btrfs-progs/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt
David Sterba 5ee216a86f btrfs-progs: tests: add more fuzzed images from bugzilla
Fixing the problems by one does not scale now. Add more images despite
the fuzz tests will fail. They have been for some time already.

Reported-by: Lukas Lueg <lukas.lueg@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2016-11-23 10:49:37 +01:00

135 lines
8.1 KiB
Plaintext

URL: https://bugzilla.kernel.org/show_bug.cgi?id=169301
Lukas Lueg 2016-09-18 09:07:55 UTC
More news from the fuzzer. The attached image causes a heap-use-after-free
when running btrfsck with ASAN over it; using btrfs-progs v4.7.2-56-ge8c2013
==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8
READ of size 4 at 0x621000014170 thread T0
#0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10
#1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3
#2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2
#3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9
#4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2
#5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
#6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
#7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
Probably somewhat related to this: The image crash000255.img causes btrfsck to
try to allocate around 3.5gb of memory in one chunk, sending ASAN into a death
spiral. On systems with sufficient memory, the heap-use-after-free turns up.
parent transid verify failed on 0 wanted 3472328296227680304 found 0
parent transid verify failed on 0 wanted 3472328296227680304 found 0
Ignoring transid failure
Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
ref mismatch on [0 4096] extent item 0, found 1
Backref 0 parent 0 root 0 not found in extent tree
backpointer mismatch on [0 4096]
bad extent [0, 4096), type mismatch with chunk
ref mismatch on [131072 4096] extent item 0, found 1
Backref 131072 parent 3 root 3 not found in extent tree
backpointer mismatch on [131072 4096]
ref mismatch on [4198400 4096] extent item 0, found 1
Backref 4198400 parent 1 root 1 not found in extent tree
backpointer mismatch on [4198400 4096]
ref mismatch on [4231168 4096] extent item 0, found 1
Backref 4231168 parent 7 root 7 not found in extent tree
backpointer mismatch on [4231168 4096]
ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60700000ddf0
backpointer mismatch on [3472328296227680304 3472328296227680304]
Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
checking free space cache
checking fs roots
root 5 root dir 3472328296227680304 not found
checking csums
checking root refs
checking quota groups
ERROR: while mapping refs: -5
=================================================================
==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8
READ of size 4 at 0x621000014170 thread T0
#0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10
#1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3
#2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2
#3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9
#4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2
#5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
#6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
#7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
0x621000014170 is located 112 bytes inside of 4224-byte region [0x621000014100,0x621000015180)
freed by thread T0 here:
#0 0x4bf990 in __interceptor_cfree.localalias.1 (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bf990)
#1 0x5c0582 in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:591:3
#2 0x5c1b18 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:644:4
#3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9
#4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7
#5 0x5f2d74 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
#6 0x5f2b52 in travel_tree /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7
#7 0x5f299b in add_refs_for_implied /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
#8 0x5efd39 in map_implied_refs /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
#9 0x5eed89 in qgroup_verify_all /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
#10 0x51ea14 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9
#11 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
#12 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
previously allocated by thread T0 here:
#0 0x4bfca0 in calloc (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
#1 0x5c16ca in __alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:542:7
#2 0x5c1b26 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:646:8
#3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9
#4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7
#5 0x5918a2 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
#6 0x591712 in find_and_setup_root /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:647:15
#7 0x593243 in setup_root_or_create_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:966:8
#8 0x592a06 in btrfs_setup_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1045:8
#9 0x5948fe in __open_ctree_fd /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
#10 0x5942b5 in open_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
#11 0x51dff2 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
#12 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
#13 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
SUMMARY: AddressSanitizer: heap-use-after-free /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10 in free_extent_buffer
Shadow bytes around the buggy address:
0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fffa820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
0x0c427fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fffa870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3439==ABORTING