Bug 210181 - KASAN: stack-out-of-bounds in check_root_item()
Summary: KASAN: stack-out-of-bounds in check_root_item()
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-13 01:50 UTC by Daniel Xu
Modified: 2020-11-13 01:50 UTC
CC List: 0 users

See Also:
Kernel Version: 5.10-rc3
Subsystem:
Regression: No
Bisected commit-id:


Attachments
fuzzed image (9.01 KB, application/zstd), 2020-11-13 01:50 UTC, Daniel Xu

Description Daniel Xu 2020-11-13 01:50:23 UTC
Created attachment 293655
fuzzed image

Found a KASAN crash while fuzzing images:
[    7.323015] BTRFS critical (device loop0): corrupt leaf: root=1 block=30556160 slot=3, invalid root item size, have 473 expect 439 or 239
[    7.330454] ==================================================================
[    7.332382] BUG: KASAN: stack-out-of-bounds in read_extent_buffer+0x163/0x260
[    7.334804] Write of size 473 at addr ffff88800953f5b8 by task kworker/u2:1/84
[    7.337118]
[    7.339136]
[    7.339473] The buggy address belongs to the page:
[    7.340464]
[    7.340764] addr ffff88800953f5b8 is located in stack of task kworker/u2:1/84 at offset 32 in frame:
[    7.343086]  check_root_item+0x0/0x480
[    7.343842]
[    7.344178] this frame has 1 object:
[    7.344909]  [32, 471) 'ri'
[    7.344916]
[    7.345794] Memory state around the buggy address:
[    7.346776]  ffff88800953f600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    7.348300]  ffff88800953f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    7.349577] >ffff88800953f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 07 f3 f3
[    7.350774]                                                           ^
[    7.353095]  ffff88800953f780: f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
[    7.354173]  ffff88800953f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    7.355203] ==================================================================
[    7.357470] BTRFS critical (device loop0): corrupt leaf: root=1 block=30556160 slot=4, bad key order, prev (2063597573 132 8192) current (6 1 0)
[    7.359746] BTRFS error (device loop0): block=30556160 read time tree block corruption detected
[    7.361979] BTRFS error (device loop0): bad tree block start, want 30523392 have 476771903232
[    7.364429] BTRFS critical (device loop0): corrupt leaf: root=18446744073709551607 block=30490624 slot=0 ino=256, unknown mode bit detected: 0x140000
[    7.366908] BTRFS error (device loop0): block=30490624 read time tree block corruption detected
[    7.368885] BTRFS error (device loop0): dev extent physical offset 13631488 on devid 1 doesn't have corresponding chunk
[    7.370457] BTRFS error (device loop0): failed to verify dev extents against chunks: -117
[    7.373526] BTRFS error (device loop0): open_ctree failed
Attached is a zstd-compressed fuzzed image.
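Reading the report above: the tree checker prints "invalid root item size, have 473 expect 439 or 239", yet KASAN then records a 473-byte write into the 439-byte stack object 'ri' in check_root_item's frame. So the mismatch was reported, but the copy from the leaf into the fixed-size stack object still ran. The following user-space C program is an added example, not code from the kernel or from this report, showing the defensive ordering a checker like this needs: validate the on-disk item size against the known layouts and return -EUCLEAN (the -117 seen later in the same log) before anything is copied. The struct and leaf shapes, the backing buffer and the 0xAB fill pattern are constructed stand-ins; only the two expected sizes and the bad size 473 come from the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EUCLEAN ("structure needs cleaning") is the errno btrfs returns for on-disk
 * corruption (the -117 in the log). Defined here only if errno.h lacks it. */
#ifndef EUCLEAN
#define EUCLEAN 117
#endif

/* From the report's "expect 439 or 239": the current root item layout and the
 * legacy (pre-generation_v2) one. */
#define ROOT_ITEM_SIZE        439u
#define LEGACY_ROOT_ITEM_SIZE 239u

/* Constructed stand-in for the kernel's root item: a fixed-size stack object,
 * like the 439-byte 'ri' frame object named in the KASAN report. */
struct root_item {
    uint8_t bytes[ROOT_ITEM_SIZE];
};

/* Constructed, simplified "leaf": a backing buffer plus one item's offset and
 * the size the on-disk metadata claims for it (the untrusted value). */
struct leaf {
    const uint8_t *data;
    size_t data_len;
    uint32_t item_off;
    uint32_t item_size;
};

/* Accept only the two known layouts. Returns 0 or -EUCLEAN. */
static int check_root_item_size(uint32_t item_size)
{
    if (item_size != ROOT_ITEM_SIZE && item_size != LEGACY_ROOT_ITEM_SIZE) {
        fprintf(stderr,
                "corrupt leaf: invalid root item size, have %u expect %u or %u\n",
                item_size, ROOT_ITEM_SIZE, LEGACY_ROOT_ITEM_SIZE);
        return -EUCLEAN;
    }
    return 0;
}

/* Copy the item into the fixed-size stack object only after the size check
 * rejected anything that does not fit. The early return is the point:
 * logging the mismatch without returning lets the copy run anyway. */
static int read_root_item(const struct leaf *leaf, struct root_item *ri)
{
    int ret = check_root_item_size(leaf->item_size);
    if (ret)
        return ret;
    /* The item must also lie inside the leaf's backing buffer. */
    if (leaf->item_off > leaf->data_len ||
        leaf->item_size > leaf->data_len - leaf->item_off)
        return -EUCLEAN;
    memset(ri, 0, sizeof(*ri));   /* a legacy item leaves the tail zeroed */
    memcpy(ri->bytes, leaf->data + leaf->item_off, leaf->item_size);
    return 0;
}

/* Builds a constructed leaf whose single item claims the given size and tries
 * to read it. Returns read_root_item()'s result; on success *filled receives
 * how many bytes of 'ri' carry the leaf's 0xAB fill pattern. */
static int try_item_size(uint32_t claimed_size, size_t *filled)
{
    static uint8_t backing[1024];
    struct leaf leaf = { backing, sizeof backing, 0, claimed_size };
    struct root_item ri;
    size_t n = 0;
    int ret;

    memset(backing, 0xAB, sizeof backing);
    ret = read_root_item(&leaf, &ri);
    if (ret == 0)
        for (size_t i = 0; i < sizeof ri.bytes; i++)
            if (ri.bytes[i] == 0xAB)
                n++;
    if (filled)
        *filled = n;
    return ret;
}

int main(void)
{
    const uint32_t sizes[] = { ROOT_ITEM_SIZE, LEGACY_ROOT_ITEM_SIZE, 473u };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t filled = 0;
        int ret = try_item_size(sizes[i], &filled);
        printf("claimed size %u -> ret %d, bytes copied %zu\n",
               sizes[i], ret, filled);
    }
    return 0;
}
```

Running it shows the two valid sizes copying exactly 439 and 239 bytes and the claimed size 473 being rejected with -117 before any copy, which is the behaviour the log indicates was missing: a size check that only reports cannot protect a fixed-size destination.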
