Created attachment 174961 [details] btrfs-image causing write/read access to unallocated memory Running btrfs-progs v3.19.1 The btrfs-image attached to this bug causes the btrfs-userland tool to overflow some data structures, leading to unallocated memory being written to and read from. A segfault results shortly after. Reproduced on x86-64 and i686. The kernel seems to be less affected and fails to mount the image. I didn't investigate whether the reads/writes could be used to gain control over $EIP. Since the first invalid write of 8 bytes seems to run into adjacent heap blocks (crash in unlink()), it may be possible though. gdb output: Program received signal SIGSEGV, Segmentation fault. malloc_consolidate (av=av@entry=0x32629b7cc0 <main_arena>) at malloc.c:4151 4151 unlink(av, p, bck, fwd); (gdb) bt #0 malloc_consolidate (av=av@entry=0x32629b7cc0 <main_arena>) at malloc.c:4151 #1 0x0000003262680628 in _int_malloc (av=av@entry=0x32629b7cc0 <main_arena>, bytes=bytes@entry=4224) at malloc.c:3420 #2 0x000000326268315e in __GI___libc_malloc (bytes=4224) at malloc.c:2896 #3 0x0000000000449d15 in __alloc_extent_buffer (tree=0x88c078, bytenr=4288512, blocksize=4096) at extent_io.c:541 #4 0x000000000044a8b4 in alloc_extent_buffer (tree=0x88c078, bytenr=4288512, blocksize=4096) at extent_io.c:648 #5 0x000000000043b1a0 in btrfs_find_create_tree_block (root=root@entry=0x895840, bytenr=<optimized out>, blocksize=<optimized out>) at disk-io.c:159 #6 0x000000000043ca4e in read_tree_block (root=root@entry=0x895840, bytenr=<optimized out>, blocksize=<optimized out>, parent_transid=13) at disk-io.c:287 #7 0x000000000043ccb7 in find_and_setup_root (tree_root=0x88c250, fs_info=<optimized out>, objectid=5, root=0x895840) at disk-io.c:557 #8 0x000000000043ce92 in btrfs_read_fs_root_no_cache (fs_info=fs_info@entry=0x88c010, location=location@entry=0x7fffffffd960) at disk-io.c:640 #9 0x000000000043d060 in btrfs_read_fs_root (fs_info=fs_info@entry=0x88c010, location=location@entry=0x7fffffffd960) at disk-io.c:739 #10 0x000000000043d48c in btrfs_setup_all_roots (fs_info=fs_info@entry=0x88c010, root_tree_bytenr=<optimized out>, root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:988 #11 0x000000000043d802 in __open_ctree_fd (fp=fp@entry=3, path=path@entry=0x7fffffffe20d "ramdisk/btrfs_fukked.bin", sb_bytenr=65536, sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:1199 #12 0x000000000043d965 in open_ctree_fs_info (filename=0x7fffffffe20d "ramdisk/btrfs_fukked.bin", sb_bytenr=sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:1231 #13 0x0000000000427bf5 in cmd_check (argc=1, argv=0x7fffffffdea0) at cmds-check.c:9326 #14 0x000000000040e5a2 in main (argc=2, argv=0x7fffffffdea0) at btrfs.c:245 valgrind output: ==32463== Memcheck, a memory error detector ==32463== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==32463== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info ==32463== Command: btrfs check ramdisk/btrfs_fukked.bin ==32463== ==32463== Invalid write of size 8 ==32463== at 0x4386FB: btrfs_search_slot (ctree.c:1119) ==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) ==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) ==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) ==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) ==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) ==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) ==32463== by 0x40E5A1: main (btrfs.c:245) ==32463== Address 0x4c409f0 is 16 bytes after a block of size 144 alloc'd ==32463== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==32463== by 0x4427AB: btrfs_read_block_groups (extent-tree.c:3162) ==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) ==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) ==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) ==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) ==32463== by 0x40E5A1: main (btrfs.c:245) ==32463== ==32463== Invalid read of size 8 ==32463== at 0x436E70: check_block.part.14 (ctree.c:548) ==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) ==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) ==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) ==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) ==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) ==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) ==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) ==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) ==32463== by 0x40E5A1: main (btrfs.c:245) ==32463== Address 0x4c409f8 is 24 bytes after a block of size 144 in arena "client" ==32463== ==32463== Invalid read of size 4 ==32463== at 0x436E84: UnknownInlinedFun (ctree.h:1605) ==32463== by 0x436E84: UnknownInlinedFun (ctree.h:1612) ==32463== by 0x436E84: check_block.part.14 (ctree.c:550) ==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) ==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) ==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) ==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) ==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) ==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) ==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) ==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) ==32463== by 0x40E5A1: main (btrfs.c:245) ==32463== Address 0x4c409e4 is 4 bytes after a block of size 144 alloc'd ==32463== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==32463== by 0x4427AB: btrfs_read_block_groups (extent-tree.c:3162) ==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) ==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) ==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) ==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) ==32463== by 0x40E5A1: main (btrfs.c:245) ==32463== ==32463== Invalid read of size 1 ==32463== at 0x4A0B3A0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==32463== by 0x436E99: UnknownInlinedFun (ctree.h:1613) ==32463== by 0x436E99: check_block.part.14 (ctree.c:550) ==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) ==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) ==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) ==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) ==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) ==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) ==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) ==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) ==32463== by 0x40E5A1: main (btrfs.c:245) ==32463== Address 0x1b1 is not stack'd, malloc'd or (recently) free'd ==32463== ==32463== ==32463== Process terminating with default action of signal 11 (SIGSEGV) ==32463== Access not within mapped region at address 0x1B1 ==32463== at 0x4A0B3A0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==32463== by 0x436E99: UnknownInlinedFun (ctree.h:1613) ==32463== by 0x436E99: check_block.part.14 (ctree.c:550) ==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) ==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) ==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) ==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) ==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) ==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) ==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) ==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) ==32463== by 0x40E5A1: main (btrfs.c:245)
Fix applied to btrfs-progs git. Thanks.
As of c061b303c08af7a58373908d0d77ef0f1161fd36 the problem is still there.
That's current master and version 4.0.1. The fix hasn't been released, but is available in the devel branch and will be part of the next release.