Bug 202761 - out-of-bound access in read_extent_buffer() when mounting and operating a crafted btrfs image
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-04 21:00 UTC by Jungyeon
Modified: 2019-05-21 12:18 UTC

See Also:
Kernel Version: 5.0-rc8
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (167.28 KB, application/zip)
2019-03-04 21:00 UTC, Jungyeon
16.c (1.90 KB, text/x-csrc)
2019-03-04 21:01 UTC, Jungyeon
Minimized test code (978 bytes, text/x-csrc)
2019-03-07 04:02 UTC, Jungyeon

Description Jungyeon 2019-03-04 21:00:45 UTC
Created attachment 281495
The (compressed) crafted image which causes crash

- Overview
After mounting the crafted image, I got this kernel panic while running the attached program.

- Produces
mkdir test
mount -t btrfs 16.img test 
gcc 16.c
cp a.out test
cd test
./a.out

- Kernel messages
[  144.814665] general protection fault: 0000 [#1] SMP PTI
[  144.816462] CPU: 0 PID: 1178 Comm: a.out Not tainted 5.0.0-rc8+ #9
[  144.818539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  144.820730] RIP: 0010:read_extent_buffer+0xab/0x140
[  144.821935] Code: 8b 32 48 29 c8 48 39 d8 48 0f 47 c3 48 2b 35 a4 ba 18 01 48 c1 fe 06 48 c1 e6 0c 48 03 35 a5 ba 18 01 48 01 ce 83 f8 08 72 a9 <48> 8b 0e 48 83 c2 08 49 89 0c 24 89 c1 48 8b 7c 0e f8 49 89 7c 0c
[  144.826527] RSP: 0018:ffffa13bc12dfba0 EFLAGS: 00010206
[  144.827825] RAX: 00000000000008f8 RBX: fffffffffffed8f8 RCX: 0000000000000708
[  144.829583] RDX: ffff9529afb838d8 RSI: ffece4e37e800708 RDI: ffff9529afb837a8
[  144.831682] RBP: ffffa13bc12dfbb0 R08: 0000000000001000 R09: ffffa13bc12dfb78
[  144.833907] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9529abeebb58
[  144.836264] R13: 0000000000000000 R14: 0000000004c00000 R15: 0000000000001000
[  144.838628] FS:  00007f1e42c0b700(0000) GS:ffff9529b7a00000(0000) knlGS:0000000000000000
[  144.840741] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  144.842224] CR2: 00007ffdb9b56f88 CR3: 00000002354e8003 CR4: 00000000000206f0
[  144.844105] Call Trace:
[  144.844772]  __btrfs_lookup_bio_sums+0x449/0x690
[  144.845998]  btrfs_lookup_bio_sums+0x16/0x20
[  144.849900]  btrfs_submit_bio_hook+0xc3/0x180
[  144.851219]  submit_one_bio+0x5d/0x80
[  144.852154]  extent_read_full_page+0x56/0x70
[  144.853233]  btrfs_readpage+0x25/0x30
[  144.854163]  generic_file_read_iter+0x615/0xc70
[  144.855311]  ? __page_cache_alloc+0x20/0x20
[  144.856365]  __vfs_read+0x11f/0x1a0
[  144.857247]  vfs_read+0x95/0x140
[  144.858065]  ksys_read+0x55/0xc0
[  144.858903]  __x64_sys_read+0x1a/0x20
[  144.859841]  do_syscall_64+0x5a/0x110
[  144.860776]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  144.862051] RIP: 0033:0x7f1e427264d9
[  144.862975] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[  144.867552] RSP: 002b:00007ffdb9b57188 EFLAGS: 00000203 ORIG_RAX: 0000000000000000
[  144.869414] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1e427264d9
[  144.871192] RDX: 00000000000009e4 RSI: 00007ffdb9b57310 RDI: 0000000000000003
[  144.872971] RBP: 00007ffdb9b5b320 R08: 00007ffdb9b5b408 R09: 00007ffdb9b5b408
[  144.874762] R10: 00007f1e429ffab0 R11: 0000000000000203 R12: 00000000004004e0
[  144.876528] R13: 00007ffdb9b5b400 R14: 0000000000000000 R15: 0000000000000000
[  144.878293] Modules linked in:
[  144.879121] ---[ end trace b6bb486fcc833d02 ]---
[  144.880296] RIP: 0010:read_extent_buffer+0xab/0x140
[  144.881527] Code: 8b 32 48 29 c8 48 39 d8 48 0f 47 c3 48 2b 35 a4 ba 18 01 48 c1 fe 06 48 c1 e6 0c 48 03 35 a5 ba 18 01 48 01 ce 83 f8 08 72 a9 <48> 8b 0e 48 83 c2 08 49 89 0c 24 89 c1 48 8b 7c 0e f8 49 89 7c 0c
[  144.886215] RSP: 0018:ffffa13bc12dfba0 EFLAGS: 00010206
[  144.887548] RAX: 00000000000008f8 RBX: fffffffffffed8f8 RCX: 0000000000000708
[  144.889328] RDX: ffff9529afb838d8 RSI: ffece4e37e800708 RDI: ffff9529afb837a8
[  144.891106] RBP: ffffa13bc12dfbb0 R08: 0000000000001000 R09: ffffa13bc12dfb78
[  144.892886] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9529abeebb58
[  144.894675] R13: 0000000000000000 R14: 0000000004c00000 R15: 0000000000001000
[  144.896460] FS:  00007f1e42c0b700(0000) GS:ffff9529b7a00000(0000) knlGS:0000000000000000
[  144.898499] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  144.899950] CR2: 00007ffdb9b56f88 CR3: 00000002354e8003 CR4: 00000000000206f0
Segmentation fault (core dumped)
Comment 1 Jungyeon 2019-03-04 21:01:03 UTC
Created attachment 281497
16.c
Comment 2 Jungyeon 2019-03-07 04:02:54 UTC
Created attachment 281555
Minimized test code

Attaching a minimized version of the program with the same result. (Please use this.)
Comment 3 David Sterba 2019-05-21 12:18:08 UTC
Thanks for the report. Fixed by 448de471cd4cab0ced "btrfs: Check the first key and level for cached extent buffer", now in 5.2-rc.
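Comment 3 names the fix only by its title. As an added illustration (not the kernel patch and not btrfs code), the userspace model below shows what "check the first key and level for a cached extent buffer" amounts to: a tree block taken from the cache is compared against the level and first key its parent pointer promises, and is rejected with -EUCLEAN instead of being parsed when the header disagrees. Struct and function names, and the sample key values, are assumptions.

```c
/* Added illustrative model (not the kernel patch) of the check named in the fix
 * "Check the first key and level for cached extent buffer": a cached tree block is
 * only trusted if its level and first key match what the parent pointer expects;
 * otherwise it is rejected with -EUCLEAN. All names here are assumptions. */
#include <errno.h>
#include <stdint.h>
#ifndef EUCLEAN
#define EUCLEAN 117   /* Linux value; defined here only for non-Linux builds */
#endif

struct disk_key { uint64_t objectid; uint8_t type; uint64_t offset; };

struct tree_block {           /* header fields of a cached block that this check inspects */
    uint8_t level;
    uint32_t nritems;
    struct disk_key first_key;
};

/* btrfs keys order by objectid, then type, then offset. */
static int key_cmp(const struct disk_key *a, const struct disk_key *b)
{
    if (a->objectid != b->objectid) return a->objectid < b->objectid ? -1 : 1;
    if (a->type != b->type)         return a->type < b->type ? -1 : 1;
    if (a->offset != b->offset)     return a->offset < b->offset ? -1 : 1;
    return 0;
}

/* expected_level and expected_first_key come from the parent's pointer to this
 * block. Returns 0 when the cached block is consistent, -EUCLEAN otherwise. */
int verify_level_key(const struct tree_block *eb, int expected_level,
                     const struct disk_key *expected_first_key)
{
    if (eb->level != expected_level)
        return -EUCLEAN;          /* wrong depth: item layout cannot be trusted */
    if (eb->nritems == 0)
        return -EUCLEAN;          /* a block reached via a parent key must hold an item */
    if (key_cmp(&eb->first_key, expected_first_key) != 0)
        return -EUCLEAN;          /* stale or forged block behind a valid-looking pointer */
    return 0;
}

/* Constructed sample: the parent says "leaf (level 0), first key (256, 1, 0)".
 * Returns verify_level_key() for a cached block carrying the given header fields. */
int check_cached_block(uint8_t level, uint32_t nritems, uint64_t first_offset)
{
    const struct disk_key parent_key = { 256, 1, 0 };
    struct tree_block eb = { level, nritems, { 256, 1, first_offset } };
    return verify_level_key(&eb, 0, &parent_key);
}
```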
