202763 – out-of-bound access in end_bio_extent_readpage() when mounting and operating a crafted btrfs image

Bug 202763 - out-of-bound access in end_bio_extent_readpage() when mounting and operating a crafted btrfs image

Summary: out-of-bound access in end_bio_extent_readpage() when mounting and operating ...

Status:	RESOLVED CODE_FIX

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	btrfs (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	BTRFS virtual assignee

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-03-04 21:03 UTC by Jungyeon
Modified:	2019-05-21 12:11 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	5.0-rc8
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
The (compressed) crafted image which causes crash (166.44 KB, application/zip) 2019-03-04 21:03 UTC, Jungyeon	Details
17.c (3.50 KB, text/x-csrc) 2019-03-04 21:03 UTC, Jungyeon	Details
Minimized test code (511 bytes, text/x-csrc) 2019-03-07 04:04 UTC, Jungyeon	Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Description Jungyeon 2019-03-04 21:03:29 UTC

Created attachment 281499 [details]
The (compressed) crafted image which causes crash

- Overview
After mounting crafted image, I got this kernel panic while running attached program.

- Produces
mkdir test
mount -t btrfs 17.img test
gcc 17.c
cp a.out test
cd test
./a.out

-
[  122.405625] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[  122.409410] #PF error: [normal kernel read fault]
[  122.411074] PGD 8000000235518067 P4D 8000000235518067 PUD 235493067 PMD 0 
[  122.413360] Oops: 0000 [#1] SMP PTI
[  122.414603] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W         5.0.0-rc8+ #9
[  122.417142] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  122.420117] RIP: 0010:end_bio_extent_readpage+0x146/0x660
[  122.421926] Code: 8b 4f 90 89 4d c0 0f 84 89 01 00 00 49 8b 85 40 fe ff ff 41 89 c9 49 89 f0 48 89 d9 4c 89 fa 48 8b 75 98 48 8b bd 70 ff ff ff <48> 8b 40 08 e8 61 d9 b0 00 85 c0 0f 85 5a 01 00 00 4d 8b 8d e0 fd
[  122.427996] RSP: 0018:ffff8e52b7a03cf8 EFLAGS: 00010202
[  122.429742] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  122.432120] RDX: ffffdca108d5ab00 RSI: 0000000000000000 RDI: ffff8e52ab9e8140
[  122.434584] RBP: ffff8e52b7a03da0 R08: 0000000000000fff R09: 0000000000000000
[  122.436766] R10: ffff8e52ab5ac000 R11: ffffffff8fdf3c80 R12: 0000000000001000
[  122.438941] R13: ffff8e52aae4cf60 R14: ffff8e52b560a000 R15: ffffdca108d5ab00
[  122.441312] FS:  0000000000000000(0000) GS:ffff8e52b7a00000(0000) knlGS:0000000000000000
[  122.445922] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  122.447848] CR2: 0000000000000008 CR3: 0000000231d48003 CR4: 00000000000206f0
[  122.450302] Call Trace:
[  122.451145]  <IRQ>
[  122.451848]  bio_endio+0xc4/0x140
[  122.453009]  blk_update_request+0x98/0x2e0
[  122.454405]  scsi_end_request+0x35/0x1a0
[  122.455736]  scsi_io_completion+0x93/0x670
[  122.457123]  ? ata_bmdma_port_intr+0x31/0xe0
[  122.458648]  scsi_finish_command+0xdc/0x130
[  122.460067]  scsi_softirq_done+0x142/0x160
[  122.461448]  blk_done_softirq+0x92/0xc0
[  122.462759]  __do_softirq+0xf9/0x2c3
[  122.463968]  irq_exit+0xca/0xd0
[  122.465035]  do_IRQ+0x57/0xe0
[  122.466057]  common_interrupt+0xf/0xf
[  122.467295]  </IRQ>
[  122.468022] RIP: 0010:native_safe_halt+0x6/0x10
[  122.469635] Code: 70 ff ff ff 7f 5d c3 65 48 8b 04 25 00 5c 01 00 3e 80 48 02 20 48 8b 00 a8 08 74 8b eb c1 90 90 90 90 90 90 55 48 89 e5 fb f4 <5d> c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 f4 5d c3 90 90 90 90 90
[  122.475811] RSP: 0018:ffffffff8fc03e00 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffdb
[  122.478334] RAX: ffffffff8f13b440 RBX: 0000000000000000 RCX: 0000000000000001
[  122.480696] RDX: ffff8e52b7a238c0 RSI: ffffffff8fc03dc8 RDI: 0000000000000000
[  122.483023] RBP: ffffffff8fc03e00 R08: 0000000000000004 R09: 00000000000002c6
[  122.485384] R10: ffffb9fe81233a68 R11: 0000000000000000 R12: 0000000000000000
[  122.487777] R13: ffffffff8fc2f740 R14: 0000000000000000 R15: 0000000000000000
[  122.490167]  ? __cpuidle_text_start+0x8/0x8
[  122.491576]  default_idle+0x20/0x150
[  122.492789]  arch_cpu_idle+0x15/0x20
[  122.494066]  default_idle_call+0x23/0x30
[  122.495392]  do_idle+0x1c8/0x280
[  122.496491]  cpu_startup_entry+0x1d/0x20
[  122.497822]  rest_init+0xaa/0xb0
[  122.498918]  arch_call_rest_init+0xe/0x1b
[  122.500269]  start_kernel+0x50e/0x52f
[  122.501511]  x86_64_start_reservations+0x24/0x26
[  122.503056]  x86_64_start_kernel+0x74/0x77
[  122.504435]  secondary_startup_64+0xa4/0xb0
[  122.505913] Modules linked in:
[  122.506951] CR2: 0000000000000008
[  122.508068] ---[ end trace 6f78050277132df2 ]---
[  122.509624] RIP: 0010:end_bio_extent_readpage+0x146/0x660
[  122.511425] Code: 8b 4f 90 89 4d c0 0f 84 89 01 00 00 49 8b 85 40 fe ff ff 41 89 c9 49 89 f0 48 89 d9 4c 89 fa 48 8b 75 98 48 8b bd 70 ff ff ff <48> 8b 40 08 e8 61 d9 b0 00 85 c0 0f 85 5a 01 00 00 4d 8b 8d e0 fd
[  122.517710] RSP: 0018:ffff8e52b7a03cf8 EFLAGS: 00010202
[  122.519464] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  122.521846] RDX: ffffdca108d5ab00 RSI: 0000000000000000 RDI: ffff8e52ab9e8140
[  122.524063] RBP: ffff8e52b7a03da0 R08: 0000000000000fff R09: 0000000000000000
[  122.526449] R10: ffff8e52ab5ac000 R11: ffffffff8fdf3c80 R12: 0000000000001000
[  122.528830] R13: ffff8e52aae4cf60 R14: ffff8e52b560a000 R15: ffffdca108d5ab00
[  122.531231] FS:  0000000000000000(0000) GS:ffff8e52b7a00000(0000) knlGS:0000000000000000
[  122.533937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  122.535855] CR2: 0000000000000008 CR3: 0000000231d48003 CR4: 00000000000206f0
[  122.538290] Kernel panic - not syncing: Fatal exception in interrupt
[  122.554214] Kernel Offset: 0xd400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[  122.557529] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Comment 1 Jungyeon 2019-03-04 21:03:47 UTC

Created attachment 281501 [details]
17.c

Comment 2 Jungyeon 2019-03-07 04:04:01 UTC

Created attachment 281557 [details]
Minimized test code

Attaching minimized version of program with the same result. (Plz use this)

Comment 3 David Sterba 2019-05-21 12:11:18 UTC

Fixed by 6bf9e4bd6a277 "btrfs: inode: Verify inode mode to avoid NULL pointer dereference", now in 5.2-rc1.

Note You need to log in before you can comment on or make changes to this bug.