EXT3 fuzzing

EXT3 fuzzing

[Eric Sesterhenn / Snakebyte]

hi,

after fsfuzz
(http://www.securityfocus.com/archive/1/449568/30/0/threaded) was
released i decided to give it a spin. So far I got two problematic
images:

http://www.cobra-basket.de/ext3_ls_prozzy_hog.img.bz2
	which makes the kernel use as much cpu as it can get

http://www.cobra-basket.de/ext3_memhog.img.bz2
	eats all memory it can get

I enabled jbd debugging for a while, and the traces looked
similar, but made not much sense to me. kmemleak
locked my box, so I was not able to get some debugging
info from there.
To test the images, just mount them, and do an ls
on the image.

Greetings, Eric

-- 
 www.cobra-basket.de -- just my stuff

Re: EXT3 fuzzing

[Eric Sandeen]

Eric Sesterhenn / Snakebyte wrote:
> hi,
> 
> after fsfuzz
> (http://www.securityfocus.com/archive/1/449568/30/0/threaded) was
> released i decided to give it a spin. So far I got two problematic
> images:
> 
> http://www.cobra-basket.de/ext3_ls_prozzy_hog.img.bz2
> 	which makes the kernel use as much cpu as it can get
> 
> http://www.cobra-basket.de/ext3_memhog.img.bz2
> 	eats all memory it can get
> 
> I enabled jbd debugging for a while, and the traces looked
> similar, but made not much sense to me. kmemleak
> locked my box, so I was not able to get some debugging
> info from there.
> To test the images, just mount them, and do an ls
> on the image.

Hi Eric, I recently posted a patch to LKML ([PATCH] handle ext3 directory 
corruption better) to handle the broken fuzz cases I found.  You might try again 
w/ that patch... I can also give your images a whirl.  With the patch I 
submitted, I had thousands of successful fsfuzz runs.  The only snag I hit was 
actually an fsfuzz bug; lost+found/ had been fuzzed so it looked like a pipe, 
and the "cat" part of the test hung up - not really an ext3 bug.

Thanks,

-Eric

Re: EXT3 fuzzing

[Eric Sandeen]

Eric Sandeen wrote:
> Eric Sesterhenn / Snakebyte wrote:
>> hi,
>>
>> after fsfuzz
>> (http://www.securityfocus.com/archive/1/449568/30/0/threaded) was
>> released i decided to give it a spin. So far I got two problematic
>> images:
>>
>> http://www.cobra-basket.de/ext3_ls_prozzy_hog.img.bz2
>> 	which makes the kernel use as much cpu as it can get
>>
>> http://www.cobra-basket.de/ext3_memhog.img.bz2
>> 	eats all memory it can get

Works for me w/ that patch:

[root@link-07 ~]# mount -o loop ext3_ls_prozzy_hog.img mnt/
[root@link-07 ~]# ls mnt/
[root@link-07 ~]# dmesg | tail -n 6
EXT3-fs: mounted filesystem with ordered data mode.
EXT3-fs error (device loop0): htree_dirblock_to_tree: bad entry in
directory #2: rec_len % 4 != 0 - offset=24, inode=11, rec_len=989,
name_len=10
Aborting journal on device loop0.
ext3_abort called.
EXT3-fs error (device loop0): ext3_journal_start_sb: Detected aborted
journal
Remounting filesystem read-only


[root@link-07 ~]# mount -o loop ext3_memhog.img mnt/
[root@link-07 ~]# ls mnt
[root@link-07 ~]# dmesg | tail -n 6
EXT3-fs: mounted filesystem with ordered data mode.
EXT3-fs error (device loop0): htree_dirblock_to_tree: bad entry in
directory #2: rec_len is smaller than minimal - offset=0, inode=75,
rec_len=0, name_len=0
Aborting journal on device loop0.
ext3_abort called.
EXT3-fs error (device loop0): ext3_journal_start_sb: Detected aborted
journal
Remounting filesystem read-only

-Eric