* Page fault in fs/ext4/namei.c: do_split when crafted image is mounted and operated
@ 2021-12-04 19:17 Wenqing Liu
From: Wenqing Liu @ 2021-12-04 19:17 UTC (permalink / raw)
  To: linux-ext4, linux-kernel


- Overview
Page fault in fs/ext4/namei.c: do_split when crafted image is mounted and operated

- Reproduce
Tested on kernel 5.16-rc3, 5.15.X, 5.4.X as root

# mkdir mnt
# mount -t ext4 tmp173.img mnt
# gcc -o tmp173 tmp173.c
# cp tmp173 mnt
# cd mnt
# ./tmp173


- Reason
Seems to be an integer underflow in fs/ext4/namei.c (line 1973): do_split, when split=0, dereferences map[split-1]

- Kernel dump
[   68.084727] loop0: detected capacity change from 0 to 32768
[   68.115775] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
[   68.115793] ext4 filesystem being mounted at /home/wq/test_crashes/crash_tests/mnt supports timestamps until 2038 (0x7fffffff)
[   80.025429] BUG: unable to handle page fault for address: ffff88891e93dbf0
[   80.025461] #PF: supervisor read access in kernel mode
[   80.025472] #PF: error_code(0x0000) - not-present page
[   80.025483] PGD 3401067 P4D 3401067 PUD 0
[   80.025493] Oops: 0000 [#1] PREEMPT SMP NOPTI
[   80.025505] CPU: 1 PID: 920 Comm: tmp173 Not tainted 5.16.0-rc3 #2
[   80.025518] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   80.025534] RIP: 0010:do_split+0x3be/0x8b0
[   80.025564] Code: c8 44 39 d0 0f 87 d0 03 00 00 41 83 e8 01 01 d1 41 83 c1 01 41 83 f8 ff 75 d6 44 89 f8 d1 e8 89 c2 8d 48 ff 48 8d 14 d6 8b 3a <39> 3c ce 89 7c 24 38 40 0f 94 c7 81 7c 24 18 00 00 04 00 40 0f b6
[   80.025598] RSP: 0018:ffffc90000c6fbf8 EFLAGS: 00010247
[   80.025609] RAX: 0000000000000000 RBX: ffff888105995730 RCX: 00000000ffffffff
[   80.025623] RDX: ffff88811e93dbf8 RSI: ffff88811e93dbf8 RDI: 0000000040ab9e92
[   80.025637] RBP: ffff888105c3f000 R08: 00000000ffffffff R09: 0000000000000001
[   80.025650] R10: 0000000000000200 R11: 00000000a0b6181c R12: ffffc90000c6fcf8
[   80.025664] R13: ffff88811e93dc00 R14: ffff88811e93dbf8 R15: 0000000000000001
[   80.025678] FS:  00007fb08a0f64c0(0000) GS:ffff8882f5c80000(0000) knlGS:0000000000000000
[   80.025696] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   80.025707] CR2: ffff88891e93dbf0 CR3: 000000010a7f4006 CR4: 0000000000370ee0
[   80.025723] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   80.025736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   80.025750] Call Trace:
[   80.025763]  make_indexed_dir+0x487/0x5d0
[   80.025775]  ext4_add_entry+0x376/0x410
[   80.025788]  ext4_add_nondir+0x2b/0xc0
[   80.025798]  ext4_symlink+0x2aa/0x450
[   80.025807]  vfs_symlink+0x105/0x1a0
[   80.025821]  do_symlinkat+0xde/0xf0
[   80.025830]  __x64_sys_symlink+0x37/0x40
[   80.025839]  do_syscall_64+0x37/0xb0
[   80.025857]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   80.025870] RIP: 0033:0x7fb089c00639
[   80.025878] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f8 2c 00 f7 d8 64 89 01 48
[   80.025912] RSP: 002b:00007fffcbbbe558 EFLAGS: 00000286 ORIG_RAX: 0000000000000058
[   80.025928] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb089c00639
[   80.025941] RDX: ffffffffffffff80 RSI: 00007fffcbbbe700 RDI: 00007fffcbbbe5e4
[   80.025955] RBP: 00007fffcbbc0910 R08: 00007fffcbbc09f8 R09: 00007fffcbbc09f8
[   80.025968] R10: 00007fffcbbc09f8 R11: 0000000000000286 R12: 000055f1994005f0
[   80.025982] R13: 00007fffcbbc09f0 R14: 0000000000000000 R15: 0000000000000000
[   80.026001] Modules linked in: joydev input_leds serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic psmouse usbhid aesni_intel crypto_simd cryptd hid
[   80.026946] CR2: ffff88891e93dbf0
[   80.027378] ---[ end trace f76e3850025c0375 ]---
[   80.027803] RIP: 0010:do_split+0x3be/0x8b0
[   80.028243] Code: c8 44 39 d0 0f 87 d0 03 00 00 41 83 e8 01 01 d1 41 83 c1 01 41 83 f8 ff 75 d6 44 89 f8 d1 e8 89 c2 8d 48 ff 48 8d 14 d6 8b 3a <39> 3c ce 89 7c 24 38 40 0f 94 c7 81 7c 24 18 00 00 04 00 40 0f b6
[   80.029143] RSP: 0018:ffffc90000c6fbf8 EFLAGS: 00010247
[   80.029602] RAX: 0000000000000000 RBX: ffff888105995730 RCX: 00000000ffffffff
[   80.030064] RDX: ffff88811e93dbf8 RSI: ffff88811e93dbf8 RDI: 0000000040ab9e92
[   80.030521] RBP: ffff888105c3f000 R08: 00000000ffffffff R09: 0000000000000001
[   80.030992] R10: 0000000000000200 R11: 00000000a0b6181c R12: ffffc90000c6fcf8
[   80.031430] R13: ffff88811e93dc00 R14: ffff88811e93dbf8 R15: 0000000000000001
[   80.031861] FS:  00007fb08a0f64c0(0000) GS:ffff8882f5c80000(0000) knlGS:0000000000000000
[   80.032293] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   80.032724] CR2: ffff88891e93dbf0 CR3: 000000010a7f4006 CR4: 0000000000370ee0
[   80.033167] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   80.033604] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Wenqing Liu

[-- Attachment #2: tmp173.zip --]
[-- Type: application/zip, Size: 55873 bytes --]
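A simplified model of the split-index choice the report describes, added here as an illustration (it is not kernel code, the reporter's PoC, or the kernel's fix): the size-balancing loop and the cut-down dx_map_entry are assumptions about do_split's shape, and the range check shows the defensive condition a caller needs before touching map[split - 1].

```c
/* Added example (not kernel code): a simplified model of how a do_split-style
 * routine picks the index at which a full directory block is divided, and why
 * a map with too few entries yields index 0, so map[split - 1] reads before
 * the array. The loop shape and the cut-down entry struct are assumptions. */

struct dx_map_entry {
    unsigned int hash;     /* name hash of the directory entry */
    unsigned short size;   /* on-disk size of the entry (8-byte stride overall) */
};

/* Unchecked computation: balance the halves by size, else split by count.
 * With count <= 1 the result is 0. */
int split_index_raw(const struct dx_map_entry *map, int count, int blocksize)
{
    int size = 0, move = 0, i;

    for (i = count - 1; i >= 0; i--) {
        /* stop once more than half of this entry would land in the 2nd half */
        if (size + map[i].size / 2 > blocksize / 2)
            break;
        size += map[i].size;
        move++;
    }
    return (i > 0) ? count - move : count / 2;
}

/* Hardened wrapper: the continuity test reads map[split] and map[split - 1],
 * so reject any split outside 1..count-1 instead of dereferencing map[-1].
 * In the oops above, RCX/R08 hold 0xffffffff (split - 1 as a 32-bit index)
 * and CR2 equals RDX + 0xffffffff * 8, i.e. one 8-byte entry "before" map.
 * Returns -1 when the block cannot be split (corrupted or crafted metadata). */
int split_index_checked(const struct dx_map_entry *map, int count, int blocksize)
{
    int split = split_index_raw(map, count, blocksize);

    return (split < 1 || split >= count) ? -1 : split;
}

/* 1 when the entries on both sides of the split share a hash; only meaningful
 * for a split returned by split_index_checked(). */
int split_is_continued(const struct dx_map_entry *map, int split)
{
    return map[split].hash == map[split - 1].hash;
}
```

Feeding split_index_raw a map of zero or one entries returns 0, the value the report names; split_index_checked rejects it instead of indexing map[-1].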


* Re: Page fault in fs/ext4/namei.c: do_split when crafted image is mounted and operated
From: Theodore Y. Ts'o @ 2021-12-05 20:44 UTC (permalink / raw)
  To: Wenqing Liu; +Cc: linux-ext4, linux-kernel

On Sat, Dec 04, 2021 at 02:17:52PM -0500, Wenqing Liu wrote:
> - Overview
> Page fault in fs/ext4/namei.c: do_split when crafted image is mounted and
> operated

This looks like another dup of these reports:

Message-ID: <CA+AJg7OHrVgbHuRi5Sqyt5v1PzN-OhG8NjKaanLY-_+OZPvkDA@mail.gmail.com>
Message-ID: <CA+AJg7NwCgxw65JbyWLbbq4aP-vbBzFMEn-=k6DrdTpWMBQbxQ@mail.gmail.com>

							- Ted


* Re: Page fault in fs/ext4/namei.c: do_split when crafted image is mounted and operated
From: Theodore Y. Ts'o @ 2021-12-05 20:42 UTC (permalink / raw)
  To: Liu Wenqing; +Cc: Andreas Dilger, linux-ext4, linux-kernel

On Sat, Dec 04, 2021 at 01:08:07PM -0500, Liu Wenqing wrote:
> 
> I have found a bug with our fuzzer, attached is the image, poc file and the
> .config file and the details are as follows.

Thanks for the report!  I've opened:

   https://bugzilla.kernel.org/show_bug.cgi?id=215227

to track this issue.

						- Ted
