 00000013812cc1d0 ffff88003786f800 ffff8800395d7a58
[   48.585425] Call Trace:
[   48.586053]  [<ffffffff8124bddd>] ? __find_get_block+0x10d/0x120
[   48.586737]  [<ffffffff812d0708>] ext4_ext_remove_space+0xa68/0x11f0
[   48.587402]  [<ffffffff812d2dfe>] ext4_ext_truncate+0x9e/0xd0
[   48.588029]  [<ffffffff812a5a04>] ext4_truncate+0x364/0x460
[   48.588624]  [<ffffffff812a6697>] ext4_evict_inode+0x3f7/0x4f0
[   48.589215]  [<ffffffff8122f9f1>] evict+0xc1/0x190
[   48.589780]  [<ffffffff8122fcd7>] iput+0x1c7/0x250
[   48.590504]  [<ffffffff812c69ff>] ext4_fill_super+0x1ecf/0x3020
[   48.591058]  [<ffffffff81217410>] mount_bdev+0x270/0x2c0
[   48.591601]  [<ffffffff812c4b30>] ? ext4_calculate_overhead+0x3c0/0x3c0
[   48.592091]  [<ffffffff812b5595>] ext4_mount+0x15/0x20
[   48.592581]  [<ffffffff81217e4d>] mount_fs+0x3d/0x170
[   48.593060]  [<ffffffff811b7575>] ? __alloc_percpu+0x15/0x20
[   48.593509]  [<ffffffff81234647>] vfs_kern_mount+0x67/0x110
[   48.593959]  [<ffffffff81236cff>] do_mount+0x25f/0xda0
[   48.594460]  [<ffffffff81215c33>] ? __fput+0x193/0x230
[   48.594904]  [<ffffffff811f5bd6>] ? __kmalloc_track_caller+0x1b6/0x250
[   48.595302]  [<ffffffff811b1d32>] ? memdup_user+0x42/0x70
[   48.595687]  [<ffffffff81237b7f>] SyS_mount+0x9f/0x100
[   48.596065]  [<ffffffff8184efc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
[   48.596435] Code: ff 49 8b 85 58 04 00 00 8b 75 8c 3b 70 40 0f 83 35 08 00 00 8b 88 a8 00 00 00 89 f2 48 8b b8 78 02 00 00 d3 ea 89 d1 48 8b 50 38 <48> 8b 0c cf 48 83 ea 01 21 f2 48 8b 14 d1 48 8b 12 83 e2 04 0f
[   48.597819] RIP  [<ffffffff812de12d>] ext4_free_blocks+0x1ed/0xc00
[   48.598225]  RSP <ffff8800393d7988>
[   48.598598] CR2: 0000000000000000
[   48.598996] ---[ end trace 6f4a81a91bc49fd0 ]---

- Credit

Reported by Wen Xu from SSLab, Gatech
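Added example, not code from the report or from the kernel tree: a user-space model of the two-level group-info table that ext4_get_group_info() indexes, with the lookup as the report describes it (no test of s_group_info before indexing) next to a checked variant. The names group_info, sb_info, get_group_info_unchecked, get_group_info_checked, build_group_table and model_free_blocks are stand-ins invented for the model, and DESC_PER_BLOCK_BITS = 7 is an assumed value (128 group descriptors per 4 KiB block); the structures are simplified, not the kernel's. The trace above reaches ext4_free_blocks from iput() inside ext4_fill_super, i.e. before the mount has finished, and the fault address is NULL, which is the state the "early" superblock in the model reproduces.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed for the model: 128 descriptors per block (4 KiB block, 32-byte descriptors). */
#define DESC_PER_BLOCK_BITS 7
#define DESC_PER_BLOCK      (1u << DESC_PER_BLOCK_BITS)

/* Stand-in for struct ext4_group_info: only what the model needs. */
struct group_info {
	uint32_t bg_group;
	uint32_t bg_free_clusters;
};

/* Stand-in for the relevant part of struct ext4_sb_info. */
struct sb_info {
	uint32_t s_groups_count;
	/* Two-level table: s_group_info[group >> BITS][group & (PER_BLOCK - 1)].
	 * Stays NULL until the block allocator has built it during mount. */
	struct group_info ***s_group_info;
};

/*
 * Lookup as the report describes it: the table pointer is indexed without
 * testing it.  With s_group_info == NULL the first step reads from address
 * 8 * indexv, i.e. at or near 0 for small group numbers (the (null) fault above).
 */
struct group_info *get_group_info_unchecked(const struct sb_info *sbi, uint32_t group)
{
	struct group_info ***grp = sbi->s_group_info;
	long indexv = group >> DESC_PER_BLOCK_BITS;
	long indexh = group & (DESC_PER_BLOCK - 1);

	return grp[indexv][indexh];
}

/* Same lookup with the missing checks: NULL table or out-of-range group -> NULL. */
struct group_info *get_group_info_checked(const struct sb_info *sbi, uint32_t group)
{
	if (!sbi->s_group_info || group >= sbi->s_groups_count)
		return NULL;
	return sbi->s_group_info[group >> DESC_PER_BLOCK_BITS][group & (DESC_PER_BLOCK - 1)];
}

/* Model of a caller on the free-blocks path: refuse instead of indexing a missing table.
 * Returns 0 on success, -1 if the group info cannot be looked up. */
int model_free_blocks(struct sb_info *sbi, uint32_t group, uint32_t count)
{
	struct group_info *gi = get_group_info_checked(sbi, group);

	if (!gi)
		return -1;
	gi->bg_free_clusters += count;
	return 0;
}

/* Build the two-level table for ngroups groups (what the allocator does once mount gets that far). */
int build_group_table(struct sb_info *sbi, uint32_t ngroups)
{
	uint32_t nblocks = (ngroups + DESC_PER_BLOCK - 1) / DESC_PER_BLOCK, g;

	sbi->s_groups_count = ngroups;
	sbi->s_group_info = calloc(nblocks, sizeof(*sbi->s_group_info));
	if (!sbi->s_group_info)
		return -1;
	for (g = 0; g < ngroups; g++) {
		uint32_t v = g >> DESC_PER_BLOCK_BITS, h = g & (DESC_PER_BLOCK - 1);
		struct group_info **blk = sbi->s_group_info[v];

		if (!blk) {
			blk = calloc(DESC_PER_BLOCK, sizeof(*blk));
			if (!blk)
				return -1;
			sbi->s_group_info[v] = blk;
		}
		blk[h] = calloc(1, sizeof(struct group_info));
		if (!blk[h])
			return -1;
		blk[h]->bg_group = g;
	}
	return 0;
}

int main(void)
{
	/* Mount-time state seen in the trace: table not built yet. */
	struct sb_info early = { .s_groups_count = 300, .s_group_info = NULL };
	struct sb_info ready = { 0 };

	printf("early free_blocks -> %d (refused, no crash)\n", model_free_blocks(&early, 0, 1));
	/* get_group_info_unchecked(&early, 0) would fault here, as the kernel did. */

	if (build_group_table(&ready, 300) < 0)
		return 1;
	printf("group 200 -> block %u slot %u, bg_group=%u\n", 200u >> DESC_PER_BLOCK_BITS,
	       200u & (DESC_PER_BLOCK - 1), get_group_info_checked(&ready, 200)->bg_group);
	printf("group 300 (out of range) -> %p\n", (void *)get_group_info_checked(&ready, 300));
	return 0;
}
```

The unchecked function is kept only to show the shape of the indexing; calling it on the "early" superblock segfaults in user space exactly as the kernel oopsed. The checked variant is the caller-side guard the report says is missing; in the kernel the equivalent return would have to be turned into an ext4_error()/EFSCORRUPTED path by the caller rather than a bare NULL.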
Note that this is not reproducible on the latest ext4 development branch.