mirror of
https://github.com/kdave/btrfs-progs
synced 2024-12-25 23:52:17 +00:00
a365b84a32
A collection of several images that were produced in a non-standard way and cause various errors in check or image tools. They do not fit into the fsck tests as we're not able to repair any of them, but the tools should not crash or do out-of-bounds access. Signed-off-by: David Sterba <dsterba@suse.com>
138 lines
7.9 KiB
Plaintext
138 lines
7.9 KiB
Plaintext
URL: https://bugzilla.kernel.org/show_bug.cgi?id=97191
|
|
Lukas Lueg 2015-04-23 22:20:35 UTC
|
|
|
|
Running btrfs-progs v3.19.1
|
|
|
|
The btrfs-image attached to this bug causes the btrfs-userland tool to
|
|
overflow some data structures, leading to unallocated memory being written to
|
|
and read from. A segfault results shortly after. Reproduced on x86-64 and
|
|
i686.
|
|
|
|
The kernel seems to be less affected and fails to mount the image. I didn't
|
|
investigate whether the reads/writes could be used to gain control over $EIP.
|
|
Since the first invalid write of 8 bytes seems to run into adjacent heap
|
|
blocks (crash in unlink()), it may be possible though.
|
|
|
|
gdb output:
|
|
|
|
Program received signal SIGSEGV, Segmentation fault.
|
|
malloc_consolidate (av=av@entry=0x32629b7cc0 <main_arena>) at malloc.c:4151
|
|
4151 unlink(av, p, bck, fwd);
|
|
(gdb) bt
|
|
#0 malloc_consolidate (av=av@entry=0x32629b7cc0 <main_arena>) at malloc.c:4151
|
|
#1 0x0000003262680628 in _int_malloc (av=av@entry=0x32629b7cc0 <main_arena>, bytes=bytes@entry=4224) at malloc.c:3420
|
|
#2 0x000000326268315e in __GI___libc_malloc (bytes=4224) at malloc.c:2896
|
|
#3 0x0000000000449d15 in __alloc_extent_buffer (tree=0x88c078, bytenr=4288512, blocksize=4096) at extent_io.c:541
|
|
#4 0x000000000044a8b4 in alloc_extent_buffer (tree=0x88c078, bytenr=4288512, blocksize=4096) at extent_io.c:648
|
|
#5 0x000000000043b1a0 in btrfs_find_create_tree_block (root=root@entry=0x895840, bytenr=<optimized out>,
|
|
blocksize=<optimized out>) at disk-io.c:159
|
|
#6 0x000000000043ca4e in read_tree_block (root=root@entry=0x895840, bytenr=<optimized out>, blocksize=<optimized out>,
|
|
parent_transid=13) at disk-io.c:287
|
|
#7 0x000000000043ccb7 in find_and_setup_root (tree_root=0x88c250, fs_info=<optimized out>, objectid=5, root=0x895840)
|
|
at disk-io.c:557
|
|
#8 0x000000000043ce92 in btrfs_read_fs_root_no_cache (fs_info=fs_info@entry=0x88c010, location=location@entry=0x7fffffffd960)
|
|
at disk-io.c:640
|
|
#9 0x000000000043d060 in btrfs_read_fs_root (fs_info=fs_info@entry=0x88c010, location=location@entry=0x7fffffffd960)
|
|
at disk-io.c:739
|
|
#10 0x000000000043d48c in btrfs_setup_all_roots (fs_info=fs_info@entry=0x88c010, root_tree_bytenr=<optimized out>,
|
|
root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:988
|
|
#11 0x000000000043d802 in __open_ctree_fd (fp=fp@entry=3, path=path@entry=0x7fffffffe20d "ramdisk/btrfs_fukked.bin",
|
|
sb_bytenr=65536, sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE)
|
|
at disk-io.c:1199
|
|
#12 0x000000000043d965 in open_ctree_fs_info (filename=0x7fffffffe20d "ramdisk/btrfs_fukked.bin", sb_bytenr=sb_bytenr@entry=0,
|
|
root_tree_bytenr=root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:1231
|
|
#13 0x0000000000427bf5 in cmd_check (argc=1, argv=0x7fffffffdea0) at cmds-check.c:9326
|
|
#14 0x000000000040e5a2 in main (argc=2, argv=0x7fffffffdea0) at btrfs.c:245
|
|
|
|
|
|
valgrind output:
|
|
|
|
==32463== Memcheck, a memory error detector
|
|
==32463== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
|
|
==32463== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
|
|
==32463== Command: btrfs check ramdisk/btrfs_fukked.bin
|
|
==32463==
|
|
==32463== Invalid write of size 8
|
|
==32463== at 0x4386FB: btrfs_search_slot (ctree.c:1119)
|
|
==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117)
|
|
==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167)
|
|
==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983)
|
|
==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199)
|
|
==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231)
|
|
==32463== by 0x427BF4: cmd_check (cmds-check.c:9326)
|
|
==32463== by 0x40E5A1: main (btrfs.c:245)
|
|
==32463== Address 0x4c409f0 is 16 bytes after a block of size 144 alloc'd
|
|
==32463== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
|
==32463== by 0x4427AB: btrfs_read_block_groups (extent-tree.c:3162)
|
|
==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983)
|
|
==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199)
|
|
==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231)
|
|
==32463== by 0x427BF4: cmd_check (cmds-check.c:9326)
|
|
==32463== by 0x40E5A1: main (btrfs.c:245)
|
|
==32463==
|
|
==32463== Invalid read of size 8
|
|
==32463== at 0x436E70: check_block.part.14 (ctree.c:548)
|
|
==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91)
|
|
==32463== by 0x438954: btrfs_search_slot (ctree.c:1120)
|
|
==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117)
|
|
==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167)
|
|
==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983)
|
|
==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199)
|
|
==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231)
|
|
==32463== by 0x427BF4: cmd_check (cmds-check.c:9326)
|
|
==32463== by 0x40E5A1: main (btrfs.c:245)
|
|
==32463== Address 0x4c409f8 is 24 bytes after a block of size 144 in arena "client"
|
|
==32463==
|
|
==32463== Invalid read of size 4
|
|
==32463== at 0x436E84: UnknownInlinedFun (ctree.h:1605)
|
|
==32463== by 0x436E84: UnknownInlinedFun (ctree.h:1612)
|
|
==32463== by 0x436E84: check_block.part.14 (ctree.c:550)
|
|
==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91)
|
|
==32463== by 0x438954: btrfs_search_slot (ctree.c:1120)
|
|
==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117)
|
|
==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167)
|
|
==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983)
|
|
==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199)
|
|
==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231)
|
|
==32463== by 0x427BF4: cmd_check (cmds-check.c:9326)
|
|
==32463== by 0x40E5A1: main (btrfs.c:245)
|
|
==32463== Address 0x4c409e4 is 4 bytes after a block of size 144 alloc'd
|
|
==32463== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
|
==32463== by 0x4427AB: btrfs_read_block_groups (extent-tree.c:3162)
|
|
==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983)
|
|
==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199)
|
|
==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231)
|
|
==32463== by 0x427BF4: cmd_check (cmds-check.c:9326)
|
|
==32463== by 0x40E5A1: main (btrfs.c:245)
|
|
==32463==
|
|
==32463== Invalid read of size 1
|
|
==32463== at 0x4A0B3A0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
|
==32463== by 0x436E99: UnknownInlinedFun (ctree.h:1613)
|
|
==32463== by 0x436E99: check_block.part.14 (ctree.c:550)
|
|
==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91)
|
|
==32463== by 0x438954: btrfs_search_slot (ctree.c:1120)
|
|
==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117)
|
|
==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167)
|
|
==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983)
|
|
==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199)
|
|
==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231)
|
|
==32463== by 0x427BF4: cmd_check (cmds-check.c:9326)
|
|
==32463== by 0x40E5A1: main (btrfs.c:245)
|
|
==32463== Address 0x1b1 is not stack'd, malloc'd or (recently) free'd
|
|
==32463==
|
|
==32463==
|
|
==32463== Process terminating with default action of signal 11 (SIGSEGV)
|
|
==32463== Access not within mapped region at address 0x1B1
|
|
==32463== at 0x4A0B3A0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
|
|
==32463== by 0x436E99: UnknownInlinedFun (ctree.h:1613)
|
|
==32463== by 0x436E99: check_block.part.14 (ctree.c:550)
|
|
==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91)
|
|
==32463== by 0x438954: btrfs_search_slot (ctree.c:1120)
|
|
==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117)
|
|
==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167)
|
|
==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983)
|
|
==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199)
|
|
==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231)
|
|
==32463== by 0x427BF4: cmd_check (cmds-check.c:9326)
|
|
==32463== by 0x40E5A1: main (btrfs.c:245)
|