From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 202897] New: BUG: unable to handle kernel paging request at __memmove
Date: Wed, 13 Mar 2019 06:51:02 +0000 [thread overview]
Message-ID: <bug-202897-13602@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=202897
Bug ID: 202897
Summary: BUG: unable to handle kernel paging request at __memmove
Product: File System
Version: 2.5
Kernel Version: 5.0-rc8
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@kernel-bugs.osdl.org
Reporter: jungyeon@gatech.edu
Regression: No
Created attachment 281787
--> https://bugzilla.kernel.org/attachment.cgi?id=281787&action=edit
The (compressed) crafted image which causes crash
- Overview
After mounting crafted image, I got this page fault while running attached
program.
- Produces
mkdir test
mount -t ext4 tmp.img test
gcc min_01.c
cp a.out test
cd test
./a.out
- Kernel messages
[ 74.327744] BUG: unable to handle kernel paging request at ffff95f12b296000
[ 74.329597] #PF error: [PROT] [WRITE]
[ 74.330547] PGD 23601067 P4D 23601067 PUD 2366b2063 PMD 23541d063 PTE 800000022b296061
[ 74.332538] Oops: 0003 [#1] SMP PTI
[ 74.333429] CPU: 0 PID: 1158 Comm: a.out Not tainted 5.0.0-rc8+ #9
[ 74.335059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 74.337313] RIP: 0010:__memmove+0x81/0x1a0
[ 74.338359] Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
[ 74.343035] RSP: 0018:ffffb09a011ef938 EFLAGS: 00010207
[ 74.344361] RAX: ffff95f12666a000 RBX: ffffb09a011efb40 RCX: 1fffffffff67a7fc
[ 74.346163] RDX: ffffffffffffffe4 RSI: ffff95f12b296000 RDI: ffff95f12b296000
[ 74.347980] RBP: ffffb09a011efa38 R08: 0000000000000001 R09: ffff95f1324acf00
[ 74.349763] R10: ffff95f126669fdc R11: 0000000000000000 R12: ffffb09a011efab8
[ 74.351560] R13: ffff95f12666a000 R14: 00000000000003e4 R15: 0000000000000000
[ 74.353343] FS: 00007fa3b7981700(0000) GS:ffff95f137a00000(0000) knlGS:0000000000000000
[ 74.355374] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.356815] CR2: ffff95f12b296000 CR3: 000000022b2bc006 CR4: 00000000000206f0
[ 74.358622] Call Trace:
[ 74.359263] ? ext4_xattr_set_entry+0xa55/0x1090
[ 74.360447] ? jbd2_journal_cancel_revoke+0xbf/0xf0
[ 74.361696] ? kmem_cache_alloc+0xb0/0x170
[ 74.362761] ? jbd2_journal_get_write_access+0x5b/0x70
[ 74.364062] ext4_xattr_block_set+0x37a/0xf80
[ 74.365173] ? __getblk_gfp+0x2f/0x300
[ 74.366129] ? xattr_find_entry+0x8c/0x110
[ 74.367183] ext4_xattr_set_handle+0x544/0x5f0
[ 74.368315] __ext4_set_acl+0x1aa/0x290
[ 74.369293] ext4_set_acl+0xbf/0x1f0
[ 74.370210] ? posix_acl_from_xattr+0x180/0x180
[ 74.371373] set_posix_acl+0x79/0xb0
[ 74.372282] posix_acl_xattr_set+0x84/0x90
[ 74.373321] __vfs_removexattr+0x52/0x70
[ 74.374310] vfs_removexattr+0x84/0x100
[ 74.375293] removexattr+0x55/0x80
[ 74.376157] ? __check_object_size+0x17c/0x1b0
[ 74.377272] ? strncpy_from_user+0x50/0x1b0
[ 74.378323] ? _cond_resched+0x1a/0x50
[ 74.379292] ? __sb_start_write+0x3f/0x70
[ 74.380310] ? mnt_want_write+0x2c/0x50
[ 74.381284] path_removexattr+0x9a/0xb0
[ 74.382252] __x64_sys_removexattr+0x1b/0x20
[ 74.383357] do_syscall_64+0x5a/0x110
[ 74.384293] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.385568] RIP: 0033:0x7fa3b749c4d9
[ 74.386491] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 74.391133] RSP: 002b:00007ffffd7aeb08 EFLAGS: 00000202 ORIG_RAX: 00000000000000c5
[ 74.393021] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa3b749c4d9
[ 74.394822] RDX: 0000000000000000 RSI: 00007ffffd7aeb30 RDI: 00007ffffd7aeb20
[ 74.396608] RBP: 00007ffffd7aeb50 R08: 00007fa3b7775ab0 R09: 00007ffffd7aec38
[ 74.398392] R10: 00000000004006a0 R11: 0000000000000202 R12: 00000000004004a0
[ 74.400175] R13: 00007ffffd7aec30 R14: 0000000000000000 R15: 0000000000000000
[ 74.401951] Modules linked in:
[ 74.402744] CR2: ffff95f12b296000
[ 74.403596] ---[ end trace e7fe34a5ca4f4421 ]---
[ 74.404771] RIP: 0010:__memmove+0x81/0x1a0
[ 74.405815] Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
[ 74.410512] RSP: 0018:ffffb09a011ef938 EFLAGS: 00010207
[ 74.411833] RAX: ffff95f12666a000 RBX: ffffb09a011efb40 RCX: 1fffffffff67a7fc
[ 74.413618] RDX: ffffffffffffffe4 RSI: ffff95f12b296000 RDI: ffff95f12b296000
[ 74.415419] RBP: ffffb09a011efa38 R08: 0000000000000001 R09: ffff95f1324acf00
[ 74.417211] R10: ffff95f126669fdc R11: 0000000000000000 R12: ffffb09a011efab8
[ 74.419022] R13: ffff95f12666a000 R14: 00000000000003e4 R15: 0000000000000000
[ 74.420821] FS: 00007fa3b7981700(0000) GS:ffff95f137a00000(0000) knlGS:0000000000000000
[ 74.422857] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.424306] CR2: ffff95f12b296000 CR3: 000000022b2bc006 CR4: 00000000000206f0
- Primitive reason
When calling memmove at 1704, it gives an extreme value as count (3rd parameter).
This is because val is smaller than first_val in this case, so that the count
becomes a negative number. (-28 became -xfff....ffe4 because of two's complement)
As a result, memmove shows errors while copying with a huge count number.
1696     /* No failures allowed past this point. */
1697
1698     if (!s->not_found && here->e_value_size && here->e_value_offs) {
1699         /* Remove the old value. */
1700         void *first_val = s->base + min_offs;
1701         size_t offs = le16_to_cpu(here->e_value_offs);
1702         void *val = s->base + offs;
1703
1704         memmove(first_val + old_size, first_val, val - first_val);
1705         memset(first_val, 0, old_size);
1706         min_offs += old_size;
1707
1708         /* Adjust all value offsets. */
1709         last = s->first;
1710         while (!IS_LAST_ENTRY(last)) {
1711             size_t o = le16_to_cpu(last->e_value_offs);
1712
1713             if (!last->e_value_inum &&
1714                 last->e_value_size && o < offs)
1715                 last->e_value_offs = cpu_to_le16(o + old_size);
1716             last = EXT4_XATTR_NEXT(last);
1717         }
1718     }
--
You are receiving this mail because:
You are watching the assignee of the bug.
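The arithmetic the report points at in line 1704, as an added example that is not part of the bug report or of the kernel's ext4 code. It models the value area of an xattr block as a plain byte buffer (a constructed layout with a made-up BLOCK_SIZE, not the on-disk format), shows how a value offset that is smaller than min_offs turns `val - first_val` into a negative ptrdiff_t and therefore into the huge size_t count seen in RDX, and pairs it with a checked variant that refuses to shift when the offsets read from the image are inconsistent. The function names and the validation condition are this example's own, not the kernel's eventual fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the value area of an ext4 xattr block, constructed for this
 * example (not the kernel's real layout): values are packed at the end of a
 * BLOCK_SIZE-byte buffer and min_offs is the lowest offset of any stored
 * value, so a consistent image always has e_value_offs >= min_offs. */
#define BLOCK_SIZE 256

/* Mirrors the arithmetic at line 1704 of the report and returns the count
 * memmove() would receive. val - first_val is a ptrdiff_t; when the value
 * offset read from the image is below min_offs the difference is negative
 * and converts to a huge size_t in memmove's third argument. */
size_t remove_count_unchecked(size_t min_offs, size_t offs)
{
    uint8_t base[BLOCK_SIZE];
    uint8_t *first_val = base + min_offs;
    uint8_t *val = base + offs;

    return (size_t)(val - first_val);
}

/* Hardened variant (this example's own check, not the kernel's fix): verify
 * the offsets before shifting anything. Returns 0 and advances *min_offs on
 * success, -1 when the value starts below min_offs or runs past the block. */
int remove_old_value_checked(uint8_t *base, size_t *min_offs,
                             size_t offs, size_t old_size)
{
    if (old_size > BLOCK_SIZE || offs > BLOCK_SIZE - old_size ||
        offs < *min_offs)
        return -1;

    uint8_t *first_val = base + *min_offs;
    uint8_t *val = base + offs;

    /* Slide the values stored below the removed one up by old_size ... */
    memmove(first_val + old_size, first_val, (size_t)(val - first_val));
    /* ... and clear the space they vacated. */
    memset(first_val, 0, old_size);
    *min_offs += old_size;
    return 0;
}

/* Builds a constructed block holding value 'A' at [200,220) and value 'B'
 * at [220,256), then tries to remove a 36-byte value claimed to start at
 * `offs`. Returns -1 if the hardened check rejects the request, 1 if the
 * resulting layout is the expected one ('A' moved to [236,256), [200,236)
 * zeroed, min_offs advanced to 236), and 0 if the layout is wrong. */
int demo_remove(size_t offs)
{
    uint8_t base[BLOCK_SIZE];
    size_t min_offs = 200;

    memset(base, 0, sizeof base);
    memset(base + 200, 'A', 20);
    memset(base + 220, 'B', 36);

    if (remove_old_value_checked(base, &min_offs, offs, 36) < 0)
        return -1;

    for (size_t i = 200; i < 236; i++)
        if (base[i] != 0)
            return 0;
    for (size_t i = 236; i < 256; i++)
        if (base[i] != 'A')
            return 0;
    return min_offs == 236 ? 1 : 0;
}

int main(void)
{
    /* offs 28 bytes below min_offs: the -28 of the report, as a size_t */
    printf("unchecked count: 0x%zx\n", remove_count_unchecked(100, 72));
    printf("consistent image: %d, inconsistent image: %d\n",
           demo_remove(220), demo_remove(180));
    return 0;
}
```

On a 64-bit build the unchecked count for an offset 28 bytes below min_offs is 0xffffffffffffffe4, the value in RDX of the oops above; the checked variant returns -1 for that image and leaves the buffer untouched, while a consistent image is shifted exactly as lines 1704 to 1706 do.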