Bug 202769 - out-of-bound access in __btrfs_cow_block while mounting and operating a crafted btrfs image
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-04 21:19 UTC by Jungyeon
Modified: 2019-05-21 12:19 UTC

See Also:
Kernel Version: 5.0-rc8
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (166.22 KB, application/zip), 2019-03-04 21:19 UTC, Jungyeon
22.c (2.53 KB, text/x-csrc), 2019-03-04 21:20 UTC, Jungyeon
Minimized test code (575 bytes, text/x-csrc), 2019-03-07 04:04 UTC, Jungyeon

Description Jungyeon 2019-03-04 21:19:55 UTC
Created attachment 281507
The (compressed) crafted image which causes crash

- Overview
After mounting the crafted image, I got this NULL pointer dereference while running the attached program.

- Reproduce
mkdir test
mount -t btrfs 22.img test
gcc 22.c
cp a.out test
cd test
./a.out
(and just wait a few seconds to get errors)

- Kernel messages
[   81.231074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[   81.233956] #PF error: [normal kernel read fault]
[   81.235685] PGD 80000002355cd067 P4D 80000002355cd067 PUD 2355cc067 PMD 0 
[   81.237940] Oops: 0000 [#1] SMP PTI
[   81.238835] CPU: 0 PID: 1134 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
[   81.240607] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   81.242862] RIP: 0010:__btrfs_cow_block+0x21f/0x580
[   81.244095] Code: 89 e2 48 89 de 4c 89 ef e8 be fa ff ff 85 c0 0f 85 61 02 00 00 48 8b 43 20 a8 02 0f 85 23 01 00 00 4c 3b 23 0f 84 a8 01 00 00 <49> 8b 86 98 00 00 00 48 2b 05 9b f2 1d 01 48 8b 15 a4 f2 1d 01 48
[   81.248776] RSP: 0018:ffffaaa4c122f9e8 EFLAGS: 00010202
[   81.250117] RAX: 0000000000000104 RBX: ffff8d2f6b7eb800 RCX: ffff8d2f70724a00
[   81.251909] RDX: ffff8d2d40000000 RSI: ffff8d2f6b347118 RDI: ffff8d2f75700000
[   81.253712] RBP: ffffaaa4c122fa60 R08: ffffaaa4c122fa18 R09: ffff8d2f6b322920
[   81.255508] R10: ffffaaa4c122f9e8 R11: ffff8d2f70724a00 R12: ffff8d2f6b347118
[   81.257303] R13: ffff8d2f6ae2b4e0 R14: 0000000000000000 R15: ffff8d2f6b347690
[   81.259111] FS:  0000000000000000(0000) GS:ffff8d2f77a00000(0000) knlGS:0000000000000000
[   81.261141] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   81.265238] CR2: 0000000000000098 CR3: 000000022e380002 CR4: 00000000000206f0
[   81.268691] Call Trace:
[   81.269927]  btrfs_cow_block+0xf8/0x1f0
[   81.271773]  btrfs_search_slot+0x447/0x920
[   81.273752]  btrfs_del_csums+0xc3/0x3a0
[   81.275594]  __btrfs_free_extent.isra.72+0x5a7/0xbe0
[   81.277941]  __btrfs_run_delayed_refs+0x539/0x1120
[   81.280044]  btrfs_run_delayed_refs+0xdb/0x1b0
[   81.281924]  btrfs_commit_transaction+0x52/0x950
[   81.283445]  ? start_transaction+0x94/0x450
[   81.284826]  transaction_kthread+0x163/0x190
[   81.286246]  kthread+0x105/0x140
[   81.287316]  ? btrfs_cleanup_transaction+0x560/0x560
[   81.288944]  ? kthread_destroy_worker+0x50/0x50
[   81.290233]  ret_from_fork+0x35/0x40
[   81.291397] Modules linked in:
[   81.292407] CR2: 0000000000000098
[   81.293505] ---[ end trace c9ebaababb72398a ]---
[   81.295035] RIP: 0010:__btrfs_cow_block+0x21f/0x580
[   81.296631] Code: 89 e2 48 89 de 4c 89 ef e8 be fa ff ff 85 c0 0f 85 61 02 00 00 48 8b 43 20 a8 02 0f 85 23 01 00 00 4c 3b 23 0f 84 a8 01 00 00 <49> 8b 86 98 00 00 00 48 2b 05 9b f2 1d 01 48 8b 15 a4 f2 1d 01 48
[   81.302344] RSP: 0018:ffffaaa4c122f9e8 EFLAGS: 00010202
[   81.304052] RAX: 0000000000000104 RBX: ffff8d2f6b7eb800 RCX: ffff8d2f70724a00
[   81.306391] RDX: ffff8d2d40000000 RSI: ffff8d2f6b347118 RDI: ffff8d2f75700000
[   81.308527] RBP: ffffaaa4c122fa60 R08: ffffaaa4c122fa18 R09: ffff8d2f6b322920
[   81.310849] R10: ffffaaa4c122f9e8 R11: ffff8d2f70724a00 R12: ffff8d2f6b347118
[   81.313156] R13: ffff8d2f6ae2b4e0 R14: 0000000000000000 R15: ffff8d2f6b347690
[   81.315390] FS:  0000000000000000(0000) GS:ffff8d2f77a00000(0000) knlGS:0000000000000000
[   81.317914] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   81.319781] CR2: 0000000000000098 CR3: 000000022e380002 CR4: 00000000000206f0
Comment 1 Jungyeon 2019-03-04 21:20:12 UTC
Created attachment 281509
22.c
Comment 2 Jungyeon 2019-03-07 04:04:54 UTC
Created attachment 281559
Minimized test code

Attaching a minimized version of the program with the same result. (Please use this.)
Comment 3 David Sterba 2019-05-21 12:19:07 UTC
Thanks for the report. Fixed by 448de471cd4cab0ced "btrfs: Check the first key and level for cached extent buffer", now in 5.2-rc.
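As an added illustration of the kind of check the fix's title names ("Check the first key and level for cached extent buffer"), here is a small constructed model, not the commit's diff and not kernel code: a parent node records where a child block lives, its level and its first key; the "unchecked" reader hands back a cached block as-is, while the "checked" reader refuses a cached block whose level or first key disagrees with the parent, which is the inconsistency a crafted image can plant. All names (model_eb, model_slot, read_block_unchecked, read_block_checked, verify_level_key), the block address 16384 and the keys are assumptions made up for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <errno.h>

#ifndef EUCLEAN
#define EUCLEAN 117   /* Linux "Structure needs cleaning"; defined for non-Linux builds */
#endif

/* Hypothetical, simplified model of the fields the check compares (not kernel code). */
struct model_key { uint64_t objectid; uint8_t type; uint64_t offset; };

/* A tree block as it sits in the in-memory cache. */
struct model_eb {
	uint64_t bytenr;
	int level;                  /* 0 = leaf, >0 = internal node */
	struct model_key first_key;
	int uptodate;
};

/* What the parent node claims about a child: address, level and first key. */
struct model_slot {
	uint64_t child_bytenr;
	int expected_level;
	struct model_key expected_key;
};

#define CACHE_SIZE 4
static struct model_eb cache[CACHE_SIZE];
static int cache_count;

static void cache_reset(void) { cache_count = 0; }

static void cache_insert(struct model_eb eb)
{
	if (cache_count < CACHE_SIZE)
		cache[cache_count++] = eb;
}

static struct model_eb *cache_lookup(uint64_t bytenr)
{
	for (int i = 0; i < cache_count; i++)
		if (cache[i].bytenr == bytenr)
			return &cache[i];
	return NULL;
}

/* Key ordering: objectid, then type, then offset. */
static int key_cmp(const struct model_key *a, const struct model_key *b)
{
	if (a->objectid != b->objectid) return a->objectid < b->objectid ? -1 : 1;
	if (a->type != b->type)         return a->type < b->type ? -1 : 1;
	if (a->offset != b->offset)     return a->offset < b->offset ? -1 : 1;
	return 0;
}

/* The cached block must carry the level and first key the parent expects;
 * anything else is inconsistent metadata and is reported as -EUCLEAN. */
int verify_level_key(const struct model_eb *eb, int level, const struct model_key *first_key)
{
	if (eb->level != level)
		return -EUCLEAN;
	if (key_cmp(&eb->first_key, first_key) != 0)
		return -EUCLEAN;
	return 0;
}

/* Before: a cached, up-to-date block is handed back without validation. */
struct model_eb *read_block_unchecked(const struct model_slot *slot, int *err)
{
	struct model_eb *eb = cache_lookup(slot->child_bytenr);
	if (!eb || !eb->uptodate) { *err = -EIO; return NULL; }  /* model: not cached = unreadable */
	*err = 0;
	return eb;
}

/* After: the cached block is validated against the parent's expectation first. */
struct model_eb *read_block_checked(const struct model_slot *slot, int *err)
{
	struct model_eb *eb = cache_lookup(slot->child_bytenr);
	if (!eb || !eb->uptodate) { *err = -EIO; return NULL; }
	*err = verify_level_key(eb, slot->expected_level, &slot->expected_key);
	return *err ? NULL : eb;
}

/* Constructed scenario: the parent says the child at 16384 is a level-1 node with
 * first key (256, 1, 0), but the cached block there is a leaf with another first
 * key. Returns 1 when the unchecked reader accepts it and the checked one rejects it. */
int demo_mismatch_rejected(void)
{
	struct model_eb crafted = { 16384, 0, { 1, 1, 0 }, 1 };
	struct model_slot slot = { 16384, 1, { 256, 1, 0 } };
	int err_old = 0, err_new = 0;
	cache_reset();
	cache_insert(crafted);
	struct model_eb *a = read_block_unchecked(&slot, &err_old);
	struct model_eb *b = read_block_checked(&slot, &err_new);
	return a != NULL && err_old == 0 && b == NULL && err_new == -EUCLEAN;
}

/* Constructed scenario: consistent metadata passes the checked reader. */
int demo_consistent_accepted(void)
{
	struct model_eb good = { 16384, 1, { 256, 1, 0 }, 1 };
	struct model_slot slot = { 16384, 1, { 256, 1, 0 } };
	int err = 0;
	cache_reset();
	cache_insert(good);
	return read_block_checked(&slot, &err) != NULL && err == 0;
}

int main(void)
{
	printf("mismatch rejected only by the checked reader: %d\n", demo_mismatch_rejected());
	printf("consistent block accepted: %d\n", demo_consistent_accepted());
	return 0;
}
```

The point of the model is where the check sits: a block that is already cached and marked up to date skips the on-disk read path, so any validation tied to that path is skipped too unless it is repeated when the cached buffer is handed out, which is what the checked reader does.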
