Bug 200235 - Out-of-bound access in gfs2_read_sb() when mounting a corrupted gfs2 image
Summary: Out-of-bound access in gfs2_read_sb() when mounting a corrupted gfs2 image
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-24 05:16 UTC by Wen Xu
Modified: 2021-01-12 11:43 UTC (History)

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (59.06 KB, application/zip)
2018-06-24 05:16 UTC, Wen Xu

Description Wen Xu 2018-06-24 05:16:20 UTC
Created attachment 276777
The (compressed) crafted image which causes crash

- Overview
Out-of-bound access in gfs2_read_sb() when mounting a corrupted gfs2 image

- Reproduce
# mkdir mnt
# mount -t gfs2 1.img mnt

- Kernel message
[  714.370787] gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0"
[  714.370791] gfs2: fsid=loop0: Now mounting FS...
[  714.371815] ==================================================================
[  714.373480] BUG: KASAN: slab-out-of-bounds in init_sb+0x39f/0x6b0
[  714.374697] Write of size 8 at addr ffff8801f3c77298 by task mount/1388

[  714.376348] CPU: 1 PID: 1388 Comm: mount Not tainted 4.18.0-rc1+ #5
[  714.376351] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  714.376359] Call Trace:
[  714.376378]  dump_stack+0x7b/0xb5
[  714.376392]  print_address_description+0x70/0x290
[  714.376397]  kasan_report+0x291/0x390
[  714.376401]  ? init_sb+0x39f/0x6b0
[  714.376407]  __asan_store8+0x57/0x90
[  714.376411]  init_sb+0x39f/0x6b0
[  714.376416]  ? gfs2_lookup_root+0xc0/0xc0
[  714.376424]  ? gfs2_glock_nq_num+0xcd/0x160
[  714.376429]  fill_super+0xc99/0x1400
[  714.376433]  ? fill_super+0xc99/0x1400
[  714.376438]  ? gfs2_online_uevent+0x170/0x170
[  714.376443]  ? gfs2_glock_nq_num+0xcd/0x160
[  714.376450]  ? snprintf+0x96/0xd0
[  714.376453]  ? vsprintf+0x20/0x20
[  714.376463]  ? set_blocksize+0x90/0x140
[  714.376468]  gfs2_mount+0x367/0x3c2
[  714.376472]  ? gfs2_mount+0x367/0x3c2
[  714.376476]  ? fill_super+0x1400/0x1400
[  714.376482]  ? memcpy+0x45/0x50
[  714.376488]  mount_fs+0x60/0x1a0
[  714.376494]  ? alloc_vfsmnt+0x309/0x360
[  714.376499]  vfs_kern_mount+0x6b/0x1a0
[  714.376505]  do_mount+0x34a/0x18c0
[  714.376516]  ? lockref_put_or_lock+0xcf/0x160
[  714.376522]  ? copy_mount_string+0x20/0x20
[  714.376529]  ? memcg_kmem_put_cache+0x1b/0xa0
[  714.376534]  ? kasan_check_write+0x14/0x20
[  714.376540]  ? _copy_from_user+0x6a/0x90
[  714.376552]  ? memdup_user+0x42/0x60
[  714.376558]  ksys_mount+0x83/0xd0
[  714.376563]  __x64_sys_mount+0x67/0x80
[  714.376571]  do_syscall_64+0x78/0x170
[  714.376580]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  714.376593] RIP: 0033:0x7f7298411b9a
[  714.376594] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[  714.376653] RSP: 002b:00007ffedbc22008 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[  714.376662] RAX: ffffffffffffffda RBX: 000000000067e030 RCX: 00007f7298411b9a
[  714.376665] RDX: 000000000067e210 RSI: 000000000067ff30 RDI: 0000000000686ec0
[  714.376667] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[  714.376669] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000686ec0
[  714.376672] R13: 000000000067e210 R14: 0000000000000000 R15: 0000000000000003

[  714.377020] Allocated by task 1388:
[  714.377736]  save_stack+0x46/0xd0
[  714.377740]  kasan_kmalloc+0xad/0xe0
[  714.377744]  kmem_cache_alloc_trace+0x102/0x200
[  714.377748]  fill_super+0xd1/0x1400
[  714.377751]  gfs2_mount+0x367/0x3c2
[  714.377754]  mount_fs+0x60/0x1a0
[  714.377758]  vfs_kern_mount+0x6b/0x1a0
[  714.377761]  do_mount+0x34a/0x18c0
[  714.377765]  ksys_mount+0x83/0xd0
[  714.377769]  __x64_sys_mount+0x67/0x80
[  714.377773]  do_syscall_64+0x78/0x170
[  714.377776]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  714.378100] Freed by task 1:
[  714.378688]  save_stack+0x46/0xd0
[  714.378691]  __kasan_slab_free+0x13c/0x1a0
[  714.378694]  kasan_slab_free+0xe/0x10
[  714.378697]  kfree+0x8c/0x1c0
[  714.378710]  proc_cgroup_show+0x264/0x390
[  714.378717]  proc_single_show+0x8d/0xe0
[  714.378721]  seq_read+0x365/0x870
[  714.378727]  __vfs_read+0xe7/0x400
[  714.378730]  vfs_read+0xbf/0x1b0
[  714.378734]  ksys_read+0xb4/0x140
[  714.378738]  __x64_sys_read+0x43/0x50
[  714.378741]  do_syscall_64+0x78/0x170
[  714.378745]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  714.379066] The buggy address belongs to the object at ffff8801f3c76600
                which belongs to the cache kmalloc-4096 of size 4096
[  714.381679] The buggy address is located 3224 bytes inside of
                4096-byte region [ffff8801f3c76600, ffff8801f3c77600)
[  714.384061] The buggy address belongs to the page:
[  714.385168] page:ffffea0007cf1c00 count:1 mapcount:0 mapping:ffff8801f68028c0 index:0x0 compound_mapcount: 0
[  714.387120] flags: 0x2ffff0000008100(slab|head)
[  714.388045] raw: 02ffff0000008100 ffffea0007714c00 0000000200000002 ffff8801f68028c0
[  714.389706] raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
[  714.391246] page dumped because: kasan: bad access detected

[  714.392710] Memory state around the buggy address:
[  714.393790]  ffff8801f3c77180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  714.395237]  ffff8801f3c77200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  714.396659] >ffff8801f3c77280: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[  714.398105]                             ^
[  714.398913]  ffff8801f3c77300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  714.400345]  ffff8801f3c77380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  714.401788] ==================================================================
[  714.403218] Disabling lock debugging due to kernel taint
[  714.404611] BUG: unable to handle kernel paging request at ffff8801f3cc6000
[  714.406036] PGD 1351f1067 P4D 1351f1067 PUD 23fffc067 PMD 1ee365063 PTE 80000001f3cc6061
[  714.407667] Oops: 0003 [#1] SMP KASAN PTI
[  714.407967] show_signal_msg: 5 callbacks suppressed
[  714.407973] in:imklog[943]: segfault at 8 ip 00007fd470cbbdd4 sp 00007fd46f5c4380 error 4
[  714.408479] CPU: 1 PID: 1388 Comm: mount Tainted: G    B             4.18.0-rc1+ #5
[  714.409540]  in libc-2.23.so[7fd470c3a000+1c0000]
[  714.415560] Code: 08 00 00 41 83 ee 01 4d 89 45 18 49 89 7d 10 4c 89 6f 18 4d 89 68 10 0f 84 a0 03 00 00 4c 8b 6b 70 4d 39 e5 0f 84 93 03 00 00 <49> 8b 75 08 4d 8b 7d 18 48 83 fe 10 0f 86 5a 01 00 00 48 3b b3 80
[  714.411147] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  714.413704] RIP: 0010:init_sb+0x3a4/0x6b0
[  714.416368] Code: 00 4c 39 f8 0f 85 82 02 00 00 41 bf 02 00 00 00 45 89 fd 41 83 c7 01 49 83 c5 28 4a 8d 7c eb 08 e8 81 61 b0 ff 4c 89 e1 31 d2 <4e> 89 74 eb 08 49 0f af ce 48 89 c8 49 f7 f4 4c 39 f0 49 89 ce 40
[  714.419731] RSP: 0018:ffff8801e0aa78a0 EFLAGS: 00010246
[  714.419735] RAX: 0000000000000000 RBX: ffff8801f3c76600 RCX: 00000000fffffffd
[  714.419739] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801f3cc6000
[  714.420533] RBP: ffff8801e0aa7990 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  714.423278] R10: 0000000000000001 R11: ffffed003ede3eba R12: 00000000fffffffd
[  714.426099] R13: 0000000000009f3f R14: 0000000000000000 R15: 0000000000009f18
[  714.427875] FS:  00007f7298b31840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  714.427878] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  714.427880] CR2: ffff8801f3cc6000 CR3: 00000001dda8e000 CR4: 00000000000006e0
[  714.427896] Call Trace:
[  714.429689]  ? gfs2_lookup_root+0xc0/0xc0
[  714.431456]  ? gfs2_glock_nq_num+0xcd/0x160
[  714.433424]  fill_super+0xc99/0x1400
[  714.435960]  ? fill_super+0xc99/0x1400
[  714.435967]  ? gfs2_online_uevent+0x170/0x170
[  714.435972]  ? gfs2_glock_nq_num+0xcd/0x160
[  714.435976]  ? snprintf+0x96/0xd0
[  714.435982]  ? vsprintf+0x20/0x20
[  714.436847]  ? set_blocksize+0x90/0x140
[  714.438123]  gfs2_mount+0x367/0x3c2
[  714.439314]  ? gfs2_mount+0x367/0x3c2
[  714.440390]  ? fill_super+0x1400/0x1400
[  714.442120]  ? memcpy+0x45/0x50
[  714.443614]  mount_fs+0x60/0x1a0
[  714.443619]  ? alloc_vfsmnt+0x309/0x360
[  714.443624]  vfs_kern_mount+0x6b/0x1a0
[  714.443629]  do_mount+0x34a/0x18c0
[  714.443634]  ? lockref_put_or_lock+0xcf/0x160
[  714.443640]  ? copy_mount_string+0x20/0x20
[  714.444670]  ? memcg_kmem_put_cache+0x1b/0xa0
[  714.445910]  ? kasan_check_write+0x14/0x20
[  714.446966]  ? _copy_from_user+0x6a/0x90
[  714.448059]  ? memdup_user+0x42/0x60
[  714.449200]  ksys_mount+0x83/0xd0
[  714.450197]  __x64_sys_mount+0x67/0x80
[  714.451610]  do_syscall_64+0x78/0x170
[  714.451615]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  714.451618] RIP: 0033:0x7f7298411b9a
[  714.451619] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[  714.456028] RSP: 002b:00007ffedbc22008 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[  714.456032] RAX: ffffffffffffffda RBX: 000000000067e030 RCX: 00007f7298411b9a
[  714.456035] RDX: 000000000067e210 RSI: 000000000067ff30 RDI: 0000000000686ec0
[  714.456037] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[  714.456039] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000686ec0
[  714.456044] R13: 000000000067e210 R14: 0000000000000000 R15: 0000000000000003
[  714.464037] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl crct10dif_pclmul drm_kms_helper crc32_pclmul aesni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aes_x86_64 crypto_simd drm cryptd glue_helper 8139cp mii floppy pata_acpi
[  714.497101] CR2: ffff8801f3cc6000
[  714.497112] ---[ end trace ca288c45eff59b79 ]---
[  714.498207] RIP: 0010:init_sb+0x3a4/0x6b0
[  714.498977] Code: 00 4c 39 f8 0f 85 82 02 00 00 41 bf 02 00 00 00 45 89 fd 41 83 c7 01 49 83 c5 28 4a 8d 7c eb 08 e8 81 61 b0 ff 4c 89 e1 31 d2 <4e> 89 74 eb 08 49 0f af ce 48 89 c8 49 f7 f4 4c 39 f0 49 89 ce 40
[  714.507644] RSP: 0018:ffff8801e0aa78a0 EFLAGS: 00010246
[  714.507650] RAX: 0000000000000000 RBX: ffff8801f3c76600 RCX: 00000000fffffffd
[  714.508517] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801f3cc6000
[  714.509501] RBP: ffff8801e0aa7990 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  714.511318] R10: 0000000000000001 R11: ffffed003ede3eba R12: 00000000fffffffd
[  714.512592] R13: 0000000000009f3f R14: 0000000000000000 R15: 0000000000009f18
[  714.524433] BUG: Bad rss-counter state mm:0000000096943bbf idx:1 val:35
[  714.525287] FS:  00007f7298b31840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  714.536699] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  714.537979] CR2: ffff8801f3cc6000 CR3: 00000001dda8e000 CR4: 00000000000006e0
[  714.542601] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  714.544193] PGD 80000001e4ee5067 P4D 80000001e4ee5067 PUD 1f3d45067 PMD 0
[  714.545685] Oops: 0010 [#2] SMP KASAN PTI
[  714.546499] CPU: 0 PID: 1156 Comm: kworker/u4:0 Tainted: G    B D           4.18.0-rc1+ #5
[  714.548133] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  714.550124] Workqueue: events_unbound flush_to_ldisc
[  714.551114] RIP: 0010:          (null)
[  714.551857] Code: Bad RIP value.
[  714.552529] RSP: 0018:ffff8801e4bf7ac0 EFLAGS: 00010046
[  714.553689] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: 0000000000000001
[  714.555083] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801f3cbf9d0
[  714.556482] RBP: ffff8801e4bf7b18 R08: 0000000000000001 R09: 0000000000000000
[  714.557990] R10: 0000000000000001 R11: ffffed003cdab554 R12: ffff8801e6d5aaa8
[  714.559389] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801f3cbf9d0
[  714.560788] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  714.562483] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  714.563616] CR2: ffffffffffffffd6 CR3: 00000001efae4000 CR4: 00000000000006f0
[  714.565123] Call Trace:
[  714.565644]  ? __wake_up_common+0xc6/0x1e0
[  714.566473]  __wake_up_common_lock+0xea/0x190
[  714.567346]  ? __wake_up_common+0x1e0/0x1e0
[  714.568188]  ? update_load_avg+0x898/0xc80
[  714.569115]  __wake_up+0x13/0x20
[  714.569777]  n_tty_receive_buf_common+0x400/0x10f0
[  714.570728]  ? pick_next_task_fair+0x60a/0xb40
[  714.571635]  ? __switch_to+0x3a1/0x6e0
[  714.572388]  n_tty_receive_buf2+0x14/0x20
[  714.573220]  tty_ldisc_receive_buf+0x65/0xe0
[  714.574087]  ? n_tty_receive_buf_common+0x10f0/0x10f0
[  714.575098]  tty_port_default_receive_buf+0x54/0x80
[  714.576074]  flush_to_ldisc+0x13d/0x170
[  714.576853]  process_one_work+0x302/0x770
[  714.577679]  worker_thread+0x81/0x6d0
[  714.578425]  kthread+0x180/0x1d0
[  714.579083]  ? rescuer_thread+0x710/0x710
[  714.579891]  ? kthread_associate_blkcg+0x150/0x150
[  714.580852]  ret_from_fork+0x35/0x40
[  714.581587] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl crct10dif_pclmul drm_kms_helper crc32_pclmul aesni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aes_x86_64 crypto_simd drm cryptd glue_helper 8139cp mii floppy pata_acpi
[  714.590871] CR2: 0000000000000000
[  714.591546] ---[ end trace ca288c45eff59b7a ]---
[  714.592473] RIP: 0010:init_sb+0x3a4/0x6b0
[  714.593288] Code: 00 4c 39 f8 0f 85 82 02 00 00 41 bf 02 00 00 00 45 89 fd 41 83 c7 01 49 83 c5 28 4a 8d 7c eb 08 e8 81 61 b0 ff 4c 89 e1 31 d2 <4e> 89 74 eb 08 49 0f af ce 48 89 c8 49 f7 f4 4c 39 f0 49 89 ce 40
[  714.597035] RSP: 0018:ffff8801e0aa78a0 EFLAGS: 00010246
[  714.598074] RAX: 0000000000000000 RBX: ffff8801f3c76600 RCX: 00000000fffffffd
[  714.599481] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801f3cc6000
[  714.600883] RBP: ffff8801e0aa7990 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  714.602314] R10: 0000000000000001 R11: ffffed003ede3eba R12: 00000000fffffffd
[  714.603733] R13: 0000000000009f3f R14: 0000000000000000 R15: 0000000000009f18
[  714.605155] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  714.606758] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  714.607905] CR2: ffffffffffffffd6 CR3: 00000001efae4000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/gfs2/ops_fstype.c#L322
	for (x = 2;; x++) {
		u64 space, d;
		u32 m;

		space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
		d = space;
		m = do_div(d, sdp->sd_inptrs);

		if (d != sdp->sd_heightsize[x - 1] || m)
			break;
		sdp->sd_heightsize[x] = space;
	}
x can run past the end of sd_heightsize in this loop.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
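The loop quoted in the Location section, rebuilt as an added user-space example (not the kernel's code and not the fix referenced in comment 1) with the bound the original lacks: it mirrors the do_div overflow test with plain 64-bit division and rejects a geometry that never overflows within GFS2_MAX_META_HEIGHT levels instead of writing past sd_heightsize. The on-disk constants come from the GFS2 format; the block size 232 used as the corrupt case is constructed for illustration, not read from the attached image.

```c
#include <errno.h>
#include <stdint.h>

/* On-disk constants of the GFS2 format (not values from this bug report). */
#define GFS2_MAX_META_HEIGHT  10
#define GFS2_DINODE_SIZE      232u  /* sizeof(struct gfs2_dinode) */
#define GFS2_META_HEADER_SIZE 24u   /* sizeof(struct gfs2_meta_header) */

/* The fields of struct gfs2_sbd that the quoted loop reads and writes. */
struct sb_geometry {
	uint32_t bsize;                                /* sb_bsize */
	uint32_t diptrs, inptrs;                       /* sd_diptrs, sd_inptrs */
	uint64_t heightsize[GFS2_MAX_META_HEIGHT + 1]; /* sd_heightsize */
	unsigned int max_height;                       /* sd_max_height */
};

/* Bounded rewrite of the loop quoted from gfs2_read_sb(): the original only
 * exits when heightsize[x-1] * inptrs overflows 64 bits; this version also
 * stops at the last array slot and reports a geometry that never overflows
 * (for example heightsize[1] == 0) as -EINVAL instead of writing past the array. */
static int compute_heightsize(struct sb_geometry *g)
{
	unsigned int x;
	/* Block sizes smaller than a dinode would wrap the subtractions below. */
	if (g->bsize < GFS2_DINODE_SIZE)
		return -EINVAL;
	g->diptrs = (g->bsize - GFS2_DINODE_SIZE) / sizeof(uint64_t);
	g->inptrs = (g->bsize - GFS2_META_HEADER_SIZE) / sizeof(uint64_t);
	g->heightsize[0] = g->bsize - GFS2_DINODE_SIZE;
	g->heightsize[1] = (uint64_t)g->bsize * g->diptrs;

	for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
		uint64_t space = g->heightsize[x - 1] * g->inptrs;
		/* Overflow test as in the kernel: divide back and compare. */
		if (space / g->inptrs != g->heightsize[x - 1] || space % g->inptrs)
			break;
		g->heightsize[x] = space;
	}
	if (x > GFS2_MAX_META_HEIGHT)
		return -EINVAL;	/* corrupted geometry: the loop never terminated */
	g->max_height = x;
	g->heightsize[x] = ~0ULL;
	return 0;
}

/* Convenience wrapper: metadata tree height for a block size, or a negative errno. */
static int max_height_for(uint32_t bsize)
{
	struct sb_geometry g = { .bsize = bsize };
	int err = compute_heightsize(&g);
	return err ? err : (int)g.max_height;
}
```

For a well-formed 4 KiB block size the loop stops after six levels, for 512-byte blocks exactly at GFS2_MAX_META_HEIGHT, and a 232-byte block size (diptrs == 0, so heightsize[1] == 0 and nothing ever overflows) is rejected where the unbounded original would keep writing.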
Comment 1 Andy Price 2021-01-12 11:43:58 UTC
Fixed by 0ddc5154b24c96f20e94d653b0a814438de6032b - thanks.
