* [Bug 203861] New: Division by zero error in fsck.f2fs when fixing a corrupted image
From: bugzilla-daemon @ 2019-06-10 18:17 UTC
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203861
Bug ID: 203861
Summary: Division by zero error in fsck.f2fs when fixing a
corrupted image
Product: File System
Version: 2.5
Kernel Version: v4.18
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: seulbae@gatech.edu
Regression: No
Created attachment 283179
--> https://bugzilla.kernel.org/attachment.cgi?id=283179&action=edit
Corrupted f2fs image (compressed)
[Overview]
fsck.f2fs of f2fs-tools (master at commit 54244dcafd) triggers a division by
zero error while fixing a corrupted image, in which segs->secs_per_zone is set
to 0.
[Reproduction]
Download and uncompress the attached image.
Run fsck.f2fs against the downloaded image:
$ cd path/to/f2fs-tools/
$ ./fsck/fsck.f2fs -d 0 -f /tmp/f2fs.img
Info: Force to fix corruption
Info: Segments per section = 1
Info: Sections per zone = 1
Info: sector size = 512
Info: total sectors = 131072 (64 MB)
Info: MKFS version
"Linux version 4.13.0-45-generic (buildd@lgw01-amd64-011) (gcc version 5.4.0
20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)) #50~16.04.1-Ubuntu SMP Wed May 30
11:18:27 UTC 2018"
Info: FSCK version
from "Linux version 4.13.0-45-generic (buildd@lgw01-amd64-011) (gcc version
5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)) #50~16.04.1-Ubuntu SMP Wed May
30 11:18:27 UTC 2018"
to "Linux version 4.18.0-21-generic (buildd@lcy01-amd64-006) (gcc version
7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #22~18.04.1-Ubuntu SMP Thu May 16 15:07:19 UTC
2019"
[update_superblock: 503] Info: Done to update superblock
Info: superblock features = 0 :
Info: superblock encrypt level = 0, salt = 00000000000000000000000000000000
Info: total FS sectors = 131072 (64 MB)
Info: CKPT version = 3
[1] 13488 floating point exception (core dumped) ./fsck/fsck.f2fs -f
/tmp/f2fs.img
[Location]
- build_curseg at fsck/mount.c:1589
1589 array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno);
- GET_ZONENO_FROM_SEGNO(sbi, segno) at fsck/f2fs.h:317
318 ((segno / sbi->segs_per_sec) / sbi->secs_per_zone)
Causes division by zero error when sbi->secs_per_zone is corrupted to be 0.
--
You are receiving this mail because:
You are watching the assignee of the bug.
* [f2fs-dev] [Bug 203861] Division by zero error in fsck.f2fs when fixing a corrupted image
From: bugzilla-daemon @ 2019-07-11 1:10 UTC
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203861
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |chao@kernel.org
--- Comment #1 from Chao Yu (chao@kernel.org) ---
Sorry for the long delay, I forgot to reply to this thread to let you know we have
fixed this issue with the patch below; could you please check it with your
test case?
https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git/commit/?h=dev&id=d5bec9021f50f3d1e05aee3fe76160dc234c1735
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
* [f2fs-dev] [Bug 203861] Division by zero error in fsck.f2fs when fixing a corrupted image
From: bugzilla-daemon @ 2019-07-15 7:39 UTC
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203861
--- Comment #2 from Seulbae Kim (seulbae@gatech.edu) ---
No problem. I checked that the bug is fixed through the patch.
Thank you!
--
You are receiving this mail because:
You are watching the assignee of the bug.
* [f2fs-dev] [Bug 203861] Division by zero error in fsck.f2fs when fixing a corrupted image
From: bugzilla-daemon @ 2019-07-15 8:08 UTC
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203861
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |CODE_FIX
--- Comment #3 from Chao Yu (chao@kernel.org) ---
Thanks for confirming that! :)
--
You are receiving this mail because:
You are watching the assignee of the bug.
* [f2fs-dev] [Bug 203861] Division by zero error in fsck.f2fs when fixing a corrupted image
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-05-10 8:47 UTC
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203861
Attila (cs.attila@zerodaybugs.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cs.attila@zerodaybugs.com
--- Comment #4 from Attila (cs.attila@zerodaybugs.com) ---
Current-master fsck.f2fs reproducer package for Bug 203861: ASAN/UBSAN log,
evidence card, concept fix, mount.c context, and minimized crash artifacts
showing SIGFPE in sanity_check_raw_super() with secs_per_zone=0 / derived
segs_per_zone=0.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
* [f2fs-dev] [Bug 203861] Division by zero error in fsck.f2fs when fixing a corrupted image
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-05-10 8:48 UTC
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203861
--- Comment #5 from Attila (cs.attila@zerodaybugs.com) ---
Created attachment 310083
--> https://bugzilla.kernel.org/attachment.cgi?id=310083&action=edit
Current-master fsck.f2fs reproducer package for Bug 203861: ASAN/UBSAN log,
evidence card, concept fix, mount.c context, and minimized crash artifacts
showing SIGFPE in sanity_check_raw_super() with s
I can reproduce a related fsck.f2fs divide-by-zero on current f2fs-tools
master, so this looks like either an incomplete fix for Bug 203861 or a
regression in a different validation path.
This is not the same top frame as the original 2019 report. The original report
shows the crash later through build_curseg() / GET_ZONE_FROM_SEGNO() when
sbi->secs_per_zone is 0. My current reproducer reaches an earlier path in
sanity_check_raw_super():
- component: f2fs-tools userspace fsck.f2fs
- function: sanity_check_raw_super()
- file/line: fsck/mount.c:1130:49 in my current-master build
- corrupted fields: segs_per_sec = 1, secs_per_zone = 0
- derived value: segs_per_zone = segs_per_sec * secs_per_zone = 0
- observed result: UBSan division-by-zero followed by ASan SIGFPE
Observed sanitizer evidence:
mount.c:1130:33: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mount.c:1130:33
AddressSanitizer:DEADLYSIGNAL
ERROR: AddressSanitizer: FPE
#0 in sanity_check_raw_super fsck/mount.c:1130:49
#1 in validate_super_block fsck/mount.c:1195:7
#2 in f2fs_do_mount fsck/mount.c:4088:8
#3 in main fsck/main.c:1326:8
The root cause appears to be that secs_per_zone == 0 is still rejected too late
on this path. segs_per_zone is derived from untrusted superblock fields and can
be used as a divisor before secs_per_zone / derived segs_per_zone are
validated.
I am attaching a current repro package with:
- ASAN/UBSAN log
- evidence card
- concept fix
- mount.c context
- minimized crash artifacts
Security impact claimed: local/tooling denial-of-service only. I am not
claiming RCE, privilege escalation, kernel compromise, or production Android
reachability.
If maintainers prefer a new bug instead of reopening/commenting on this
resolved one, I can file a new Bugzilla issue explicitly referencing Bug 203861
as the related/incomplete-fix ancestor.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
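Both the original report (the SIGFPE in build_curseg via GET_ZONENO_FROM_SEGNO when sbi->secs_per_zone is 0) and comment #5 (a divisor derived from unvalidated superblock fields in sanity_check_raw_super) describe the same defect class: geometry read from an untrusted image is used as a divisor before it is checked. The example below is added here and is not code from f2fs-tools or from either reporter. It reproduces only the arithmetic quoted in the report, (segno / segs_per_sec) / secs_per_zone; the struct raw_super_geometry, sanity_check_geometry() and zoneno_or_neg() names are constructed for illustration, and the overflow check on the derived segs_per_zone goes beyond the zero check the thread discusses.

```c
/*
 * Added example, not code from f2fs-tools or from either reporter.
 * Models the failure both comments describe: fsck derives zone numbers from
 * superblock geometry fields that an untrusted image controls, and divides by
 * them before they are validated. The struct and function names below are
 * constructed for this example; only the arithmetic follows the report's
 * GET_ZONENO_FROM_SEGNO: (segno / segs_per_sec) / secs_per_zone.
 */
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the geometry fields read from the raw superblock. */
struct raw_super_geometry {
    uint32_t segs_per_sec;   /* segments per section */
    uint32_t secs_per_zone;  /* sections per zone */
};

/* Same arithmetic as the macro quoted in the report. Only callable once
 * sanity_check_geometry() has accepted both divisors. */
static uint32_t zoneno_from_segno(const struct raw_super_geometry *g, uint32_t segno)
{
    return (segno / g->segs_per_sec) / g->secs_per_zone;
}

/* Validate the untrusted fields up front, before anything derives a divisor
 * from them. Returns 0 if acceptable, -1 with a reason otherwise. The overflow
 * check on the derived segs_per_zone goes beyond the thread's zero check. */
static int sanity_check_geometry(const struct raw_super_geometry *g,
                                 char *why, size_t why_len)
{
    if (g->segs_per_sec == 0) {
        snprintf(why, why_len, "segs_per_sec is 0");
        return -1;
    }
    if (g->secs_per_zone == 0) {
        snprintf(why, why_len, "secs_per_zone is 0");
        return -1;
    }
    /* derived segs_per_zone = segs_per_sec * secs_per_zone must fit in u32 */
    uint64_t segs_per_zone = (uint64_t)g->segs_per_sec * g->secs_per_zone;
    if (segs_per_zone > UINT32_MAX) {
        snprintf(why, why_len, "segs_per_zone overflows 32 bits");
        return -1;
    }
    why[0] = '\0';
    return 0;
}

/* Check-then-derive entry point: returns the zone number for segno, or -1
 * when the geometry is rejected, instead of letting the division trap. */
int64_t zoneno_or_neg(uint32_t segs_per_sec, uint32_t secs_per_zone, uint32_t segno)
{
    struct raw_super_geometry g = { segs_per_sec, secs_per_zone };
    char why[64];

    if (sanity_check_geometry(&g, why, sizeof why) != 0) {
        fprintf(stderr, "Wrong superblock geometry: %s, image rejected\n", why);
        return -1;
    }
    return (int64_t)zoneno_from_segno(&g, segno);
}

int main(void)
{
    /* Constructed inputs: the 1x1 geometry fsck printed in the report, and the
     * corrupted variant with secs_per_zone forced to 0. */
    printf("sane image:      segno 42 -> zone %lld\n",
           (long long)zoneno_or_neg(1, 1, 42));
    printf("corrupted image: segno 42 -> %lld\n",
           (long long)zoneno_or_neg(1, 0, 42));
    return 0;
}
```

The point of the ordering is that every field read from the image passes through sanity_check_geometry() once, at mount time, and the division helpers are only reachable afterwards; a check that lives next to one divide site (as the original fix location suggests) leaves any other derived divisor, such as segs_per_zone, exposed on a different path.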
* [f2fs-dev] [Bug 203861] Division by zero error in fsck.f2fs when fixing a corrupted image
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-05-10 8:55 UTC
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203861
Attila (cs.attila@zerodaybugs.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #310083|1 |0
is patch| |
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.