linux-ext4.vger.kernel.org archive mirror
From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 202879] New: Segmentation fault while running crafted program
Date: Mon, 11 Mar 2019 18:57:42 +0000
Message-ID: <bug-202879-13602@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=202879

            Bug ID: 202879
           Summary: Segmentation fault while running crafted program
           Product: File System
           Version: 2.5
    Kernel Version: 5.0-rc8
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@kernel-bugs.osdl.org
          Reporter: jungyeon@gatech.edu
        Regression: No

Created attachment 281725
  --> https://bugzilla.kernel.org/attachment.cgi?id=281725&action=edit
The (compressed) crafted image which causes crash

- Overview
After mounting the crafted image and running the attached program, I got this
segmentation fault while running the attached program.
I also tried to reproduce on a VM, but it only failed on LKL.

- Produces
./lkl/tools/lkl/ext4-combined -t ext4 -i tmp.img -p poc_01.c.raw -v
(poc_01.c shows its internal programs)

- Messages
./lkl/tools/lkl/ext4-combined -t ext4 -i tmp.img -p tmp.c.raw -v
./lkl/tools/lkl/ext4-combined -t ext4 -i tmp.img -p poc_01.c.raw -v
[    0.000000] Linux version 5.0.0-rc6+ (jungyeon@copper) (gcc version 7.3.0
(Ubuntu 7.3.0-27ubuntu1~18.04)) #1 Mon Mar 11 14:49:22 EDT 2019
[    0.000000] memblock address range: 0x7face0000000 - 0x7face7fff000
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32319
[    0.000000] Kernel command line: mem=128M virtio_mmio.device=316@0x1000000:1
[    0.000000] Dentry cache hash table entries: 16384 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 4, 65536 bytes)
[    0.000000] Memory available: 129044k/131068k RAM
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 4096
[    0.000000] lkl: irqs initialized
[    0.000000] clocksource: lkl: mask: 0xffffffffffffffff max_cycles:
0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[    0.000004] lkl: time and timers initialized (irq2)
[    0.000011] pid_max: default: 4096 minimum: 301
[    0.000074] Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.000084] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes)
[    0.002643] printk: console [lkl_console0] enabled
[    0.002673] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff,
max_idle_ns: 19112604462750000 ns
[    0.004396] clocksource: Switched to clocksource lkl
[    0.004672] virtio-mmio: Registering device virtio-mmio.0 at
0x1000000-0x100013b, IRQ 1.
[    0.005205] workingset: timestamp_bits=62 max_order=15 bucket_order=0
[    0.015834] virtio-mmio virtio-mmio.0: Failed to enable 64-bit or 32-bit
DMA.  Trying to continue, but this might not work.
[    0.016070] virtio_blk virtio0: [vda] 32768 512-byte logical blocks (16.8
MB/16.0 MiB)
[    0.016903] random: get_random_bytes called from init_oops_id+0x35/0x40 with
crng_init=0
[    0.017356] Warning: unable to open an initial console.
[    0.017395] This architecture does not have kernel memory protection.
[    0.017402] Run /init as init process
[    0.019260] EXT4-fs (vda): barriers disabled
[    0.019867] [EXT4 FS bs=1024, gc=2, bpg=8192, ipg=2048, mo=e000c42c,
mo2=0002]
[    0.019890] System zones: 1-2, 66-581, 8193-8194
[    0.020020] EXT4-fs (vda): mounting with "discard" option, but the device
does not support discard
[    0.020030] EXT4-fs (vda): mounted filesystem with journalled data mode.
Opts: errors=remount-ro
        v13 = syscall(SYS_open, (long)v2, 65536, 0);
        syscall(SYS_getdents64, (long)v13, (long)v1, 2344);
        syscall(SYS_fsync, (long)v13);
        syscall(SYS_fsync, (long)v13);
        syscall(SYS_readlink, (long)v10, (long)v1, 8192);
        v15 = syscall(SYS_open, (long)v14, 66, 438);
        syscall(SYS_write, (long)v15, (long)v1, 2229);
        syscall(SYS_write, (long)v15, (long)v1, 3563);
        syscall(SYS_ftruncate, (long)v15, 7336);
        syscall(SYS_getdents64, (long)v13, (long)v1, 4633);
        syscall(SYS_mkdir, (long)v16, 511);
        syscall(SYS_fsync, (long)v13);
        syscall(SYS_fsync, (long)v15);
        syscall(SYS_unlink, (long)v8);
        syscall(SYS_write, (long)v15, (long)v1, 7178);
        syscall(SYS_readlink, (long)v14, (long)v1, 8192);
        syscall(SYS_utimes, (long)v11, (long)v1);
        syscall(SYS_ftruncate, (long)v15, 4018);
        syscall(SYS_utimes, (long)v10, (long)v1);
        syscall(SYS_ftruncate, (long)v15, 6005);
        syscall(SYS_fsync, (long)v15);
        syscall(SYS_rmdir, (long)v12);
        syscall(SYS_pwrite64, (long)v15, (long)v1, 7752, 4527);
        syscall(SYS_getdents64, (long)v13, (long)v1, 3796);
        syscall(SYS_mkdir, (long)v17, 511);
        syscall(SYS_removexattr, (long)v3, (long)v18);
        syscall(SYS_ftruncate, (long)v15, 53);
        syscall(SYS_listxattr, (long)v5, (long)v1, 4138);
        syscall(SYS_pwrite64, (long)v15, (long)v1, 7728, 1584);
        syscall(SYS_fsync, (long)v15);
        syscall(SYS_fsync, (long)v15);
        syscall(SYS_write, (long)v15, (long)v1, 1974);
        syscall(SYS_unlink, (long)v14);
        syscall(SYS_write, (long)v15, (long)v1, 1752);
        syscall(SYS_getdents64, (long)v13, (long)v1, 1582);
        syscall(SYS_pwrite64, (long)v15, (long)v1, 5142, 5178);
        syscall(SYS_removexattr, (long)v16, (long)v19);
        v20 = syscall(SYS_open, (long)v3, 65536, 0);
        syscall(SYS_fsync, (long)v15);
        syscall(SYS_symlink, (long)v5, (long)v21);
        syscall(SYS_link, (long)v10, (long)v22);
        v23 = syscall(SYS_open, (long)v7, 2, 0);
        syscall(SYS_ftruncate, (long)v15, 2545);
        syscall(SYS_write, (long)v23, (long)v1, 2067);
        syscall(SYS_fdatasync, (long)v23);
        syscall(SYS_link, (long)v10, (long)v24);
        syscall(SYS_symlink, (long)v9, (long)v25);
        syscall(SYS_fsync, (long)v15);
        syscall(SYS_mkdir, (long)v26, 511);
[    0.084492] random: fast init done
        syscall(SYS_fdatasync, (long)v23);
        syscall(SYS_write, (long)v23, (long)v1, 969);
        syscall(SYS_readlink, (long)v2, (long)v1, 8192);
        syscall(SYS_chmod, (long)v25, 3072);
        syscall(SYS_fdatasync, (long)v23);
        syscall(SYS_pwrite64, (long)v23, (long)v1, 1520, 1423);
        syscall(SYS_fallocate, (long)v15, 65, 5353, 6797);
        syscall(SYS_fsync, (long)v23);
        syscall(SYS_listxattr, (long)v22, (long)v1, 1808);
        syscall(SYS_pwrite64, (long)v23, (long)v1, 4742, 7814);
        syscall(SYS_newlstat, (long)v21, (long)v1);
        syscall(SYS_fsync, (long)v20);
Segmentation fault (core dumped)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
