Created attachment 299989 [details]
poc and .config

- Overview

An array-index-out-of-bounds at fs/btrfs/struct-funcs.c:btrfs_get_16() reported by UBSAN when mounting a corrupted image

- Reproduce

tested on kernel 5.16-rc4

$ sudo mount tmp1.img mnt

- Kernel dump

[  350.411942] loop0: detected capacity change from 0 to 262144
[  350.427058] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/loop0 scanned by systemd-udevd (1044)
[  350.428564] BTRFS info (device loop0): disk space caching is enabled
[  350.428568] BTRFS info (device loop0): has skinny extents
[  350.429589] ================================================================================
[  350.429619] UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:161:1
[  350.429636] index 1048096 is out of range for type 'page *[16]'
[  350.429650] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
[  350.429652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  350.429653] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
[  350.429772] Call Trace:
[  350.429774]  <TASK>
[  350.429776]  dump_stack_lvl+0x47/0x5c
[  350.429780]  ubsan_epilogue+0x5/0x50
[  350.429786]  __ubsan_handle_out_of_bounds+0x66/0x70
[  350.429791]  btrfs_get_16+0xfd/0x120 [btrfs]
[  350.429832]  check_leaf+0x754/0x1a40 [btrfs]
[  350.429874]  ? filemap_read+0x34a/0x390
[  350.429878]  ? load_balance+0x175/0xfc0
[  350.429881]  validate_extent_buffer+0x244/0x310 [btrfs]
[  350.429911]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
[  350.429935]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
[  350.429969]  ? newidle_balance+0x259/0x480
[  350.429972]  end_workqueue_fn+0x29/0x40 [btrfs]
[  350.429995]  btrfs_work_helper+0x71/0x330 [btrfs]
[  350.430030]  ? __schedule+0x2fb/0xa40
[  350.430033]  process_one_work+0x1f6/0x400
[  350.430035]  ? process_one_work+0x400/0x400
[  350.430036]  worker_thread+0x2d/0x3d0
[  350.430037]  ? process_one_work+0x400/0x400
[  350.430038]  kthread+0x165/0x190
[  350.430041]  ? set_kthread_struct+0x40/0x40
[  350.430043]  ret_from_fork+0x1f/0x30
[  350.430047]  </TASK>
[  350.430047] ================================================================================
[  350.430077] BTRFS warning (device loop0): bad eb member start: ptr 0xffe20f4e start 20975616 member offset 4293005178 size 2
[  350.430092] general protection fault, probably for non-canonical address 0x8570240000f7a: 0000 [#1] PREEMPT SMP NOPTI
[  350.430114] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
[  350.430129] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  350.430146] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
[  350.430192] RIP: 0010:btrfs_get_16+0x83/0x120 [btrfs]
[  350.430231] Code: 8b 46 70 48 2b 05 2d 34 e6 d8 48 c1 f8 06 48 c1 e0 0c 48 03 05 2e 34 e6 d8 48 89 c3 e8 16 fb ff ff 49 81 fc ff 0f 00 00 74 24 <42> 0f b7 04 23 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 75 4d 48
[  350.430267] RSP: 0018:ffffa02bc0053bf8 EFLAGS: 00010297
[  350.430279] RAX: 0000000000000000 RBX: 0008570240000000 RCX: 0000000000000001
[  350.430294] RDX: 0000000000000000 RSI: ffffffff9932e181 RDI: 00000000ffffffff
[  350.430309] RBP: 00000000000ffe20 R08: 0000000000000000 R09: 0000000000000001
[  350.430323] R10: 0000000000000017 R11: 0000000000000034 R12: 0000000000000f7a
[  350.430353] R13: ffff93235139fa00 R14: ffff932351b9eb00 R15: 00000000ffe20f4e
[  350.430367] FS:  0000000000000000(0000) GS:ffff932535c00000(0000) knlGS:0000000000000000
[  350.430383] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  350.430395] CR2: 00007f5660a73d20 CR3: 000000010089a006 CR4: 0000000000370ef0
[  350.430411] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  350.430426] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  350.430440] Call Trace:
[  350.430445]  <TASK>
[  350.430451]  check_leaf+0x754/0x1a40 [btrfs]
[  350.430497]  ? filemap_read+0x34a/0x390
[  350.430507]  ? load_balance+0x175/0xfc0
[  350.430517]  validate_extent_buffer+0x244/0x310 [btrfs]
[  350.430552]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
[  350.430585]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
[  350.430625]  ? newidle_balance+0x259/0x480
[  350.430636]  end_workqueue_fn+0x29/0x40 [btrfs]
[  350.430667]  btrfs_work_helper+0x71/0x330 [btrfs]
[  350.430708]  ? __schedule+0x2fb/0xa40
[  350.430718]  process_one_work+0x1f6/0x400
[  350.430727]  ? process_one_work+0x400/0x400
[  350.430736]  worker_thread+0x2d/0x3d0
[  350.430745]  ? process_one_work+0x400/0x400
[  350.430754]  kthread+0x165/0x190
[  350.430763]  ? set_kthread_struct+0x40/0x40
[  350.430773]  ret_from_fork+0x1f/0x30
[  350.430782]  </TASK>
[  350.430787] Modules linked in: joydev input_leds serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic usbhid hid aesni_intel crypto_simd psmouse cryptd
[  350.431775] ---[ end trace e9e1c34113eb7f2f ]---
[  350.432216] RIP: 0010:btrfs_get_16+0x83/0x120 [btrfs]
[  350.432696] Code: 8b 46 70 48 2b 05 2d 34 e6 d8 48 c1 f8 06 48 c1 e0 0c 48 03 05 2e 34 e6 d8 48 89 c3 e8 16 fb ff ff 49 81 fc ff 0f 00 00 74 24 <42> 0f b7 04 23 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 75 4d 48
[  350.433583] RSP: 0018:ffffa02bc0053bf8 EFLAGS: 00010297
[  350.434064] RAX: 0000000000000000 RBX: 0008570240000000 RCX: 0000000000000001
[  350.434520] RDX: 0000000000000000 RSI: ffffffff9932e181 RDI: 00000000ffffffff
[  350.434967] RBP: 00000000000ffe20 R08: 0000000000000000 R09: 0000000000000001
[  350.435417] R10: 0000000000000017 R11: 0000000000000034 R12: 0000000000000f7a
[  350.435849] R13: ffff93235139fa00 R14: ffff932351b9eb00 R15: 00000000ffe20f4e
[  350.436280] FS:  0000000000000000(0000) GS:ffff932535c00000(0000) knlGS:0000000000000000
[  350.436709] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  350.437123] CR2: 00007f5660a73d20 CR3: 000000010089a006 CR4: 0000000000370ef0
[  350.437545] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  350.437946] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
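The numbers in the dump fit together: the "bad eb member" warning reports member offset 4293005178 (0xffe20f7a), and splitting that by 4 KiB pages gives page index 0xffe20 = 1048096, the index UBSAN reported, and in-page offset 0xf7a, the value sitting in R12 at the faulting instruction. The added C example below (written for this page, not code from the kernel or the reporter) models a 16-page extent buffer, performs that split, and shows a 16-bit accessor that checks the member against the buffer length before the page array is indexed, so a corrupted item offset can be rejected instead of becoming an out-of-range index. The 16 KiB buffer length, the `eb_model` type and every function name here are assumptions of the example; the report does not state the nodesize.

```c
/*
 * Added example, not kernel code: a model of the page lookup behind
 * btrfs_get_16() with the bounds check done BEFORE pages[] is indexed.
 * Page geometry mirrors a 4 KiB-page x86-64 build; EB_LEN (16 KiB) is an
 * assumption, the bug report does not say which nodesize the image used.
 */
#include <stdint.h>
#include <stdio.h>

#define EB_PAGE_SHIFT 12
#define EB_PAGE_SIZE  (1UL << EB_PAGE_SHIFT)
#define INLINE_EXTENT_BUFFER_PAGES 16   /* the 'page *[16]' array in the UBSAN line */
#define EB_LEN 16384UL                  /* assumed nodesize */

/* Minimal stand-in for a metadata block backed by a small array of pages. */
struct eb_model {
    unsigned long start;                          /* logical start of the block */
    unsigned long len;                            /* bytes of metadata it holds */
    unsigned char *pages[INLINE_EXTENT_BUFFER_PAGES];
};

/* Split a byte offset within the buffer into page index and offset in page. */
void eb_split_offset(unsigned long member_offset, unsigned long *idx, unsigned long *oip)
{
    *idx = member_offset >> EB_PAGE_SHIFT;
    *oip = member_offset & (EB_PAGE_SIZE - 1);
}

/*
 * Checked little-endian 16-bit read of the member at ptr + off.
 * Returns 0 and stores the value, or -1 when the member lies outside the
 * buffer (the condition the "bad eb member" warning in the dump describes).
 * The length check runs before pages[] is touched, so a corrupted item
 * offset never turns into an out-of-range array index.
 */
int eb_get_u16_checked(const struct eb_model *eb, unsigned long ptr,
                       unsigned long off, uint16_t *out)
{
    const unsigned long member_offset = ptr + off;
    const unsigned long size = sizeof(uint16_t);
    unsigned long idx, oip;
    uint8_t le[2];

    /* member_offset + size could wrap; compare in a form that cannot overflow */
    if (member_offset > eb->len || size > eb->len - member_offset)
        return -1;

    eb_split_offset(member_offset, &idx, &oip);
    if (idx >= INLINE_EXTENT_BUFFER_PAGES)   /* unreachable once len <= 16 pages; kept as a guard */
        return -1;

    /* The two bytes may straddle a page boundary, so fetch them one at a time. */
    for (unsigned long i = 0; i < size; i++) {
        unsigned long o = member_offset + i;
        le[i] = eb->pages[o >> EB_PAGE_SHIFT][o & (EB_PAGE_SIZE - 1)];
    }
    *out = (uint16_t)(le[0] | (le[1] << 8));
    return 0;
}

/* Constructed backing store for the demonstration buffer. */
static unsigned char backing[INLINE_EXTENT_BUFFER_PAGES][EB_PAGE_SIZE];

struct eb_model *make_demo_eb(void)
{
    static struct eb_model eb;
    eb.start = 20975616;            /* the start value printed in the dump */
    eb.len = EB_LEN;
    for (int i = 0; i < INLINE_EXTENT_BUFFER_PAGES; i++)
        eb.pages[i] = backing[i];
    /* constructed sample: little-endian 0x1234 straddling pages 0 and 1 */
    backing[0][EB_PAGE_SIZE - 1] = 0x34;
    backing[1][0] = 0x12;
    return &eb;
}

int main(void)
{
    struct eb_model *eb = make_demo_eb();
    unsigned long idx, oip;
    uint16_t v;

    /* Values from the report: ptr 0xffe20f4e plus off 0x2c = member offset 4293005178 */
    eb_split_offset(4293005178UL, &idx, &oip);
    printf("page index %lu (UBSAN: 1048096), offset in page 0x%lx (R12)\n", idx, oip);

    if (eb_get_u16_checked(eb, 0xffe20f4eUL, 0x2cUL, &v) < 0)
        printf("rejected: member offset beyond eb->len, pages[] never indexed\n");

    if (eb_get_u16_checked(eb, EB_PAGE_SIZE - 1, 0, &v) == 0)
        printf("in-bounds cross-page read: 0x%04x\n", v);
    return 0;
}
```

The order of operations is the point: computing the page address from the index first and validating afterwards leaves a window in which a hostile image controls the array subscript, which is exactly what the UBSAN line followed by the general protection fault shows. Validating the item offsets during tree-checker leaf validation has the same effect one level higher, which is why the trace passes through check_leaf().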
Thanks for the report. Fixed by https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/#t .
(In reply to David Sterba from comment #1)
> Thanks for the report. Fixed by
> https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/#t .

Hi David,

Thank you for your reply.
I have noticed that the fix is not for earlier versions, and when I tested it on earlier versions I got a general protection fault. Wondering if I can request a CVE for the bug with the current fix in this case?

Thanks,
Wenqing
(In reply to Wenqing Liu from comment #2)
> (In reply to David Sterba from comment #1)
> > Thanks for the report. Fixed by
> > https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/#t .
>
> Hi David,
>
> Thank you for your reply.
> I have noticed that the fix is not for earlier versions, and when I tested it
> on earlier versions I got a general protection fault. Wondering if I can
> request a CVE for the bug with the current fix in this case?
>
> Thanks,
> Wenqing

This is my fault. The bug is still unfixed. The link posted above is the fix for another bug also reported by you: https://bugzilla.kernel.org/show_bug.cgi?id=215289.