Bug 200345 - Invalid memory access in free_bitmap_node() when mounting a reiserfs filesystem
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: ReiserFS
Hardware: All Linux
Importance: P1 normal
Assignee: ReiserFS developers team
Reported: 2018-06-28 20:38 UTC by Wen Xu
Modified: 2018-06-28 20:38 UTC

Kernel Version: 4.18
Regression: No


Attachments
The (compressed) crafted image which causes crash (67.67 KB, application/zip)
2018-06-28 20:38 UTC, Wen Xu

Description Wen Xu 2018-06-28 20:38:43 UTC
Created attachment 276999
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 22.img mnt

- Kernel message
[  263.183748] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  263.183804] REISERFS (device loop0): using ordered data mode
[  263.183810] reiserfs: using flush barriers
[  263.185791] REISERFS (device loop0): journal params: device loop0, size 8320, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  263.188198] REISERFS (device loop0): checking transaction log (loop0)
[  263.641303] REISERFS (device loop0): replayed 2 transactions in 0 seconds
[  264.487907] REISERFS warning: reiserfs-5090 is_tree_node: node level 0 does not match to the expected one -1
[  264.487915] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 0. Fsck?
[  264.489937] REISERFS (device loop0): Remounting filesystem read-only
[  264.489967] REISERFS error (device loop0): vs-13070 reiserfs_read_locked_inode: i/o failure occurred trying to find stat data of [1 2 0x0 SD]
[  264.492768] REISERFS warning: reiserfs-5090 is_tree_node: node level 0 does not match to the expected one -1
[  264.492772] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 0. Fsck?
[  264.495086] BUG: unable to handle kernel paging request at ffffc90000e77000
[  264.496504] PGD 1f697f067 P4D 1f697f067 PUD 1f6988067 PMD 1f424b067 PTE 0
[  264.497892] Oops: 0000 [#1] SMP KASAN PTI
[  264.498741] CPU: 1 PID: 1353 Comm: mount Not tainted 4.18.0-rc1+ #8
[  264.500005] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  264.501959] RIP: 0010:cleanup_bitmap_list.isra.11+0x1ca/0x250
[  264.503130] Code: 92 00 00 00 4c 89 f7 e8 c4 71 e9 ff 49 8b 0e 49 63 dd 48 8d 04 dd 00 00 00 00 48 8d 1c 01 48 89 45 d0 48 89 df e8 a6 71 e9 ff <48> 8b 1b 48 85 db 0f 84 70 ff ff ff 49 8d 7c 24 18 e8 90 71 e9 ff 
[  264.506914] RSP: 0018:ffff8801f11bf908 EFLAGS: 00010246
[  264.507981] RAX: 0000000000000000 RBX: ffffc90000e77000 RCX: ffffffffa550662a
[  264.509408] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90000e77000
[  264.510849] RBP: ffff8801f11bf960 R08: ffffed0039ac0001 R09: ffffed0039ac0001
[  264.512277] R10: 0000000000000001 R11: ffffed0039ac0000 R12: ffff8801e63b4500
[  264.513707] R13: 0000000000000200 R14: ffffc90000f0e190 R15: ffff8801f1a9f700
[  264.548358] FS:  00007f8a6212e840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  264.549983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  264.551159] CR2: ffffc90000e77000 CR3: 00000001f1d0c000 CR4: 00000000000006e0
[  264.552604] Call Trace:
[  264.553128]  free_list_bitmaps+0x35/0x70
[  264.553930]  free_journal_ram+0x8f/0x1e0
[  264.554746]  journal_release_error+0x55/0x70
[  264.555618]  reiserfs_fill_super+0x900/0x1550
[  264.556509]  ? finish_unfinished+0x940/0x940
[  264.557421]  ? netdev_bits+0x50/0x50
[  264.558185]  ? __asan_loadN+0xf/0x20
[  264.558932]  ? format_decode+0x2af/0x4a0
[  264.559736]  ? vsnprintf+0x55f/0x980
[  264.560472]  ? pointer+0x520/0x520
[  264.561198]  ? up_write+0x16/0x40
[  264.561886]  ? snprintf+0x96/0xd0
[  264.562583]  ? vsprintf+0x20/0x20
[  264.563279]  ? set_blocksize+0x90/0x140
[  264.564075]  mount_bdev+0x1c5/0x210
[  264.564793]  ? finish_unfinished+0x940/0x940
[  264.565665]  get_super_block+0x15/0x20
[  264.566445]  mount_fs+0x60/0x1a0
[  264.567123]  ? alloc_vfsmnt+0x309/0x360
[  264.567913]  vfs_kern_mount+0x6b/0x1a0
[  264.568684]  do_mount+0x34a/0x18c0
[  264.569412]  ? lockref_put_or_lock+0xcf/0x160
[  264.570304]  ? copy_mount_string+0x20/0x20
[  264.571151]  ? kasan_kmalloc+0xad/0xe0
[  264.571922]  ? kmem_cache_alloc_trace+0x102/0x200
[  264.572878]  ? copy_mount_options+0x4b/0x190
[  264.573753]  ? copy_mount_options+0xd5/0x190
[  264.574634]  ksys_mount+0x83/0xd0
[  264.575320]  __x64_sys_mount+0x67/0x80
[  264.576111]  do_syscall_64+0x78/0x170
[  264.576882]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  264.577922] RIP: 0033:0x7f8a61a0eb9a
[  264.578662] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 
[  264.582455] RSP: 002b:00007ffff18e8788 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  264.583963] RAX: ffffffffffffffda RBX: 0000000001a57030 RCX: 00007f8a61a0eb9a
[  264.585382] RDX: 0000000001a57210 RSI: 0000000001a58f50 RDI: 0000000001a5fee0
[  264.586821] RBP: 0000000000000000 R08: 0000000001a57230 R09: 0000000000000017
[  264.588248] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001a5fee0
[  264.589671] R13: 0000000001a57210 R14: 0000000000000000 R15: 0000000000000005
[  264.591115] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  264.600894] CR2: ffffc90000e77000
[  264.601585] ---[ end trace 2e85051acb5f6dc1 ]---
[  264.602540] RIP: 0010:cleanup_bitmap_list.isra.11+0x1ca/0x250
[  264.603695] Code: 92 00 00 00 4c 89 f7 e8 c4 71 e9 ff 49 8b 0e 49 63 dd 48 8d 04 dd 00 00 00 00 48 8d 1c 01 48 89 45 d0 48 89 df e8 a6 71 e9 ff <48> 8b 1b 48 85 db 0f 84 70 ff ff ff 49 8d 7c 24 18 e8 90 71 e9 ff 
[  264.607495] RSP: 0018:ffff8801f11bf908 EFLAGS: 00010246
[  264.608549] RAX: 0000000000000000 RBX: ffffc90000e77000 RCX: ffffffffa550662a
[  264.609984] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90000e77000
[  264.611422] RBP: ffff8801f11bf960 R08: ffffed0039ac0001 R09: ffffed0039ac0001
[  264.612846] R10: 0000000000000001 R11: ffffed0039ac0000 R12: ffff8801e63b4500
[  264.614275] R13: 0000000000000200 R14: ffffc90000f0e190 R15: ffff8801f1a9f700
[  264.615711] FS:  00007f8a6212e840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  264.617319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  264.618482] CR2: ffffc90000e77000 CR3: 00000001f1d0c000 CR4: 00000000000006e0

- Reason
Kernel crashes here: https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/journal.c#L186
	if (journal->j_free_bitmap_nodes > REISERFS_MAX_BITMAP_NODES) {
		kfree(bn->data);
		kfree(bn);

which indicates that `bn` passed in from cleanup_bitmap_list() is invalid.
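A user-space model of the bitmap-node pool that the quoted free_bitmap_node() belongs to, added here as an example; it is not the kernel's code and not the reporter's. It mirrors only the quoted kfree branch and the cached-list alternative, and goes a step beyond the report by showing a teardown that can safely be reached twice from an error path. The struct layouts, the free-list handling, the value of REISERFS_MAX_BITMAP_NODES and the demo_round_trip() helper are assumptions of this model.

```c
/* User-space model of the reiserfs journal bitmap-node pool. Added example, not
 * kernel code: structs and list handling are assumptions; only the quoted kfree
 * branch of free_bitmap_node() is mirrored. */
#include <stdlib.h>
#define REISERFS_MAX_BITMAP_NODES 100   /* assumed cap for this model */
#define BITMAP_BYTES 4096
struct bitmap_node { char *data; struct bitmap_node *next; };
struct journal {                        /* only what the quoted code touches */
    struct bitmap_node *free_head;      /* stands in for the j_bitmap_nodes list */
    int j_free_bitmap_nodes, j_used_bitmap_nodes; };
struct list_bitmap { struct bitmap_node **bitmaps; int nr; /* entries allocated */ };

static void free_bitmap_node(struct journal *j, struct bitmap_node *bn)
{
    j->j_used_bitmap_nodes--;
    if (j->j_free_bitmap_nodes > REISERFS_MAX_BITMAP_NODES) {
        free(bn->data); free(bn);       /* bn->data is the dereference that faults */
    } else {                            /* under the cap: cache the node for reuse */
        bn->next = j->free_head; j->free_head = bn;
        j->j_free_bitmap_nodes++;
    }
}

/* Teardown that is safe to reach from an error path: the loop bound is the size
 * the array was allocated with, and entries are cleared after release, so a
 * second call (journal_release_error after a partial init) releases nothing. */
static int cleanup_bitmap_list(struct journal *j, struct list_bitmap *jb)
{
    int freed = 0;
    if (!jb->bitmaps) return 0;
    for (int i = 0; i < jb->nr; i++) {
        if (!jb->bitmaps[i]) continue;
        free_bitmap_node(j, jb->bitmaps[i]);
        jb->bitmaps[i] = NULL; freed++;
    }
    return freed;
}

/* Round trip for the test: allocate three nodes, tear down twice, report nodes
 * freed on the second pass + 10 * nodes now cached in the pool (0 + 30). */
int demo_round_trip(void)
{
    struct journal j = {0};
    struct bitmap_node *arr[3] = {0}, *n;
    struct list_bitmap jb = { arr, 3 };
    for (int i = 0; i < 3; i++, j.j_used_bitmap_nodes++) {
        arr[i] = calloc(1, sizeof *arr[i]); arr[i]->data = calloc(1, BITMAP_BYTES);
    }
    cleanup_bitmap_list(&j, &jb);
    int again = cleanup_bitmap_list(&j, &jb), cached = j.j_free_bitmap_nodes;
    while ((n = j.free_head)) { j.free_head = n->next; free(n->data); free(n); }
    return again + 10 * cached;
}
```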

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
