Bug 216540 - FUZZ: kernel BUG at kernel BUG at fs/ext4/ext4.h:2413 when mount and operate on crafted image
Summary: FUZZ: kernel BUG at kernel BUG at fs/ext4/ext4.h:2413 when mount and operate ...
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: ext4 (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-28 22:41 UTC by Wenqing Liu
Modified: 2022-09-28 22:41 UTC (History)
1 user (show)

See Also:
Kernel Version: 5.15.71, 6.0-rc7
Tree: Mainline
Regression: No


Attachments
poc and .config (68.26 KB, application/zip)
2022-09-28 22:41 UTC, Wenqing Liu
Details

Description Wenqing Liu 2022-09-28 22:41:10 UTC
Created attachment 301891 [details]
poc and .config

- Overview 
FUZZ: kernel BUG at fs/ext4/ext4.h:ext4_rec_len_to_disk() when mount and operate on crafted image

- Reproduce 
Tested on kernel 5.15.71, 6.0-rc7

# mkdir test_crash
# cd test_crash 
# unzip ext4_247.zip
# mkdir mnt
# ./single_test.sh ext4 247

-Kernel dump
[  800.153426] loop7: detected capacity change from 0 to 32768
[  800.189527] EXT4-fs (loop7): barriers disabled
[  800.199319] EXT4-fs (loop7): warning: mounting fs with errors, running e2fsck is recommended
[  800.206218] EXT4-fs (loop7): mounted filesystem with journalled data mode. Quota mode: none.
[  800.207555] ext4 filesystem being mounted at /home/wq/test_crashes/mt_crashes/mt_crashes/mnt supports timestamps until 2038 (0x7fffffff)
[  800.217041] EXT4-fs error (device loop7): htree_dirblock_to_tree:1093: inode #2: block 582: comm ls: bad entry in directory: rec_len is smaller than minimal - offset=780, inode=0, rec_len=0, size=1024 fake=0
[  800.465782] ------------[ cut here ]------------
[  800.467047] kernel BUG at fs/ext4/ext4.h:2413!
[  800.468264] invalid opcode: 0000 [#3] PREEMPT SMP KASAN NOPTI
[  800.469448] CPU: 3 PID: 2346 Comm: tmp247 Tainted: G      D            6.0.0-rc7 #1
[  800.470639] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[  800.471888] RIP: 0010:make_indexed_dir+0xd6c/0x1100
[  800.473089] Code: c9 48 89 ef ba 0b 02 00 00 48 c7 c6 00 17 79 88 e8 79 de 06 00 e9 71 fe ff ff bb 06 00 00 00 41 be 06 00 00 00 e9 70 f7 ff ff <0f> 0b 48 b8 00 00 00 00 00 fc ff df 48 8b 54 24 18 48 c1 ea 03 80
[  800.475608] RSP: 0018:ffffc900012376d8 EFLAGS: 00010202
[  800.476843] RAX: ffff888193057c13 RBX: ffff88819304abe8 RCX: 0000000000000000
[  800.478083] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88819304a817
[  800.479369] RBP: ffff888107934808 R08: 00000000000003ed R09: ffff8881880c6818
[  800.480606] R10: ffff8881880c6bff R11: ffffed1031018d7f R12: ffff8881880c6800
[  800.481849] R13: ffff88819304a813 R14: 0000000000000400 R15: ffff8881880c6810
[  800.483081] FS:  00007fed8f338540(0000) GS:ffff888293780000(0000) knlGS:0000000000000000
[  800.484352] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  800.485557] CR2: 00007fed8f25d720 CR3: 0000000152ea6005 CR4: 0000000000370ee0
[  800.486770] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  800.488011] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  800.489171] Call Trace:
[  800.490302]  <TASK>
[  800.491459]  ? ext4_dx_add_entry+0x2d40/0x2d40
[  800.492569]  ? add_dirent_to_buf+0x4a0/0x8a0
[  800.493670]  ? ext4_insert_dentry+0x650/0x650
[  800.494770]  ? __ext4_read_dirblock+0x31d/0xc70
[  800.495907]  ext4_add_entry+0x840/0xa90
[  800.496974]  ? make_indexed_dir+0x1100/0x1100
[  800.498017]  ext4_add_nondir+0x90/0x220
[  800.499032]  ext4_create+0x2dc/0x420
[  800.500062]  ? ext4_symlink+0x840/0x840
[  800.501033]  ? from_kgid+0x84/0xc0
[  800.501997]  path_openat+0x255b/0x3aa0
[  800.502955]  ? do_sys_openat2+0x256/0x680
[  800.503953]  ? path_lookupat.isra.0+0x490/0x490
[  800.504899]  ? _raw_spin_unlock_irqrestore+0x23/0x40
[  800.505818]  ? __stack_depot_save+0x1eb/0x540
[  800.506713]  do_filp_open+0x1b9/0x290
[  800.507623]  ? do_sys_truncate.part.0+0x82/0x100
[  800.508465]  ? do_syscall_64+0x38/0x90
[  800.509291]  ? may_open_dev+0xd0/0xd0
[  800.510107]  ? filename_lookup+0x236/0x3d0
[  800.510918]  ? ___slab_alloc+0x4e7/0x9a0
[  800.511770]  ? _raw_spin_lock+0x87/0xda
[  800.512558]  ? _raw_spin_lock_irqsave+0xf0/0xf0
[  800.513321]  ? __check_object_size+0x171/0x620
[  800.514057]  ? _raw_spin_unlock+0x15/0x30
[  800.514766]  ? alloc_fd+0x1bc/0x4f0
[  800.515494]  do_sys_openat2+0x336/0x680
[  800.516160]  ? file_open_root+0x220/0x220
[  800.516824]  ? security_file_permission+0x50/0x580
[  800.517490]  do_sys_open+0x8a/0xe0
[  800.518140]  ? filp_open+0x60/0x60
[  800.518771]  ? exit_to_user_mode_prepare+0x3d/0x150
[  800.519478]  do_syscall_64+0x38/0x90
[  800.520078]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  800.520665] RIP: 0033:0x7fed8f25d73d
[  800.521236] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 23 37 0d 00 f7 d8 64 89 01 48
[  800.522454] RSP: 002b:00007ffd508c7dc8 EFLAGS: 00000286 ORIG_RAX: 0000000000000002
[  800.523080] RAX: ffffffffffffffda RBX: 00005648bdddfc30 RCX: 00007fed8f25d73d
[  800.523761] RDX: 00000000000001b6 RSI: 0000000000000042 RDI: 00007ffd508c8bb0
[  800.524397] RBP: 00007ffd508cf620 R08: 00007ffd508cf718 R09: 00007ffd508cf718
[  800.525022] R10: 00007ffd508cf718 R11: 0000000000000286 R12: 00005648bdddd0a0
[  800.525639] R13: 00007ffd508cf710 R14: 0000000000000000 R15: 0000000000000000
[  800.526245]  </TASK>
[  800.526840] Modules linked in: joydev input_leds serio_raw qemu_fw_cfg xfs autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper hid_generic syscopyarea usbhid sysfillrect sysimgblt fb_sys_fops hid crct10dif_pclmul drm crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd psmouse
[  800.529689] ---[ end trace 0000000000000000 ]---
[  800.530404] RIP: 0010:ext4_read_inode_bitmap+0x682/0x1240
[  800.531175] Code: 80 3c 02 00 0f 85 ac 0b 00 00 49 8b 87 b8 02 00 00 8b 54 24 08 4c 8d 3c d0 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0b 00 00 4d 8b 3f e8 6c fa 78 ff 48 b8 00 00
[  800.532730] RSP: 0018:ffffc900007ff730 EFLAGS: 00010246
[  800.533517] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff11024f21407
[  800.534301] RDX: 0000000000000000 RSI: ffff88812ea2e0a8 RDI: ffff88812790a2b8
[  800.535095] RBP: 0000000000000000 R08: 0000000000000002 R09: ffffed1025d45c16
[  800.535887] R10: ffff88812ea2e0af R11: ffffed1025d45c15 R12: ffff888142dd7800
[  800.536687] R13: ffff888125c07000 R14: ffff88812ea2e0a8 R15: 0000000000000000
[  800.537507] FS:  00007fed8f338540(0000) GS:ffff888293780000(0000) knlGS:0000000000000000
[  800.538328] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  800.539197] CR2: 00007fed8f25d720 CR3: 0000000152ea6005 CR4: 0000000000370ee0
[  800.540034] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  800.540881] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Note You need to log in before you can comment on or make changes to this bug.