From patchwork Tue Aug 30 03:29:33 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Qu Wenruo
X-Patchwork-Id: 9304779
Return-Path:
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A175B60756 for ; Tue, 30 Aug 2016 03:29:56 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9930A28A71 for ; Tue, 30 Aug 2016 03:29:56 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8C5CB28A90; Tue, 30 Aug 2016 03:29:56 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E789328A71 for ; Tue, 30 Aug 2016 03:29:55 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756831AbcH3D3v (ORCPT ); Mon, 29 Aug 2016 23:29:51 -0400
Received: from cn.fujitsu.com ([59.151.112.132]:46487 "EHLO heian.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1756271AbcH3D3t (ORCPT ); Mon, 29 Aug 2016 23:29:49 -0400
X-IronPort-AV: E=Sophos;i="5.22,518,1449504000"; d="scan'208";a="10410999"
Received: from unknown (HELO cn.fujitsu.com) ([10.167.33.5]) by heian.cn.fujitsu.com with ESMTP; 30 Aug 2016 11:29:36 +0800
Received: from G08CNEXCHPEKD02.g08.fujitsu.local (unknown [10.167.33.83]) by cn.fujitsu.com (Postfix) with ESMTP id 2900842EB280; Tue, 30 Aug 2016 11:29:36 +0800 (CST)
Received: from localhost.localdomain (10.167.226.34) by G08CNEXCHPEKD02.g08.fujitsu.local (10.167.33.89) with Microsoft SMTP Server (TLS) id 14.3.279.2; Tue, 30 Aug 2016 11:29:34 +0800
From: Qu Wenruo
To:
CC: Lukas Lueg
Subject: [PATCH 2/2] btrfs-progs: fuzz-test: Add image for unaligned tree block ptr
Date: Tue, 30 Aug 2016 11:29:33 +0800
Message-ID: <20160830032933.22194-2-quwenruo@cn.fujitsu.com>
X-Mailer: git-send-email 2.9.3
In-Reply-To: <20160830032933.22194-1-quwenruo@cn.fujitsu.com>
References: <20160830032933.22194-1-quwenruo@cn.fujitsu.com>
MIME-Version: 1.0
X-Originating-IP: [10.167.226.34]
X-yoursite-MailScanner-ID: 2900842EB280.AC28A
X-yoursite-MailScanner: Found to be clean
X-yoursite-MailScanner-From: quwenruo@cn.fujitsu.com
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Lukas Lueg

Add test case image for unaligned tree block ptr.
It should lead to BUG_ON in free_extent_buffer().

Signed-off-by: Lukas Lueg
Signed-off-by: Qu Wenruo
---
 .../images/unaligned-tree-block-bytenr.raw.txt | 33 +++++++++++++++++++++
 .../images/unaligned-tree-block-bytenr.raw.xz  | Bin 0 -> 3852 bytes
 2 files changed, 33 insertions(+)
 create mode 100644 tests/fuzz-tests/images/unaligned-tree-block-bytenr.raw.txt
 create mode 100644 tests/fuzz-tests/images/unaligned-tree-block-bytenr.raw.xz
diff --git a/tests/fuzz-tests/images/unaligned-tree-block-bytenr.raw.xz b/tests/fuzz-tests/images/unaligned-tree-block-bytenr.raw.xz new file mode 100644 index 0000000000000000000000000000000000000000..d37b1a2d3f00d15f26d42a1f149a537e9c5810fe GIT binary patch literal 3852 zcmeH~`#;l*AICp)J2sb1geY^1VQeT$E>)c{eFwAFQ4)U0I3hd z_njmF9gr#j0MV!!rdUjpd>9A-B#~ImY!N%#AKMvq@Qhb04e^0_^QXNqz0NewANP{LUTW zQ>S~@Sjs|b|L!6@xe-3*iI`9sor8RhAs4E?Y)iS9@1#L!$d&7>Qt^pg8zw?U4~WLo z#Xc&H>YaCBZ6?wmJZxj7r^d+|=aTK~Oa5T(bDDdCm$7kO%mKPkl=!$|P^D~$ry&sr z^;~u=XK_E$FLIWv0_A7i=2b@K3(!Q)c1&u~Dez>-@MRFxhXYLPKfj^U*`1OSu)_j&`w?MS#CMSn7)n5BmoB6!Jzx%uf=jj79q zG3&cHGWl-#qLKQcY-rD3?8Yk9%3QjNX`VKWLSW;)&YcLX})U0@`hsSJnW7vmdm zMHGdhkVYW_%im$#u|~bVic=nomVP?z72e*=U~k?KBCs;yt`X2zlp2FXk9B$aP<8WUB=LO_ zhg3Kg*7@Z-LFIEyu(7aO>~ByLC9g_jbsqfQ{&0@F_AtaS5EA%k$i%IMsarK((~h@# zos+lrawo5gx34YSf_*j8DN1v!Dz`czwq~x5P-WW2=hMGDTuAX zP0yT`mfhsOuKl*JlY9->Pdkgj-J5oD zYbDL10t&oC+7bNb@$OXR0?l`6coV*lj#efvG#EixZCW`y7IayUz3AnBCSzjd=Q>b4qmgkIAkepK&R&u3R>TYDv<{-xf`K5I>Huh-@N`38t zFxC?t>N$8_Gkax;DKoy#8WFd;x&La^G#EsH)sW-Rfp0wCsZ5DF$thlz?v(MBtf;01 z3%O)kPSy*_@C?xz{YxoaojYW1(g_7x>v0V`m*GoDw%wdeA;@?1eKT40b?B>tZ??WA7HizDn z^8H7Ud87u$iELv3Y(Q_jZyr;E~yymqLF(!gytRb!!)YbZSe$F%PaNvxBqsF_xU0>R7s^ zCB}9C6*g1LAVciCtcxD0G_2m)6~k13S9q1$Bs<$TqOfs5xKIlD2ody{Qz z0+%*C`)Q}VjuBT;HKZqwM_Zedn}RjFMt8&wcq_=onmHQP>7;1qO^0!GkxP9#sb|i7 zMvD$;{{ufr(|-)Rzb|A&1WgNdiQstkkrUjs#!D0KCY+4=EUa-af-r$zSl6&e`C8M- zfniu&o|E&UQQf^G9rc~-=u!XYJ5A?hf6YOonk}^$+#`&@Hh2_up97Cx)rVLfR0$*qg?Kj=Y z{fwy;7&v_NRPF)Qer+>&G>%J6`m9- z<+|Hu3iK-MpfFKla0KaNw{G3T+s}Rs`@ebS-C2rpt;qW^Q-{THJ3f;u$* z0QMc5=?AdyT;)H2{Q&mAJr@5;Sfb2fKpH5UP5yKk0I*h?tH^9nC;*z>lbDz&tE%LA Rj@@&1OX6QYFCc~U{}b+FcFX_( literal 0 HcmV?d00001 diff --git a/tests/fuzz-tests/images/unaligned-tree-block-bytenr.raw.txt b/tests/fuzz-tests/images/unaligned-tree-block-bytenr.raw.txt new file mode 100644 index 0000000..05cf392 --- /dev/null +++ b/tests/fuzz-tests/images/unaligned-tree-block-bytenr.raw.txt 
@@ -0,0 +1,33 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=153641 +Lukas Lueg 2016-08-23 19:54:45 UTC + +Created attachment 229941 [details] +Image triggering btrfsck into asan error + +The filesystem-image attached to this bug drives btrfsck from btrfs-progs +v4.7-42-g56e9586 into a heap-use-after-free. The src was from kdave's mirror, +devel branch. CFLAGS='-DNDEBUG -O1 -g -fsanitize=address +-fno-omit-frame-pointer -fno-optimize-sibling-calls' + + +The juicy parts: +==32639==ERROR: AddressSanitizer: heap-use-after-free on address +0x621000019170 at pc 0x0000005c046e bp 0x7fff631e48d0 sp 0x7fff631e48c8 +READ of size 4 at 0x621000019170 thread T0 + #0 0x5c046d in free_extent_buffer +/home/lukas/dev/btrfsprogs_fuzz/src/extent_io.c:579:10 + #1 0x59356c in btrfs_release_all_roots +/home/lukas/dev/btrfsprogs_fuzz/src/disk-io.c:1084:3 + #2 0x5949a7 in __open_ctree_fd +/home/lukas/dev/btrfsprogs_fuzz/src/disk-io.c:1325:2 + #3 0x594325 in open_ctree_fs_info +/home/lukas/dev/btrfsprogs_fuzz/src/disk-io.c:1363:9 + #4 0x51e717 in cmd_check +/home/lukas/dev/btrfsprogs_fuzz/src/cmds-check.c:11320:9 + #5 0x4f0f81 in main /home/lukas/dev/btrfsprogs_fuzz/src/btrfs.c:243:8 + #6 0x7f5ce75ee730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #7 0x4213f8 in _start (/home/lukas/dev/btrfsfuzz/bin/bin/btrfs+0x4213f8) + + +Note that the bug happens within core itself. The kernel may be vulnerable as +well, I didn't check, though.
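Review bot: the expected outcome of this image is left ambiguous between the commit message and the .txt: the message says it "should lead to BUG_ON in free_extent_buffer()", while the report pasted here is an ASan heap-use-after-free from a build whose CFLAGS include -DNDEBUG, which compiles assert() out, so what a tester observes depends on build flags. Please add a line to the .txt stating what the fuzz test treats as the expected result for this image (an ASan report, an abort, or simply a non-zero exit from btrfs check) so a run that only prints an error is not mistaken for a pass. A one-line summary of the trace would also help future readers: frames #1 and #2 show the stale extent_buffer being read in btrfs_release_all_roots() called from __open_ctree_fd() (disk-io.c:1325), i.e. the failure happens while the filesystem is still being opened, before the check itself starts, which is the path the test should be verified against.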