Created attachment 276777 [details] The (compressed) crafted image which causes crash - Overview Out-of-bound access in gfs2_read_sb() when mounting a corrupted gfs2 image - Reproduce # mkdir mnt # mount -t gfs2 1.img mnt - Kernel message [ 714.370787] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" [ 714.370791] gfs2: fsid=loop0: Now mounting FS... [ 714.371815] ================================================================== [ 714.373480] BUG: KASAN: slab-out-of-bounds in init_sb+0x39f/0x6b0 [ 714.374697] Write of size 8 at addr ffff8801f3c77298 by task mount/1388 [ 714.376348] CPU: 1 PID: 1388 Comm: mount Not tainted 4.18.0-rc1+ #5 [ 714.376351] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 714.376359] Call Trace: [ 714.376378] dump_stack+0x7b/0xb5 [ 714.376392] print_address_description+0x70/0x290 [ 714.376397] kasan_report+0x291/0x390 [ 714.376401] ? init_sb+0x39f/0x6b0 [ 714.376407] __asan_store8+0x57/0x90 [ 714.376411] init_sb+0x39f/0x6b0 [ 714.376416] ? gfs2_lookup_root+0xc0/0xc0 [ 714.376424] ? gfs2_glock_nq_num+0xcd/0x160 [ 714.376429] fill_super+0xc99/0x1400 [ 714.376433] ? fill_super+0xc99/0x1400 [ 714.376438] ? gfs2_online_uevent+0x170/0x170 [ 714.376443] ? gfs2_glock_nq_num+0xcd/0x160 [ 714.376450] ? snprintf+0x96/0xd0 [ 714.376453] ? vsprintf+0x20/0x20 [ 714.376463] ? set_blocksize+0x90/0x140 [ 714.376468] gfs2_mount+0x367/0x3c2 [ 714.376472] ? gfs2_mount+0x367/0x3c2 [ 714.376476] ? fill_super+0x1400/0x1400 [ 714.376482] ? memcpy+0x45/0x50 [ 714.376488] mount_fs+0x60/0x1a0 [ 714.376494] ? alloc_vfsmnt+0x309/0x360 [ 714.376499] vfs_kern_mount+0x6b/0x1a0 [ 714.376505] do_mount+0x34a/0x18c0 [ 714.376516] ? lockref_put_or_lock+0xcf/0x160 [ 714.376522] ? copy_mount_string+0x20/0x20 [ 714.376529] ? memcg_kmem_put_cache+0x1b/0xa0 [ 714.376534] ? kasan_check_write+0x14/0x20 [ 714.376540] ? _copy_from_user+0x6a/0x90 [ 714.376552] ? 
memdup_user+0x42/0x60 [ 714.376558] ksys_mount+0x83/0xd0 [ 714.376563] __x64_sys_mount+0x67/0x80 [ 714.376571] do_syscall_64+0x78/0x170 [ 714.376580] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 714.376593] RIP: 0033:0x7f7298411b9a [ 714.376594] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 [ 714.376653] RSP: 002b:00007ffedbc22008 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 714.376662] RAX: ffffffffffffffda RBX: 000000000067e030 RCX: 00007f7298411b9a [ 714.376665] RDX: 000000000067e210 RSI: 000000000067ff30 RDI: 0000000000686ec0 [ 714.376667] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 [ 714.376669] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000686ec0 [ 714.376672] R13: 000000000067e210 R14: 0000000000000000 R15: 0000000000000003 [ 714.377020] Allocated by task 1388: [ 714.377736] save_stack+0x46/0xd0 [ 714.377740] kasan_kmalloc+0xad/0xe0 [ 714.377744] kmem_cache_alloc_trace+0x102/0x200 [ 714.377748] fill_super+0xd1/0x1400 [ 714.377751] gfs2_mount+0x367/0x3c2 [ 714.377754] mount_fs+0x60/0x1a0 [ 714.377758] vfs_kern_mount+0x6b/0x1a0 [ 714.377761] do_mount+0x34a/0x18c0 [ 714.377765] ksys_mount+0x83/0xd0 [ 714.377769] __x64_sys_mount+0x67/0x80 [ 714.377773] do_syscall_64+0x78/0x170 [ 714.377776] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 714.378100] Freed by task 1: [ 714.378688] save_stack+0x46/0xd0 [ 714.378691] __kasan_slab_free+0x13c/0x1a0 [ 714.378694] kasan_slab_free+0xe/0x10 [ 714.378697] kfree+0x8c/0x1c0 [ 714.378710] proc_cgroup_show+0x264/0x390 [ 714.378717] proc_single_show+0x8d/0xe0 [ 714.378721] seq_read+0x365/0x870 [ 714.378727] __vfs_read+0xe7/0x400 [ 714.378730] vfs_read+0xbf/0x1b0 [ 714.378734] ksys_read+0xb4/0x140 [ 714.378738] __x64_sys_read+0x43/0x50 [ 714.378741] do_syscall_64+0x78/0x170 [ 714.378745] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 714.379066] The 
buggy address belongs to the object at ffff8801f3c76600 which belongs to the cache kmalloc-4096 of size 4096 [ 714.381679] The buggy address is located 3224 bytes inside of 4096-byte region [ffff8801f3c76600, ffff8801f3c77600) [ 714.384061] The buggy address belongs to the page: [ 714.385168] page:ffffea0007cf1c00 count:1 mapcount:0 mapping:ffff8801f68028c0 index:0x0 compound_mapcount: 0 [ 714.387120] flags: 0x2ffff0000008100(slab|head) [ 714.388045] raw: 02ffff0000008100 ffffea0007714c00 0000000200000002 ffff8801f68028c0 [ 714.389706] raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000 [ 714.391246] page dumped because: kasan: bad access detected [ 714.392710] Memory state around the buggy address: [ 714.393790] ffff8801f3c77180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 714.395237] ffff8801f3c77200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 714.396659] >ffff8801f3c77280: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 714.398105] ^ [ 714.398913] ffff8801f3c77300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 714.400345] ffff8801f3c77380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 714.401788] ================================================================== [ 714.403218] Disabling lock debugging due to kernel taint [ 714.404611] BUG: unable to handle kernel paging request at ffff8801f3cc6000 [ 714.406036] PGD 1351f1067 P4D 1351f1067 PUD 23fffc067 PMD 1ee365063 PTE 80000001f3cc6061 [ 714.407667] Oops: 0003 [#1] SMP KASAN PTI [ 714.407967] show_signal_msg: 5 callbacks suppressed [ 714.407973] in:imklog[943]: segfault at 8 ip 00007fd470cbbdd4 sp 00007fd46f5c4380 error 4 [ 714.408479] CPU: 1 PID: 1388 Comm: mount Tainted: G B 4.18.0-rc1+ #5 [ 714.409540] in libc-2.23.so[7fd470c3a000+1c0000] [ 714.411147] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 714.413704] RIP: 0010:init_sb+0x3a4/0x6b0 [ 714.415560] Code: [ 714.416368] Code: 00 4c 39 f8 0f 85 82 02 00 00 41 bf 02 
00 00 00 45 89 fd 41 83 c7 01 49 83 c5 28 4a 8d 7c eb 08 e8 81 61 b0 ff 4c [ 714.416827] 08 00 [ 714.419290] 89 [ 714.419292] 00 41 [ 714.419711] e1 31 d2 <4e> 89 74 eb 08 49 0f af ce 48 89 c8 49 f7 f4 4c 39 f0 49 89 ce 40 [ 714.419731] RSP: 0018:ffff8801e0aa78a0 EFLAGS: 00010246 [ 714.419735] RAX: 0000000000000000 RBX: ffff8801f3c76600 RCX: 00000000fffffffd [ 714.419739] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801f3cc6000 [ 714.420112] 83 [ 714.420533] RBP: ffff8801e0aa7990 R08: ffffed003ede3ebb R09: ffffed003ede3ebb [ 714.422234] ee [ 714.423278] R10: 0000000000000001 R11: ffffed003ede3eba R12: 00000000fffffffd [ 714.424700] 01 [ 714.426099] R13: 0000000000009f3f R14: 0000000000000000 R15: 0000000000009f18 [ 714.426467] 4d [ 714.427875] FS: 00007f7298b31840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 714.427878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 714.427880] CR2: ffff8801f3cc6000 CR3: 00000001dda8e000 CR4: 00000000000006e0 [ 714.427896] Call Trace: [ 714.428263] 89 [ 714.429689] ? gfs2_lookup_root+0xc0/0xc0 [ 714.430049] 45 [ 714.431456] ? gfs2_glock_nq_num+0xcd/0x160 [ 714.431840] 18 [ 714.433424] fill_super+0xc99/0x1400 [ 714.434550] 49 [ 714.435960] ? fill_super+0xc99/0x1400 [ 714.435967] ? gfs2_online_uevent+0x170/0x170 [ 714.435972] ? gfs2_glock_nq_num+0xcd/0x160 [ 714.435976] ? snprintf+0x96/0xd0 [ 714.435982] ? vsprintf+0x20/0x20 [ 714.436478] 89 [ 714.436847] ? set_blocksize+0x90/0x140 [ 714.437752] 7d [ 714.438123] gfs2_mount+0x367/0x3c2 [ 714.438944] 10 [ 714.439314] ? gfs2_mount+0x367/0x3c2 [ 714.440043] 4c [ 714.440390] ? fill_super+0x1400/0x1400 [ 714.441246] 89 [ 714.442120] ? memcpy+0x45/0x50 [ 714.442943] 6f [ 714.443614] mount_fs+0x60/0x1a0 [ 714.443619] ? alloc_vfsmnt+0x309/0x360 [ 714.443624] vfs_kern_mount+0x6b/0x1a0 [ 714.443629] do_mount+0x34a/0x18c0 [ 714.443634] ? lockref_put_or_lock+0xcf/0x160 [ 714.443640] ? copy_mount_string+0x20/0x20 [ 714.444301] 18 [ 714.444670] ? 
memcg_kmem_put_cache+0x1b/0xa0 [ 714.445539] 4d [ 714.445910] ? kasan_check_write+0x14/0x20 [ 714.446596] 89 [ 714.446966] ? _copy_from_user+0x6a/0x90 [ 714.447712] 68 [ 714.448059] ? memdup_user+0x42/0x60 [ 714.448820] 10 [ 714.449200] ksys_mount+0x83/0xd0 [ 714.449828] 0f [ 714.450197] __x64_sys_mount+0x67/0x80 [ 714.450837] 84 [ 714.451610] do_syscall_64+0x78/0x170 [ 714.451615] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 714.451618] RIP: 0033:0x7f7298411b9a [ 714.451619] Code: 48 8b 0d 01 c3 2b 00 f7 d8 [ 714.452381] a0 [ 714.453075] 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 [ 714.453970] 03 [ 714.454789] 8b [ 714.455151] 00 [ 714.456018] 0d ce c2 2b 00 f7 d8 64 89 01 48 [ 714.456028] RSP: 002b:00007ffedbc22008 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 714.456032] RAX: ffffffffffffffda RBX: 000000000067e030 RCX: 00007f7298411b9a [ 714.456035] RDX: 000000000067e210 RSI: 000000000067ff30 RDI: 0000000000686ec0 [ 714.456037] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 [ 714.456039] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000686ec0 [ 714.456044] R13: 000000000067e210 R14: 0000000000000000 R15: 0000000000000003 [ 714.456411] 00 [ 714.464037] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp [ 714.464581] 4c [ 714.465407] libiscsi [ 714.465760] 8b [ 714.466494] scsi_transport_iscsi [ 714.466851] 6b [ 714.467530] raid10 [ 714.467914] 70 [ 714.468652] raid456 [ 714.469123] 4d [ 714.469875] async_raid6_recov [ 714.470869] 39 [ 714.471598] async_memcpy [ 714.472482] e5 [ 714.472835] async_pq [ 714.475451] 0f [ 714.475829] async_xor async_tx raid1 [ 714.476233] 84 [ 714.476595] raid0 [ 714.477565] 93 [ 714.479064] multipath [ 714.480490] 03 [ 714.481893] linear [ 714.483291] 00 [ 714.484699] 
8139too qxl crct10dif_pclmul drm_kms_helper crc32_pclmul [ 714.486226] 00 [ 714.486595] aesni_intel [ 714.490379] <49> [ 714.490730] syscopyarea [ 714.491191] 8b [ 714.491564] sysfillrect [ 714.492251] 75 [ 714.492599] sysimgblt [ 714.493145] 08 [ 714.493521] fb_sys_fops [ 714.493961] 4d [ 714.494326] ttm [ 714.494937] 8b [ 714.495309] aes_x86_64 [ 714.495856] 7d [ 714.496203] crypto_simd [ 714.496667] 18 [ 714.497043] drm cryptd glue_helper 8139cp mii floppy pata_acpi [ 714.497101] CR2: ffff8801f3cc6000 [ 714.497112] ---[ end trace ca288c45eff59b79 ]--- [ 714.497836] 48 [ 714.498207] RIP: 0010:init_sb+0x3a4/0x6b0 [ 714.498614] 83 [ 714.498977] Code: [ 714.499455] fe [ 714.499818] 00 4c 39 f8 0f 85 82 02 00 00 41 bf 02 00 00 00 45 89 fd 41 83 c7 01 49 83 c5 28 4a 8d 7c eb [ 714.500277] 10 [ 714.500641] 08 [ 714.502010] 0f [ 714.502377] e8 [ 714.502889] 86 [ 714.503288] 81 [ 714.503863] 5a [ 714.504170] 61 [ 714.504693] 01 [ 714.505168] b0 [ 714.505647] 00 [ 714.506011] ff [ 714.506520] 00 [ 714.506884] 4c [ 714.507261] 48 [ 714.507623] 89 e1 31 d2 <4e> 89 74 eb 08 49 0f af ce 48 89 c8 49 f7 f4 4c 39 f0 49 89 ce 40 [ 714.507644] RSP: 0018:ffff8801e0aa78a0 EFLAGS: 00010246 [ 714.507650] RAX: 0000000000000000 RBX: ffff8801f3c76600 RCX: 00000000fffffffd [ 714.508151] 3b [ 714.508517] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801f3cc6000 [ 714.509132] b3 [ 714.509501] RBP: ffff8801e0aa7990 R08: ffffed003ede3ebb R09: ffffed003ede3ebb [ 714.510652] 80 [ 714.511318] R10: 0000000000000001 R11: ffffed003ede3eba R12: 00000000fffffffd [ 714.512592] R13: 0000000000009f3f R14: 0000000000000000 R15: 0000000000009f18 [ 714.524433] BUG: Bad rss-counter state mm:0000000096943bbf idx:1 val:35 [ 714.525287] FS: 00007f7298b31840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 714.536699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 714.537979] CR2: ffff8801f3cc6000 CR3: 00000001dda8e000 CR4: 00000000000006e0 [ 714.542601] BUG: unable to handle kernel NULL 
pointer dereference at 0000000000000000 [ 714.544193] PGD 80000001e4ee5067 P4D 80000001e4ee5067 PUD 1f3d45067 PMD 0 [ 714.545685] Oops: 0010 [#2] SMP KASAN PTI [ 714.546499] CPU: 0 PID: 1156 Comm: kworker/u4:0 Tainted: G B D 4.18.0-rc1+ #5 [ 714.548133] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 714.550124] Workqueue: events_unbound flush_to_ldisc [ 714.551114] RIP: 0010: (null) [ 714.551857] Code: Bad RIP value. [ 714.552529] RSP: 0018:ffff8801e4bf7ac0 EFLAGS: 00010046 [ 714.553689] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: 0000000000000001 [ 714.555083] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801f3cbf9d0 [ 714.556482] RBP: ffff8801e4bf7b18 R08: 0000000000000001 R09: 0000000000000000 [ 714.557990] R10: 0000000000000001 R11: ffffed003cdab554 R12: ffff8801e6d5aaa8 [ 714.559389] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801f3cbf9d0 [ 714.560788] FS: 0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 714.562483] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 714.563616] CR2: ffffffffffffffd6 CR3: 00000001efae4000 CR4: 00000000000006f0 [ 714.565123] Call Trace: [ 714.565644] ? __wake_up_common+0xc6/0x1e0 [ 714.566473] __wake_up_common_lock+0xea/0x190 [ 714.567346] ? __wake_up_common+0x1e0/0x1e0 [ 714.568188] ? update_load_avg+0x898/0xc80 [ 714.569115] __wake_up+0x13/0x20 [ 714.569777] n_tty_receive_buf_common+0x400/0x10f0 [ 714.570728] ? pick_next_task_fair+0x60a/0xb40 [ 714.571635] ? __switch_to+0x3a1/0x6e0 [ 714.572388] n_tty_receive_buf2+0x14/0x20 [ 714.573220] tty_ldisc_receive_buf+0x65/0xe0 [ 714.574087] ? n_tty_receive_buf_common+0x10f0/0x10f0 [ 714.575098] tty_port_default_receive_buf+0x54/0x80 [ 714.576074] flush_to_ldisc+0x13d/0x170 [ 714.576853] process_one_work+0x302/0x770 [ 714.577679] worker_thread+0x81/0x6d0 [ 714.578425] kthread+0x180/0x1d0 [ 714.579083] ? rescuer_thread+0x710/0x710 [ 714.579891] ? 
kthread_associate_blkcg+0x150/0x150 [ 714.580852] ret_from_fork+0x35/0x40 [ 714.581587] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl crct10dif_pclmul drm_kms_helper crc32_pclmul aesni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aes_x86_64 crypto_simd drm cryptd glue_helper 8139cp mii floppy pata_acpi [ 714.590871] CR2: 0000000000000000 [ 714.591546] ---[ end trace ca288c45eff59b7a ]--- [ 714.592473] RIP: 0010:init_sb+0x3a4/0x6b0 [ 714.593288] Code: 00 4c 39 f8 0f 85 82 02 00 00 41 bf 02 00 00 00 45 89 fd 41 83 c7 01 49 83 c5 28 4a 8d 7c eb 08 e8 81 61 b0 ff 4c 89 e1 31 d2 <4e> 89 74 eb 08 49 0f af ce 48 89 c8 49 f7 f4 4c 39 f0 49 89 ce 40 [ 714.597035] RSP: 0018:ffff8801e0aa78a0 EFLAGS: 00010246 [ 714.598074] RAX: 0000000000000000 RBX: ffff8801f3c76600 RCX: 00000000fffffffd [ 714.599481] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801f3cc6000 [ 714.600883] RBP: ffff8801e0aa7990 R08: ffffed003ede3ebb R09: ffffed003ede3ebb [ 714.602314] R10: 0000000000000001 R11: ffffed003ede3eba R12: 00000000fffffffd [ 714.603733] R13: 0000000000009f3f R14: 0000000000000000 R15: 0000000000009f18 [ 714.605155] FS: 0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 714.606758] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 714.607905] CR2: ffffffffffffffd6 CR3: 00000001efae4000 CR4: 00000000000006f0 - Location https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/gfs2/ops_fstype.c#L322 for (x = 2;; x++) { u64 space, d; u32 m; space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs; d = space; m = do_div(d, sdp->sd_inptrs); if (d != sdp->sd_heightsize[x - 1] || m) break; sdp->sd_heightsize[x] = space; } x can be out-of-boundary of sd_heightsize in 
this loop: nothing bounds x against the size of the sd_heightsize array, so for a crafted superblock whose sd_inptrs / sd_heightsize[1] values (evidently derived from on-disk fields, since a crafted image triggers this) never satisfy the `if (d != sdp->sd_heightsize[x - 1] || m) break;` exit condition, the store `sdp->sd_heightsize[x] = space` keeps writing past the end of the array. In the report above it runs past the end of the allocated object itself — the KASAN shadow shows the 8-byte write landing on the first redzone byte after the object allocated in fill_super() — and the follow-on oops (write fault at ffff8801f3cc6000 while still in init_sb, with R13 = 0x9f3f at the faulting instruction, consistent with x having run into the tens of thousands) shows the loop continues until it hits an unmapped page. A fix needs to reject such a superblock or cap x before the store, not merely after the loop exits. Note that mount(2) requires CAP_SYS_ADMIN, so the trigger is a privileged user (or an automounter) mounting an untrusted image; the impact is kernel heap memory corruption from attacker-controlled image contents. Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
Fixed by 0ddc5154b24c96f20e94d653b0a814438de6032b - thanks.