Bug 199321 - use-after-free in jbd2_journal_commit_transaction() when mounting and operating a crafted ext4 image
Status: RESOLVED UNREPRODUCIBLE
Alias: None
Product: File System
Classification: Unclassified
Component: ext4
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-08 15:30 UTC by Wen Xu
Modified: 2018-04-13 21:31 UTC (History)

See Also:
Kernel Version: 4.15.x
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The crafted image which causes kernel panic (2.00 MB, application/octet-stream)
2018-04-08 15:30 UTC, Wen Xu
poc.c (3.18 KB, text/plain)
2018-04-08 15:30 UTC, Wen Xu

Description Wen Xu 2018-04-08 15:30:00 UTC
Created attachment 275165 [details]
The crafted image which causes kernel panic

- Overview
Use-after-free triggered in jbd2_journal_commit_transaction() when mounting and operating a crafted ext4 image

- Reproduce
# mkdir mnt
# mount -t ext4 205.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
Kernel crash can be observed in jbd2_journal_put_journal_head().

- Crash dump (with KASAN information)

[  546.558947] ==================================================================
[  546.559046] BUG: KASAN: use-after-free in jbd2_journal_commit_transaction+0x2dc3/0x3bd0
[  546.559123] Read of size 8 at addr ffff8800b05189d8 by task jbd2/loop0-8/1489

[  546.559222] CPU: 3 PID: 1489 Comm: jbd2/loop0-8 Not tainted 4.15.15 #1
[  546.559223] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[  546.559225] Call Trace:
[  546.559239]  dump_stack+0xaf/0x121
[  546.559242]  ? _atomic_dec_and_lock+0xff/0xff
[  546.559250]  print_address_description+0x6a/0x270
[  546.559252]  kasan_report+0x277/0x360
[  546.559254]  ? jbd2_journal_commit_transaction+0x2dc3/0x3bd0
[  546.559256]  jbd2_journal_commit_transaction+0x2dc3/0x3bd0
[  546.559263]  ? update_load_avg+0xb81/0x1130
[  546.559267]  ? journal_submit_commit_record+0x4a0/0x4a0
[  546.559273]  ? update_load_avg+0xb81/0x1130
[  546.559278]  ? cpuusage_read+0x10/0x10
[  546.559281]  ? update_curr+0x300/0x430
[  546.559283]  ? switched_from_fair+0x10/0x10
[  546.559285]  ? update_cfs_group+0x84/0x2a0
[  546.559286]  ? account_entity_dequeue+0xdb/0x2b0
[  546.559288]  ? reweight_entity+0x660/0x660
[  546.559291]  ? dequeue_entity+0x302/0xa30
[  546.559294]  ? check_preempt_wakeup+0x4c0/0x500
[  546.559297]  ? task_prio+0x20/0x20
[  546.559299]  ? select_idle_sibling+0xca/0x7b0
[  546.559302]  ? cpuacct_charge+0x127/0x1b0
[  546.559304]  ? cpuusage_read+0x10/0x10
[  546.559307]  ? update_cfs_group+0x84/0x2a0
[  546.559309]  ? account_entity_dequeue+0xdb/0x2b0
[  546.559312]  ? reweight_entity+0x660/0x660
[  546.559314]  ? dequeue_entity+0xa30/0xa30
[  546.559316]  ? select_task_rq_fair+0xb19/0x11e0
[  546.559318]  ? dequeue_entity+0x302/0xa30
[  546.559320]  ? check_preempt_wakeup+0x500/0x500
[  546.559322]  ? select_idle_sibling+0x7b0/0x7b0
[  546.559330]  ? llist_add_batch+0xa3/0xf0
[  546.559332]  ? set_nr_if_polling+0x7a/0xf0
[  546.559333]  ? task_rq_unlock+0x60/0x60
[  546.559339]  ? sched_clock+0x5/0x10
[  546.559341]  ? sched_clock+0x5/0x10
[  546.559344]  ? x2apic_send_IPI+0x63/0x70
[  546.559347]  ? try_to_wake_up+0xe7/0x890
[  546.559349]  ? pick_next_task_fair+0x4a2/0xb60
[  546.559352]  ? load_balance+0x1790/0x1790
[  546.559354]  ? select_idle_sibling+0xca/0x7b0
[  546.559358]  ? __switch_to+0x37a/0x800
[  546.559361]  ? compat_start_thread+0x60/0x60
[  546.559367]  ? _synchronize_rcu_expedited.constprop.75+0x480/0x480
[  546.559369]  ? finish_task_switch+0x116/0x3c0
[  546.559371]  ? __hrtick_start+0x140/0x140
[  546.559373]  ? sched_clock+0x5/0x10
[  546.559375]  ? put_prev_entity+0x98/0x190
[  546.559378]  ? __schedule+0x50b/0xe20
[  546.559384]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  546.559386]  ? firmware_map_remove+0x193/0x193
[  546.559387]  ? __wake_up_common+0xb5/0x2f0
[  546.559390]  ? pick_next_task_fair+0x4a2/0xb60
[  546.559391]  ? remove_wait_queue+0x150/0x150
[  546.559393]  ? deref_stack_reg+0xa1/0xe0
[  546.559397]  ? detach_if_pending+0x132/0x240
[  546.559399]  ? __internal_add_timer+0x160/0x160
[  546.559400]  ? lock_timer_base+0x11c/0x170
[  546.559402]  ? detach_if_pending+0x240/0x240
[  546.559404]  ? finish_wait+0x1b0/0x1d0
[  546.559405]  ? __wake_up_common+0x2f0/0x2f0
[  546.559410]  ? ret_from_fork+0x35/0x40
[  546.559412]  ? try_to_del_timer_sync+0xa1/0xe0
[  546.559414]  ? del_timer+0xe0/0xe0
[  546.559415]  ? sched_clock+0x5/0x10
[  546.559417]  ? finish_task_switch+0x116/0x3c0
[  546.559421]  ? kjournald2+0x208/0x650
[  546.559423]  kjournald2+0x208/0x650
[  546.559425]  ? commit_timeout+0x20/0x20
[  546.559426]  ? __schedule+0x50b/0xe20
[  546.559429]  ? kasan_kmalloc+0xa0/0xd0
[  546.559431]  ? kmem_cache_alloc_trace+0xe2/0x1e0
[  546.559433]  ? firmware_map_remove+0x193/0x193
[  546.559435]  ? wait_woken+0x110/0x110
[  546.559438]  ? schedule+0xb0/0x250
[  546.559439]  ? __schedule+0xe20/0xe20
[  546.559441]  ? remove_wait_queue+0x150/0x150
[  546.559444]  ? memcg_kmem_put_cache+0x6c/0x130
[  546.559446]  ? __init_waitqueue_head+0xa0/0xd0
[  546.559447]  ? print_dl_stats+0x50/0x50
[  546.559450]  ? commit_timeout+0x20/0x20
[  546.559451]  kthread+0x19e/0x1c0
[  546.559453]  ? kthread_create_worker_on_cpu+0xc0/0xc0
[  546.559455]  ret_from_fork+0x35/0x40

[  546.559485] Allocated by task 1343:
[  546.559529]  kasan_kmalloc+0xa0/0xd0
[  546.559531]  kmem_cache_alloc+0xb6/0x1c0
[  546.559536]  getname_flags+0x6c/0x2a0
[  546.559538]  do_sys_open+0x1cc/0x380
[  546.559543]  do_syscall_64+0x17a/0x330
[  546.559545]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[  546.559571] Freed by task 1343:
[  546.559613]  kasan_slab_free+0x71/0xc0
[  546.559615]  kmem_cache_free+0x75/0x1e0
[  546.559616]  do_sys_open+0x1f0/0x380
[  546.559618]  do_syscall_64+0x17a/0x330
[  546.559619]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[  546.559647] The buggy address belongs to the object at ffff8800b0518000
                which belongs to the cache names_cache of size 4096
[  546.559766] The buggy address is located 2520 bytes inside of
                4096-byte region [ffff8800b0518000, ffff8800b0519000)
[  546.559878] The buggy address belongs to the page:
[  546.559931] page:ffffea0002c14600 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[  546.560034] flags: 0xfffffc0008100(slab|head)
[  546.560083] raw: 000fffffc0008100 0000000000000000 0000000000000000 0000000100070007
[  546.560156] raw: 0000000000000000 0000000100000001 ffff88010cd87d40 0000000000000000
[  546.560227] page dumped because: kasan: bad access detected

[  546.560306] Memory state around the buggy address:
[  546.560356]  ffff8800b0518880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  546.560424]  ffff8800b0518900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  546.560492] >ffff8800b0518980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  546.560560]                                                     ^
[  546.562006]  ffff8800b0518a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  546.563410]  ffff8800b0518a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  546.564800] ==================================================================
[  546.566189] Disabling lock debugging due to kernel taint
[  546.566281] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[  546.567687] IP: jbd2_journal_put_journal_head+0x69/0x1fa
[  546.569091] PGD 0 P4D 0
[  546.570880] Oops: 0000 [#1] SMP KASAN PTI
[  546.572605] Modules linked in: uvcvideo btusb btrtl btbcm snd_ens1371 videobuf2_vmalloc videobuf2_memops btintel videobuf2_v4l2 vmw_balloon snd_ac97_codec input_leds videobuf2_core ac97_bus bluetooth coretemp videodev snd_pcm intel_rapl_perf joydev snd_timer serio_raw snd_rawmidi media snd ecdh_generic soundcore gameport shpchp i2c_piix4 mac_hid vmw_vsock_vmci_transport vsock vmw_vmci ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear vmwgfx drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel syscopyarea sysfillrect pcbc sysimgblt fb_sys_fops ttm aesni_intel
[  546.586085]  aes_x86_64 crypto_simd cryptd drm psmouse ahci glue_helper libahci mptspi e1000 scsi_transport_spi mptscsih mptbase pata_acpi hid_generic usbhid hid
[  546.589718] CPU: 3 PID: 1489 Comm: jbd2/loop0-8 Tainted: G    B            4.15.15 #1
[  546.591257] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[  546.594780] RIP: 0010:jbd2_journal_put_journal_head+0x69/0x1fa
[  546.596465] RSP: 0018:ffff8800b942ec40 EFLAGS: 00010286
[  546.598167] RAX: 0000000000000000 RBX: ffff8800b05189d8 RCX: ffffffff8c058959
[  546.599763] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000008
[  546.601937] RBP: 0000000000000000 R08: ffffed0027edde58 R09: 0000000000000000
[  546.604594] R10: fbfbfbfbfbfbfbfb R11: ffffed0027edde57 R12: ffff8800b0518a18
[  546.606763] R13: ffff88010a3aba48 R14: ffff88010a3aba50 R15: dffffc0000000000
[  546.608845] FS:  0000000000000000(0000) GS:ffff88010d2c0000(0000) knlGS:0000000000000000
[  546.610821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  546.612636] CR2: 0000000000000008 CR3: 00000000aca0e006 CR4: 00000000001606e0
[  546.614380] Call Trace:
[  546.615959]  __jbd2_journal_refile_buffer+0x1db/0x1f0
[  546.617608]  ? jbd2_journal_file_buffer+0xa0/0xa0
[  546.619231]  ? kasan_end_report+0x33/0x50
[  546.620827]  ? kasan_report+0x169/0x360
[  546.622404]  jbd2_journal_commit_transaction+0x2e41/0x3bd0
[  546.623928]  ? update_load_avg+0xb81/0x1130
[  546.625570]  ? journal_submit_commit_record+0x4a0/0x4a0
[  546.627125]  ? update_load_avg+0xb81/0x1130
[  546.628596]  ? cpuusage_read+0x10/0x10
[  546.630076]  ? update_curr+0x300/0x430
[  546.631554]  ? switched_from_fair+0x10/0x10
[  546.632979]  ? update_cfs_group+0x84/0x2a0
[  546.634454]  ? account_entity_dequeue+0xdb/0x2b0
[  546.635814]  ? reweight_entity+0x660/0x660
[  546.637157]  ? dequeue_entity+0x302/0xa30
[  546.638510]  ? check_preempt_wakeup+0x4c0/0x500
[  546.639761]  ? task_prio+0x20/0x20
[  546.640982]  ? select_idle_sibling+0xca/0x7b0
[  546.642208]  ? cpuacct_charge+0x127/0x1b0
[  546.643346]  ? cpuusage_read+0x10/0x10
[  546.644445]  ? update_cfs_group+0x84/0x2a0
[  546.645552]  ? account_entity_dequeue+0xdb/0x2b0
[  546.646589]  ? reweight_entity+0x660/0x660
[  546.647597]  ? dequeue_entity+0xa30/0xa30
[  546.648675]  ? select_task_rq_fair+0xb19/0x11e0
[  546.649715]  ? dequeue_entity+0x302/0xa30
[  546.650637]  ? check_preempt_wakeup+0x500/0x500
[  546.651592]  ? select_idle_sibling+0x7b0/0x7b0
[  546.652538]  ? llist_add_batch+0xa3/0xf0
[  546.653758]  ? set_nr_if_polling+0x7a/0xf0
[  546.654716]  ? task_rq_unlock+0x60/0x60
[  546.655604]  ? sched_clock+0x5/0x10
[  546.656475]  ? sched_clock+0x5/0x10
[  546.657306]  ? x2apic_send_IPI+0x63/0x70
[  546.658178]  ? try_to_wake_up+0xe7/0x890
[  546.658973]  ? pick_next_task_fair+0x4a2/0xb60
[  546.659788]  ? load_balance+0x1790/0x1790
[  546.660599]  ? select_idle_sibling+0xca/0x7b0
[  546.661410]  ? __switch_to+0x37a/0x800
[  546.662198]  ? compat_start_thread+0x60/0x60
[  546.662973]  ? _synchronize_rcu_expedited.constprop.75+0x480/0x480
[  546.663818]  ? finish_task_switch+0x116/0x3c0
[  546.664599]  ? __hrtick_start+0x140/0x140
[  546.665438]  ? sched_clock+0x5/0x10
[  546.666248]  ? put_prev_entity+0x98/0x190
[  546.667011]  ? __schedule+0x50b/0xe20
[  546.667819]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  546.668602]  ? firmware_map_remove+0x193/0x193
[  546.669413]  ? __wake_up_common+0xb5/0x2f0
[  546.670223]  ? pick_next_task_fair+0x4a2/0xb60
[  546.671005]  ? remove_wait_queue+0x150/0x150
[  546.671788]  ? deref_stack_reg+0xa1/0xe0
[  546.672568]  ? detach_if_pending+0x132/0x240
[  546.673392]  ? __internal_add_timer+0x160/0x160
[  546.674194]  ? lock_timer_base+0x11c/0x170
[  546.674973]  ? detach_if_pending+0x240/0x240
[  546.675755]  ? finish_wait+0x1b0/0x1d0
[  546.676533]  ? __wake_up_common+0x2f0/0x2f0
[  546.677313]  ? ret_from_fork+0x35/0x40
[  546.678231]  ? try_to_del_timer_sync+0xa1/0xe0
[  546.679083]  ? del_timer+0xe0/0xe0
[  546.679855]  ? sched_clock+0x5/0x10
[  546.680642]  ? finish_task_switch+0x116/0x3c0
[  546.681495]  ? kjournald2+0x208/0x650
[  546.682303]  kjournald2+0x208/0x650
[  546.683083]  ? commit_timeout+0x20/0x20
[  546.683928]  ? __schedule+0x50b/0xe20
[  546.684778]  ? kasan_kmalloc+0xa0/0xd0
[  546.685654]  ? kmem_cache_alloc_trace+0xe2/0x1e0
[  546.686698]  ? firmware_map_remove+0x193/0x193
[  546.687592]  ? wait_woken+0x110/0x110
[  546.688380]  ? schedule+0xb0/0x250
[  546.689180]  ? __schedule+0xe20/0xe20
[  546.690022]  ? remove_wait_queue+0x150/0x150
[  546.690826]  ? memcg_kmem_put_cache+0x6c/0x130
[  546.691685]  ? __init_waitqueue_head+0xa0/0xd0
[  546.692489]  ? print_dl_stats+0x50/0x50
[  546.693278]  ? commit_timeout+0x20/0x20
[  546.694109]  kthread+0x19e/0x1c0
[  546.694907]  ? kthread_create_worker_on_cpu+0xc0/0xc0
[  546.695693]  ret_from_fork+0x35/0x40
[  546.696487] Code: 45 08 74 0e f0 80 63 03 fe 5b 5d 41 5c 41 5d 41 5e c3 4c 8d 63 40 4c 89 e7 e8 44 c1 dc ff 48 8b 6b 40 48 8d 7d 08 e8 37 c0 dc ff <8b> 55 08 85 d2 0f 88 08 01 00 00 48 8d 7d 28 e8 23 c1 dc ff 48
[  546.699248] RIP: jbd2_journal_put_journal_head+0x69/0x1fa RSP: ffff8800b942ec40
[  546.700163] CR2: 0000000000000008
[  546.701131] ---[ end trace a8193c5d3f5fb08a ]---

Reported by Wen Xu from SSLab, Gatech.
Comment 1 Wen Xu 2018-04-08 15:30:29 UTC
Created attachment 275167 [details]
poc.c
Comment 2 Eric Biggers 2018-04-10 04:29:47 UTC
FYI, the reproducer doesn't work unless I revert commit 18db4b4e6fc31 ("ext4: don't allow r/w mounts if metadata blocks overlap the superblock").  So while this might be a different bug, it's not obvious, since your reproducer no longer works.  Wen, it would save a lot of time if you tested the latest ext4 development branch from kernel.org so that you're including the latest fixes.  You *could* test LTS or stable kernels too to identify missed backports (while keeping in mind that it can take several weeks for a patch to land there after being applied upstream), but new bugs really should be reported with a working reproducer against the latest ext4 development branch. Thanks!
Comment 3 Wen Xu 2018-04-10 05:18:01 UTC
Yeah, this only works with stable kernel 4.15.15 and also influences LTS. Sorry for that!
