Bug 97031 - Carefully crafted BTRFS-image causes userland tools to crash
Summary: Carefully crafted BTRFS-image causes userland tools to crash
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Josef Bacik
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-21 21:47 UTC by Lukas Lueg
Modified: 2016-09-03 18:50 UTC (History)
2 users (show)

See Also:
Kernel Version: 3.19.3-200.fc21.x86_64
Tree: Mainline
Regression: No

Attachments
BTRFS-Image causing userland tools to crash (24.73 KB, application/gzip)
2015-04-21 21:47 UTC, Lukas Lueg 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Lukas Lueg 2015-04-21 21:47:18 UTC 
Created attachment 174731 [details]
BTRFS-Image causing userland tools to crash

The btrfs-image attached to this bug causes the userland tools v3.19.1 to crash with a SIGFPE. The problem is that map->stripe_len in __btrfs_map_block() is allowed to be 0 before entering a division.

The userland tool crashes.
The kernel fails to mount with
> BTRFS: failed to read the system array on loop0
> BTRFS: open_ctree_failed



(gdb) run check btrfs_fukked_sigfpe_volumes:1372.bin
....
warning, device 0 is missing
warning, device 4294967295 is missing
warning, device 0 is missing
warning, device 0 is missing
warning, device 0 is missing
warning, device 0 is missing
warning, device 4294967295 is missing

Program received signal SIGFPE, Arithmetic exception.
0x000000000044d56f in __btrfs_map_block (map_tree=map_tree@entry=0x88c170, 
    rw=rw@entry=0, logical=<optimized out>, length=length@entry=0x7fffffffd8f0, 
    type=type@entry=0x0, multi_ret=multi_ret@entry=0x7fffffffd8e8, mirror_num=0, 
    raid_map_ret=0x0) at volumes.c:1372
1372		stripe_nr = stripe_nr / map->stripe_len;
(gdb) bt
#0  0x000000000044d56f in __btrfs_map_block (map_tree=map_tree@entry=0x88c170, 
    rw=rw@entry=0, logical=<optimized out>, length=length@entry=0x7fffffffd8f0, 
    type=type@entry=0x0, multi_ret=multi_ret@entry=0x7fffffffd8e8, mirror_num=0, 
    raid_map_ret=0x0) at volumes.c:1372
#1  0x000000000044db45 in btrfs_map_block (map_tree=map_tree@entry=0x88c170, 
    rw=rw@entry=0, logical=<optimized out>, length=length@entry=0x7fffffffd8f0, 
    multi_ret=multi_ret@entry=0x7fffffffd8e8, mirror_num=mirror_num@entry=0, 
    raid_map_ret=0x0) at volumes.c:1291
#2  0x000000000043b22d in read_whole_eb (info=0x88c010, eb=eb@entry=0x88f400, 
    mirror=mirror@entry=0) at disk-io.c:232
#3  0x000000000043caa2 in read_tree_block (root=root@entry=0x88c710, 
    bytenr=<optimized out>, blocksize=<optimized out>, parent_transid=5)
    at disk-io.c:295
#4  0x000000000043d5df in btrfs_setup_chunk_tree_and_device_map (
    fs_info=fs_info@entry=0x88c010) at disk-io.c:1106
#5  0x000000000043d7d1 in __open_ctree_fd (fp=fp@entry=3, 
    path=path@entry=0x7fffffffe1fa "btrfs_fukked_sigfpe_volumes:1372.bin", 
    sb_bytenr=65536, sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0, 
    flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:1190
#6  0x000000000043d965 in open_ctree_fs_info (
    filename=0x7fffffffe1fa "btrfs_fukked_sigfpe_volumes:1372.bin", 
    sb_bytenr=sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0, 
    flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:1231
#7  0x0000000000427bf5 in cmd_check (argc=1, argv=0x7fffffffde90) at cmds-check.c:9326
#8  0x000000000040e5a2 in main (argc=2, argv=0x7fffffffde90) at btrfs.c:245
(gdb) p map->stripe_len
$1 = 0
Comment 1 David Sterba 2016-09-03 18:50:38 UTC 
Does not crash with 4.7.1:

$ btrfs check image
ERROR: sys_array too short to read 159504 bytes at offset 17
Couldn't open file system

Image added to the testsuite. Thanks, closing.
Note You need to log in before you can comment on or make changes to this bug.