202767 – out-of-bound access in bio_endio while mounting and operating a crafted btrfs image

Bug 202767 - out-of-bound access in bio_endio while mounting and operating a crafted btrfs image

Summary: out-of-bound access in bio_endio while mounting and operating a crafted btrfs...

Status:	RESOLVED CODE_FIX

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	btrfs (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	BTRFS virtual assignee

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-03-04 21:16 UTC by Jungyeon
Modified:	2019-05-21 12:18 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	5.0-rc8
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
The (compressed) crafted image which causes crash (166.94 KB, application/zip) 2019-03-04 21:16 UTC, Jungyeon	Details
21.c (2.96 KB, text/x-csrc) 2019-03-04 21:16 UTC, Jungyeon	Details
Add an attachment (proposed patch, testcase, etc.)

Description Jungyeon 2019-03-04 21:16:09 UTC

Created attachment 281503 [details]
The (compressed) crafted image which causes crash

- Overview
After mounting crafted image, I got this segmentation fault while running attached program.

- Produces
mkdir test
mount -t btrfs 21.img test 
gcc 21.c
cp a.out test
cd test
./a.out

- Kernel messages
[  104.074760] BTRFS critical (device sdb): unable to find logical 1314033701376 length 4096
[  104.077789] general protection fault: 0000 [#1] SMP PTI
[  104.079734] CPU: 0 PID: 1152 Comm: a.out Tainted: G        W         5.0.0-rc8+ #9
[  104.081949] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  104.084169] RIP: 0010:bio_endio+0x5b/0x140
[  104.085215] Code: 5d c3 66 81 63 14 7f ff f6 43 12 01 74 13 48 83 7b 58 00 74 0c 48 89 df e8 42 a2 02 00 84 c0 74 d8 48 8b 43 08 48 85 c0 74 18 <48> 8b 80 08 04 00 00 48 8b 78 28 48 85 ff 74 08 48 89 de e8 2d 59
[  104.089845] RSP: 0018:ffffad778117fc68 EFLAGS: 00010282
[  104.091154] RAX: 98f9418998f94189 RBX: ffff90636b9e8cf0 RCX: 00000000fffffff0
[  104.092947] RDX: ffffffff91878720 RSI: ffffffffffffffff RDI: ffff90636b9e8cf0
[  104.094724] RBP: ffffad778117fc88 R08: 0000000000000001 R09: 0000000000000004
[  104.096509] R10: ffffe9c908b974c0 R11: ffffad778117f8ed R12: ffff90636b9e8cf0
[  104.098300] R13: 0000000000000000 R14: ffff906371d70000 R15: 0000000000000000
[  104.100081] FS:  00007fd2fc403700(0000) GS:ffff906377a00000(0000) knlGS:0000000000000000
[  104.102098] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  104.103539] CR2: 00007fd2fbf1e4c0 CR3: 000000022ffdc001 CR4: 00000000000206f0
[  104.105340] Call Trace:
[  104.105974]  btrfs_submit_bio_hook+0x91/0x180
[  104.107070]  submit_one_bio+0x5d/0x80
[  104.107997]  extent_read_full_page+0x56/0x70
[  104.109075]  btrfs_readpage+0x25/0x30
[  104.110005]  generic_file_read_iter+0x615/0xc70
[  104.111145]  ? __page_cache_alloc+0x20/0x20
[  104.112210]  __vfs_read+0x11f/0x1a0
[  104.113116]  vfs_read+0x95/0x140
[  104.113945]  ksys_read+0x55/0xc0
[  104.114774]  __x64_sys_read+0x1a/0x20
[  104.115709]  do_syscall_64+0x5a/0x110
[  104.116662]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  104.117936] RIP: 0033:0x7fd2fbf1e4d9
[  104.118845] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[  104.123461] RSP: 002b:00007fff4d6827f8 EFLAGS: 00000203 ORIG_RAX: 0000000000000000
[  104.125348] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd2fbf1e4d9
[  104.127126] RDX: 00000000000009e4 RSI: 00007fff4d6829f0 RDI: 0000000000000003
[  104.128918] RBP: 00007fff4d686a00 R08: 00007fff4d686ae8 R09: 00007fff4d686ae8
[  104.130706] R10: 00007fd2fc1f7ab0 R11: 0000000000000203 R12: 00000000004004e0
[  104.132487] R13: 00007fff4d686ae0 R14: 0000000000000000 R15: 0000000000000000
[  104.134276] Modules linked in:
[  104.135067] ---[ end trace 44723ca489b4896b ]---
[  104.136252] RIP: 0010:bio_endio+0x5b/0x140
[  104.137305] Code: 5d c3 66 81 63 14 7f ff f6 43 12 01 74 13 48 83 7b 58 00 74 0c 48 89 df e8 42 a2 02 00 84 c0 74 d8 48 8b 43 08 48 85 c0 74 18 <48> 8b 80 08 04 00 00 48 8b 78 28 48 85 ff 74 08 48 89 de e8 2d 59
[  104.141943] RSP: 0018:ffffad778117fc68 EFLAGS: 00010282
[  104.143249] RAX: 98f9418998f94189 RBX: ffff90636b9e8cf0 RCX: 00000000fffffff0
[  104.145052] RDX: ffffffff91878720 RSI: ffffffffffffffff RDI: ffff90636b9e8cf0
[  104.146819] RBP: ffffad778117fc88 R08: 0000000000000001 R09: 0000000000000004
[  104.148602] R10: ffffe9c908b974c0 R11: ffffad778117f8ed R12: ffff90636b9e8cf0
[  104.150379] R13: 0000000000000000 R14: ffff906371d70000 R15: 0000000000000000
[  104.152160] FS:  00007fd2fc403700(0000) GS:ffff906377a00000(0000) knlGS:0000000000000000
[  104.154189] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  104.155617] CR2: 00007fd2fbf1e4c0 CR3: 000000022ffdc001 CR4: 00000000000206f0
Segmentation fault (core dumped)

Comment 1 Jungyeon 2019-03-04 21:16:28 UTC

Created attachment 281505 [details]
21.c

Comment 2 David Sterba 2019-05-21 12:18:33 UTC

Thanks for the report. Fixed by 448de471cd4cab0ced "btrfs: Check the first key and level for cached extent buffer", now in 5.2-rc.

Note You need to log in before you can comment on or make changes to this bug.