From: Vegard Nossum <vegard.nossum@oracle.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: Ext4 Developers List <linux-ext4@vger.kernel.org>
Subject: Re: Open bugs found by fuzzing as of 2016-07-30
Date: Mon, 1 Aug 2016 09:33:37 +0200 [thread overview]
Message-ID: <579EFB51.6090602@oracle.com> (raw)
In-Reply-To: <20160801045521.GF12853@thunk.org>
On 08/01/2016 06:55 AM, Theodore Ts'o wrote:
> On Sat, Jul 30, 2016 at 03:04:43PM +0200, Vegard Nossum wrote:
>> Hi,
>>
>> It's been two weeks since I posted the first list of bugs found using
>> AFL: https://www.spinics.net/lists/linux-ext4/msg53022.html
>>
>> With a bunch of ext4 patches going into 4.8 we're down from 15 to 6
>> with current linus/master...
>
> Does this patch bring things down further? I expect it should at the
> very least address
>
>> 6. WARNING: CPU: 0 PID: 58 at fs/ext4/ext4.h:2748
>> ext4_block_bitmap_csum_set+0x358/0x600
>> http://139.162.151.198/f/ext4/9628c19aff0bbaaae4149a03486305c7f6cd7523
>
> ... and possibly others.

I applied the patch, but I didn't see any of the bugs go away,
unfortunately.

IIRC there were still bugs in ext4_init_block_bitmap() where the
ext4_set_bit() calls for the block bitmap + inode bitmap + inode table
were writing beyond the end of bh->b_data. I think tmp < start or
something and then the ext4_set_bit() calls actually end up writing
into the superblock itself, causing either ext4_inode_table() or
sbi->s_itb_per_group to start returning bogus values and further corrupt
things. I'll have another look, maybe add some printks.

> If there are any remaining of these bugs where the superblock is
> sufficiently corrupt that dumpe2fs refuses to print anything, could
> you print a hex dump of the superblock (located at offset 1024) so we
> could see what is going on?

I've added the hex dumps and updated the pages.

Vegard
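The failure mode Vegard describes above (a metadata block number below the group's first block, so `tmp - start` wraps and the subsequent set-bit lands outside `bh->b_data`) is easy to model outside the kernel. The following is an added illustration, not code from this thread or from fs/ext4: it uses a constructed one-block-group bitmap, shows the unchecked index computation wrapping, and contrasts it with a bounds-checked setter that rejects blocks before the group start or past the end of the bitmap. All names (`group_bitmap`, `checked_set_bit`, `mark_group_metadata`, the `demo_*` helpers) and the sample block numbers are hypothetical.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: one block group whose allocation bitmap lives in a
 * 1 KiB buffer standing in for bh->b_data, so 8192 bits cover the group.
 * This is a hypothetical stand-in, not ext4_init_block_bitmap(). */
#define BLOCK_SIZE     1024
#define BITS_PER_GROUP (BLOCK_SIZE * 8)

struct group_bitmap {
    uint64_t      first_block;       /* first block number of the group ("start") */
    unsigned char data[BLOCK_SIZE];  /* stands in for bh->b_data */
};

/* Unchecked subtraction of the kind the report suspects: when blk is below
 * first_block the unsigned difference wraps and the bit index is garbage. */
static uint64_t unchecked_bit_index(uint64_t first_block, uint64_t blk)
{
    return blk - first_block;
}

/* Checked setter: refuse blocks before the group start (the underflow case)
 * and blocks whose bit would lie beyond the end of the bitmap buffer. */
static int checked_set_bit(struct group_bitmap *gb, uint64_t blk)
{
    if (blk < gb->first_block)
        return -1;                           /* tmp < start: would wrap */
    uint64_t idx = blk - gb->first_block;
    if (idx >= BITS_PER_GROUP)
        return -1;                           /* would write past bh->b_data */
    gb->data[idx / 8] |= (unsigned char)(1u << (idx % 8));
    return 0;
}

static int test_bit(const struct group_bitmap *gb, uint64_t idx)
{
    return (gb->data[idx / 8] >> (idx % 8)) & 1;
}

/* Mark the group's block bitmap, inode bitmap and inode table blocks.
 * Returns how many of those blocks were rejected by the bounds check. */
static int mark_group_metadata(struct group_bitmap *gb, uint64_t block_bitmap,
                               uint64_t inode_bitmap, uint64_t inode_table,
                               unsigned itb_per_group)
{
    int rejected = 0;
    if (checked_set_bit(gb, block_bitmap)) rejected++;
    if (checked_set_bit(gb, inode_bitmap)) rejected++;
    for (unsigned i = 0; i < itb_per_group; i++)
        if (checked_set_bit(gb, inode_table + i)) rejected++;
    return rejected;
}

/* Scenario 1: well-formed group descriptor values, all inside the group. */
static int demo_in_range(void)
{
    struct group_bitmap gb = { .first_block = 8192 };
    int rejected = mark_group_metadata(&gb, 8193, 8194, 8195, 4);
    return rejected == 0 && test_bit(&gb, 1) && test_bit(&gb, 2)
        && test_bit(&gb, 3) && test_bit(&gb, 6) && !test_bit(&gb, 7);
}

/* Scenario 2: corrupted descriptor pointing below the group start. The
 * block bitmap (100) and the first two inode-table blocks (8190, 8191)
 * are rejected; the rest land inside the buffer. */
static int demo_underflow(void)
{
    struct group_bitmap gb = { .first_block = 8192 };
    return mark_group_metadata(&gb, 100, 8194, 8190, 4);
}

/* Scenario 3: descriptor pointing past the end of the group. */
static int demo_past_end(void)
{
    struct group_bitmap gb = { .first_block = 8192 };
    return checked_set_bit(&gb, 8192 + BITS_PER_GROUP);
}

int main(void)
{
    printf("in-range group: %s\n", demo_in_range() ? "ok" : "FAIL");
    printf("unchecked index for block 100 in group starting at 8192: %llu\n",
           (unsigned long long)unchecked_bit_index(8192, 100));
    printf("underflowing descriptor: %d blocks rejected\n", demo_underflow());
    printf("block past group end: %s\n", demo_past_end() ? "rejected" : "accepted");
    return 0;
}
```

The wrapped index printed in the second line is the reason an unchecked `set_bit` can reach memory well outside the bitmap buffer; the checked setter turns the same corrupted descriptor into an explicit rejection that a filesystem could report as corruption instead of silently writing elsewhere.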
Thread overview:
2016-07-30 13:04 Open bugs found by fuzzing as of 2016-07-30 Vegard Nossum
2016-07-30 18:39 ` nborisov
2016-07-30 19:25 ` Vegard Nossum
2016-07-31 4:37 ` Theodore Ts'o
2016-08-03 5:43 ` Greg KH
2016-08-04 2:58 ` Theodore Ts'o
2016-08-01 4:55 ` Theodore Ts'o
2016-08-01 7:33 ` Vegard Nossum [this message]