author David Sterba <dsterba@suse.com> 2016-11-14 19:06:40 +0100
committer David Sterba <dsterba@suse.com> 2016-11-23 10:49:37 +0100
commit 5ee216a86f054844f52285cc22736cd249904e52
tree fd4815d454e679ecb1ffadc86d23e1c489333ac2 /tests/fuzz-tests
parent 08a072c70998f89aef8f9704a16b52998a0a4d69
btrfs-progs: tests: add more fuzzed images from bugzilla

Fixing the problems by one does not scale now. Add more images despite the fuzz tests will fail. They have been for some time already.

Reported-by: Lukas Lueg <lukas.lueg@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'tests/fuzz-tests')
-rw-r--r-- tests/fuzz-tests/images/bko-156731.raw.txt 83
-rw-r--r-- tests/fuzz-tests/images/bko-156731.raw.xz bin 0 -> 3824 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-156741.raw.txt 131
-rw-r--r-- tests/fuzz-tests/images/bko-156741.raw.xz bin 0 -> 3796 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-161811.raw.txt 81
-rw-r--r-- tests/fuzz-tests/images/bko-161811.raw.xz bin 0 -> 10960 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-161821.raw.txt 42
-rw-r--r-- tests/fuzz-tests/images/bko-161821.raw.xz bin 0 -> 10596 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-167551.raw.txt 29
-rw-r--r-- tests/fuzz-tests/images/bko-167551.raw.xz bin 0 -> 10808 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-167781.raw.txt 297
-rw-r--r-- tests/fuzz-tests/images/bko-167781.raw.xz bin 0 -> 3856 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-167921.raw.txt 55
-rw-r--r-- tests/fuzz-tests/images/bko-167921.raw.xz bin 0 -> 10956 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-168301.raw.txt 51
-rw-r--r-- tests/fuzz-tests/images/bko-168301.raw.xz bin 0 -> 11008 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt 134
-rw-r--r-- tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.xz bin 0 -> 3828 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.txt 185
-rw-r--r-- tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.xz bin 0 -> 3836 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-172811.raw.txt 55
-rw-r--r-- tests/fuzz-tests/images/bko-172811.raw.xz bin 0 -> 10900 bytes
-rw-r--r-- tests/fuzz-tests/images/bko-172861.raw.txt 68
-rw-r--r-- tests/fuzz-tests/images/bko-172861.raw.xz bin 0 -> 10828 bytes
24 files changed, 1211 insertions, 0 deletions
diff --git a/tests/fuzz-tests/images/bko-156731.raw.txt b/tests/fuzz-tests/images/bko-156731.raw.txt
new file mode 100644
index 00000000..aea35f1f
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-156731.raw.txt
@@ -0,0 +1,83 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=156731
+Lukas Lueg 2016-09-13 19:53:59 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to
+buffer-overflow. Using btrfs-progs v4.7-42-g56e9586, compiled with ASAN
+(doesn't crash without)
+
+==17647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x00000052dde3 bp 0x7ffecc974fe0 sp 0x7ffecc974fd8
+READ of size 4 at 0x621000017980 thread T0
+ #0 0x52dde2 in btrfs_extent_data_ref_count /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1
+ #1 0x5329ae in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6380:6
+ #2 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #3 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #4 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #5 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+cat crashing_images/id:000047,sig:11,src:000343+000051,op:splice,rep:4.log
+=================================================================
+==17647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x00000052dde3 bp 0x7ffecc974fe0 sp 0x7ffecc974fd8
+READ of size 4 at 0x621000017980 thread T0
+ #0 0x52dde2 in btrfs_extent_data_ref_count /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1
+ #1 0x5329ae in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6380:6
+ #2 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #3 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #4 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #5 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x621000017980 is located 0 bytes to the right of 4224-byte region [0x621000016900,0x621000017980)
+allocated by thread T0 here:
+ #0 0x4bfca0 in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
+ #1 0x5c16ca in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #2 0x5c1b26 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #3 0x58de0c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5918a2 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x591712 in find_and_setup_root /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:647:15
+ #7 0x593243 in setup_root_or_create_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:966:8
+ #8 0x592850 in btrfs_setup_all_roots /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1031:8
+ #9 0x5948fe in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
+ #10 0x5942b5 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
+ #11 0x51dff2 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
+ #12 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #13 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1 in btrfs_extent_data_ref_count
+Shadow bytes around the buggy address:
+ 0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fffaf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==17647==ABORTING
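Review bot: The description at the top of this file says the overflow only shows up in an ASAN build ("doesn't crash without"), so on a regular build this image goes through btrfsck without a crash and the test tells us nothing. Please record the build requirement where the fuzz test runner can act on it, or have the runner skip or flag these images when the binary is not instrumented. Separately, the stack trace appears twice (once in the summary and again after the "cat crashing_images/..." line) and the shadow byte legend is generic ASAN output; one trace, the "0 bytes to the right of 4224-byte region" line and the allocation stack would be enough.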
diff --git a/tests/fuzz-tests/images/bko-156731.raw.xz b/tests/fuzz-tests/images/bko-156731.raw.xz
new file mode 100644
index 00000000..74a5c2a9
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-156731.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-156741.raw.txt b/tests/fuzz-tests/images/bko-156741.raw.txt
new file mode 100644
index 00000000..ca52677a
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-156741.raw.txt
@@ -0,0 +1,131 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=156741
+Lukas Lueg 2016-09-13 19:56:16 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to
+buffer-overflow. Using btrfs-progs v4.7-42-g56e9586, compiled with ASAN
+(doesn't crash without).
+
+==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978
+READ of size 1 at 0x621000017980 thread T0
+ #0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1
+ #1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10
+ #2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8
+ #3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8
+ #4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+cat crashing_images/id:000073,sig:11,src:000504+000275,op:splice,rep:4.log
+parent transid verify failed on 1122304 wanted 3472328296227680304 found 1
+parent transid verify failed on 1122304 wanted 3472328296227680304 found 1
+Ignoring transid failure
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+ref mismatch on [1118208 4096] extent item 1, found 0
+Backref 1118208 root 1 not referenced back 0x60300000ee00
+Incorrect global backref count on 1118208 found 1 wanted 0
+backpointer mismatch on [1118208 4096]
+owner ref check failed [1118208 4096]
+ref mismatch on [1126400 4096] extent item 1, found 0
+Backref 1126400 root 3 not referenced back 0x60300000edd0
+Incorrect global backref count on 1126400 found 1 wanted 0
+backpointer mismatch on [1126400 4096]
+owner ref check failed [1126400 4096]
+ref mismatch on [1130496 4096] extent item 1, found 0
+Backref 1130496 root 4 not referenced back 0x60300000eda0
+Incorrect global backref count on 1130496 found 1 wanted 0
+backpointer mismatch on [1130496 4096]
+owner ref check failed [1130496 4096]
+ref mismatch on [1134592 4096] extent item 1, found 0
+Backref 1134592 root 5 not referenced back 0x60300000ed70
+Incorrect global backref count on 1134592 found 1 wanted 0
+backpointer mismatch on [1134592 4096]
+owner ref check failed [1134592 4096]
+ref mismatch on [1138688 4096] extent item 1, found 0
+Backref 1138688 root 7 not referenced back 0x60300000ed40
+Incorrect global backref count on 1138688 found 1 wanted 0
+backpointer mismatch on [1138688 4096]
+owner ref check failed [1138688 4096]
+ref mismatch on [4194304 4096] extent item 0, found 1
+Backref 4194304 parent 5 root 5 not found in extent tree
+backpointer mismatch on [4194304 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4227072 4096] extent item 0, found 1
+Backref 4227072 parent 4 root 4 not found in extent tree
+backpointer mismatch on [4227072 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 6 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 6 offset 0 found 1 wanted 0 back 0x60700000dca0
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+=================================================================
+==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978
+READ of size 1 at 0x621000017980 thread T0
+ #0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1
+ #1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10
+ #2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8
+ #3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8
+ #4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x621000017980 is located 0 bytes to the right of 4224-byte region [0x621000016900,0x621000017980)
+allocated by thread T0 here:
+ #0 0x4bfca0 in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
+ #1 0x5c16ca in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #2 0x5c1b26 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #3 0x58de0c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5918a2 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x591712 in find_and_setup_root /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:647:15
+ #7 0x593243 in setup_root_or_create_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:966:8
+ #8 0x592850 in btrfs_setup_all_roots /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1031:8
+ #9 0x5948fe in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
+ #10 0x5942b5 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
+ #11 0x51dff2 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
+ #12 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #13 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1 in btrfs_extent_inline_ref_type
+Shadow bytes around the buggy address:
+ 0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fffaf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==23161==ABORTING
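Review bot: This report needs a cross-reference to bko-156731 in its description: both read exactly one position past the end of a 4224-byte extent buffer that comes from the same allocation path (find_and_setup_root at disk-io.c:647), only through a different accessor and caller (btrfs_extent_inline_ref_type from build_roots_info_cache here, btrfs_extent_data_ref_count from run_next_block there). A one-line note at the top of both files would help whoever picks these up to check whether one bounds check covers both. The value 3472328296227680304 that recurs in the log is 0x3030303030303030, which is also worth stating in the description as a hint to what was overwritten in the image.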
diff --git a/tests/fuzz-tests/images/bko-156741.raw.xz b/tests/fuzz-tests/images/bko-156741.raw.xz
new file mode 100644
index 00000000..af4de268
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-156741.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-161811.raw.txt b/tests/fuzz-tests/images/bko-161811.raw.txt
new file mode 100644
index 00000000..93374e98
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-161811.raw.txt
@@ -0,0 +1,81 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=161811
+Lukas Lueg 2016-09-16 20:03:35 UTC
+
+More news from the fuzzer. The attached image causes a global-buffer-overflow
+in btrfsck; using btrfs-progs v4.7-42-g56e9586. You need to compile with ASAN
+in order to reproduce.
+
+The juicy parts:
+
+==16657==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064726f at pc 0x00000054eadd bp 0x7ffec6d9b980 sp 0x7ffec6d9b978
+READ of size 1 at 0x00000064726f thread T0
+ #0 0x54eadc in imode_to_type /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9
+ #1 0x54673a in maybe_free_inode_rec /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:932:13
+ #2 0x54a79a in add_inode_backref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1104:2
+ #3 0x54b6d2 in process_inode_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1549:3
+ #4 0x5489e4 in process_one_leaf /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1810:10
+ #5 0x54522e in walk_down_tree /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1958:10
+ #6 0x54372e in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3668:10
+ #7 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10
+ #8 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8
+ #9 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #10 0x7f4a5c29f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #11 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+bad full backref, on [4198400]
+checking free space cache
+checking fs roots
+=================================================================
+==16657==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064726f at pc 0x00000054eadd bp 0x7ffec6d9b980 sp 0x7ffec6d9b978
+READ of size 1 at 0x00000064726f thread T0
+ #0 0x54eadc in imode_to_type /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9
+ #1 0x54673a in maybe_free_inode_rec /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:932:13
+ #2 0x54a79a in add_inode_backref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1104:2
+ #3 0x54b6d2 in process_inode_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1549:3
+ #4 0x5489e4 in process_one_leaf /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1810:10
+ #5 0x54522e in walk_down_tree /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1958:10
+ #6 0x54372e in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3668:10
+ #7 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10
+ #8 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8
+ #9 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #10 0x7f4a5c29f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #11 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x00000064726f is located 49 bytes to the left of global variable '<string literal>' defined in 'cmds-check.c:3051:2' (0x6472a0) of size 17
+ '<string literal>' is ascii string 'check_inode_recs'
+0x00000064726f is located 0 bytes to the right of global variable 'btrfs_type_by_mode' defined in 'cmds-check.c:625:23' (0x647260) of size 15
+SUMMARY: AddressSanitizer: global-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9 in imode_to_type
+Shadow bytes around the buggy address:
+ 0x0000800c0df0: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 02 f9
+ 0x0000800c0e00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 07 f9 f9
+ 0x0000800c0e10: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 01
+ 0x0000800c0e20: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 01 f9
+ 0x0000800c0e30: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 05 f9
+=>0x0000800c0e40: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00[07]f9 f9
+ 0x0000800c0e50: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 00 07
+ 0x0000800c0e60: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
+ 0x0000800c0e70: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x0000800c0e80: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x0000800c0e90: 00 00 03 f9 f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==16657==ABORTING
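Review bot: The stack under "The juicy parts" is repeated verbatim in the full log right below it, and the shadow byte legend is identical in every ASAN report in this commit; trimming both would leave the part that matters for the fix. That part is the pair of "is located" lines: the size-1 read in imode_to_type (cmds-check.c:635) lands 0 bytes to the right of btrfs_type_by_mode, which has size 15, so the index into the table reached 15. Saying so in the description would save the next reader from decoding the log.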
diff --git a/tests/fuzz-tests/images/bko-161811.raw.xz b/tests/fuzz-tests/images/bko-161811.raw.xz
new file mode 100644
index 00000000..8ac31951
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-161811.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-161821.raw.txt b/tests/fuzz-tests/images/bko-161821.raw.txt
new file mode 100644
index 00000000..c06b0ea7
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-161821.raw.txt
@@ -0,0 +1,42 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=161821
+Lukas Lueg 2016-09-16 20:45:58 UTC
+
+More news from the fuzzer. The attached image causes a segmentation fault when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+The juicy parts:
+
+==29097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x000000581939 bp 0x7fff1f168590 sp 0x7fff1f168590 T0)
+ #0 0x581938 in extent_buffer_get /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10
+ #1 0x583daf in btrfs_search_slot /home/lukas/dev/btrfsfuzz/src-asan/ctree.c:1118:2
+ #2 0x538652 in check_owner_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4043:8
+ #3 0x535ca5 in check_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4433:10
+ #4 0x532464 in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6292:8
+ #5 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #6 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #7 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #9 0x7f42d367b730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+parent transid verify failed on 4198400 wanted 14 found 1114126
+parent transid verify failed on 4198400 wanted 14 found 1114126
+Ignoring transid failure
+ASAN:DEADLYSIGNAL
+=================================================================
+==29097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x000000581939 bp 0x7fff1f168590 sp 0x7fff1f168590 T0)
+ #0 0x581938 in extent_buffer_get /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10
+ #1 0x583daf in btrfs_search_slot /home/lukas/dev/btrfsfuzz/src-asan/ctree.c:1118:2
+ #2 0x538652 in check_owner_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4043:8
+ #3 0x535ca5 in check_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4433:10
+ #4 0x532464 in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6292:8
+ #5 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #6 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #7 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #9 0x7f42d367b730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10 in extent_buffer_get
+==29097==ABORTING
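Review bot: Unlike the three ASAN reports above, the description here does not say whether an ASAN build is needed to reproduce. The fault is a SEGV on address 0x70 in extent_buffer_get (extent_io.h:105) called from btrfs_search_slot right after "Ignoring transid failure", which looks like a field access through a NULL extent buffer, so a plain build would presumably crash as well; please state that explicitly so the expected test result is clear. This report also names v4.7.2-55-g2b7c507 while the earlier ones name v4.7-42-g56e9586, so keep the version line if the log gets trimmed.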
diff --git a/tests/fuzz-tests/images/bko-161821.raw.xz b/tests/fuzz-tests/images/bko-161821.raw.xz
new file mode 100644
index 00000000..6c673ea4
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-161821.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-167551.raw.txt b/tests/fuzz-tests/images/bko-167551.raw.txt
new file mode 100644
index 00000000..c2ae8548
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-167551.raw.txt
@@ -0,0 +1,29 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=167551
+Lukas Lueg 2016-09-17 18:32:31 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to enter what
+seems to be an endless loop; using btrfs-progs v4.7.2-55-g2b7c507
+
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck hang000022.img
+Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+
+Program received signal SIGINT, Interrupt.
+0x00000000004576b7 in alloc_extent_buffer (tree=0x6b5420, bytenr=4198400, blocksize=4096) at extent_io.c:628
+628 {
+Missing separate debuginfos, use: dnf debuginfo-install libblkid-2.28.2-1.fc24.x86_64 libuuid-2.28.2-1.fc24.x86_64 lzo-2.08-8.fc24.x86_64 zlib-1.2.8-10.fc24.x86_64
+#0 0x00000000004576b7 in alloc_extent_buffer (tree=0x6b5420, bytenr=4198400, blocksize=4096) at extent_io.c:628
+#1 0x0000000000444be3 in read_tree_block_fs_info (fs_info=0x6b53a0, bytenr=4198400, blocksize=4096, parent_transid=14) at disk-io.c:339
+#2 0x0000000000440845 in btrfs_search_slot (trans=<optimized out>, root=<optimized out>, key=<optimized out>, p=<optimized out>,
+ ins_len=<optimized out>, cow=<optimized out>) at ctree.c:1175
+#3 0x000000000044bf8a in find_first_block_group (root=0x6b5850, path=0x6b41d0, key=0x7fffffffde78) at extent-tree.c:3142
+#4 0x000000000044bd3a in btrfs_read_block_groups (root=0x6b5850) at extent-tree.c:3240
+#5 0x00000000004464b3 in btrfs_setup_all_roots (fs_info=0x6b53a0, root_tree_bytenr=4202496, flags=<optimized out>) at disk-io.c:1077
+#6 0x0000000000446fc5 in __open_ctree_fd (fp=<optimized out>, path=<optimized out>, sb_bytenr=65536, root_tree_bytenr=<optimized out>,
+ chunk_root_bytenr=<optimized out>, flags=<optimized out>) at disk-io.c:1341
+#7 0x0000000000446d65 in open_ctree_fs_info (filename=0x7fffffffe4f5 "hang000022.img", sb_bytenr=0, root_tree_bytenr=0,
+ chunk_root_bytenr=0, flags=64) at disk-io.c:1387
+#8 0x000000000041bbe2 in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11382
+#9 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+quit
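Review bot: A hang reproducer needs a runtime bound, and nothing in this file says how long btrfsck ran before the SIGINT or what the test is expected to do with the image. Without a timeout in the runner this image stalls the fuzz suite instead of producing a failure, so please note the expected behaviour (for example, fail if check does not return within a fixed number of seconds). The single backtrace only shows where the process happened to be when interrupted (alloc_extent_buffer reached from find_first_block_group), and the log calls the image hang000022.img rather than the committed bko-167551.raw.xz name; both points deserve a line in the description.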
diff --git a/tests/fuzz-tests/images/bko-167551.raw.xz b/tests/fuzz-tests/images/bko-167551.raw.xz
new file mode 100644
index 00000000..2292fb4b
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-167551.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-167781.raw.txt b/tests/fuzz-tests/images/bko-167781.raw.txt
new file mode 100644
index 00000000..f185fb6f
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-167781.raw.txt
@@ -0,0 +1,297 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=167781
+Lukas Lueg 2016-09-17 19:01:47 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to overflow it's
+stack by what seems to be an infinite (or at least sufficiently deep) recursion
+in resolve_one_root(); using btrfs-progs v4.7-42-g56e9586.
+
+
+checking extents
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+bad extent [131072, 135168), type mismatch with chunk
+ref mismatch on [4194304 4096] extent item 0, found 1
+Backref 4194304 parent 5 root 5 not found in extent tree
+backpointer mismatch on [4194304 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60800000bd20
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
+Errors found in extent allocation tree or chunk allocation
+checking free space cache
+checking fs roots
+checking csums
+checking root refs
+checking quota groups
+ASAN:DEADLYSIGNAL
+=================================================================
+==9638==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc0e2d1ff8 (pc 0x0000005f2ed7 bp 0x7ffc0e2d2010 sp 0x7ffc0e2d2000 T0)
+ #0 0x5f2ed6 in find_ref_bytenr /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:253:46
+ #1 0x5f2cba in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:560:20
+ #2 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #3 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #4 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #5 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #6 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #7 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #8 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #9 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #10 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #11 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #12 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #13 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #14 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #15 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #16 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #17 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #18 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #19 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #20 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #21 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #22 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #23 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #24 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #25 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #26 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #27 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #28 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #29 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #30 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #31 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #32 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #33 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #34 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #35 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #36 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #37 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #38 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #39 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #40 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #41 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #42 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #43 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #44 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #45 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #46 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #47 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #48 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #49 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #50 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #51 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #52 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #53 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #54 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #55 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #56 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #57 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #58 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #59 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #60 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #61 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #62 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #63 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #64 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #65 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #66 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #67 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #68 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #69 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #70 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #71 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #72 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #73 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #74 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #75 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #76 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #77 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #78 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #79 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #80 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #81 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #82 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #83 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #84 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #85 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #86 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #87 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #88 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #89 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #90 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #91 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #92 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #93 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #94 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #95 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #96 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #97 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #98 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #99 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #100 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #101 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #102 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #103 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #104 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #105 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #106 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #107 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #108 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #109 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #110 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #111 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #112 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #113 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #114 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #115 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #116 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #117 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #118 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #119 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #120 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #121 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #122 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #123 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #124 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #125 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #126 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #127 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #128 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #129 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #130 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #131 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #132 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #133 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #134 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #135 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #136 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #137 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #138 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #139 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #140 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #141 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #142 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #143 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #144 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #145 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #146 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #147 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #148 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #149 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #150 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #151 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #152 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #153 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #154 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #155 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #156 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #157 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #158 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #159 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #160 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #161 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #162 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #163 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #164 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #165 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #166 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #167 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #168 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #169 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #170 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #171 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #172 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #173 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #174 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #175 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #176 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #177 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #178 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #179 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #180 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #181 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #182 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #183 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #184 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #185 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #186 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #187 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #188 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #189 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #190 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #191 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #192 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #193 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #194 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #195 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #196 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #197 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #198 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #199 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #200 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #201 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #202 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #203 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #204 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #205 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #206 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #207 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #208 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #209 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #210 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #211 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #212 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #213 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #214 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #215 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #216 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #217 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #218 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #219 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #220 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #221 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #222 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #223 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #224 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #225 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #226 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #227 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #228 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #229 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #230 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #231 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #232 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #233 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #234 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #235 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #236 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #237 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #238 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #239 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #240 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #241 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #242 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #243 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #244 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #245 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #246 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #247 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #248 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #249 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #250 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #251 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+
+SUMMARY: AddressSanitizer: stack-overflow /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:253:46 in find_ref_bytenr
+==9638==ABORTING
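Review bot: frames #7 through #251 of this trace are the same line, `resolve_one_root ... qgroup-verify.c:566:9`, so nearly all of this description file is one repeated frame. Consider keeping the first few frames, a single line saying the frame repeats up to #251, and the SUMMARY line, which already records the stack-overflow in find_ref_bytenr at qgroup-verify.c:253:46. It would also help to state in the description that the overflow is reached through resolve_one_root calling itself, since that recursion is what a fix has to bound. The absolute /home/lukas/dev/btrfsfuzz/src-asan/ build prefix could be dropped in favour of the bare source file names.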
diff --git a/tests/fuzz-tests/images/bko-167781.raw.xz b/tests/fuzz-tests/images/bko-167781.raw.xz
new file mode 100644
index 00000000..a4bd1de5
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-167781.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-167921.raw.txt b/tests/fuzz-tests/images/bko-167921.raw.txt
new file mode 100644
index 00000000..04ae8a19
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-167921.raw.txt
@@ -0,0 +1,55 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=167921
+Lukas Lueg 2016-09-17 19:16:19 UTC
+
+More news from the fuzzer. The attached image causes a call to abort() when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x000000000042390b in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6424
+#3 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#4 0x000000000041d1d2 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8567
+#5 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#6 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+
+parent transid verify failed on 4194304 wanted 65305493131755520 found 14
+parent transid verify failed on 4194304 wanted 65305493131755520 found 14
+Ignoring transid failure
+Checking filesystem on crashing_images/id:000162,sig:06,src:000059+001444,op:splice,rep:2.img
+UUID: 056b0872-c0a7-4121-8ac9-2263ffbee306
+checking extents/bin/sh: line 3: 3091 Aborted LD_LIBRARY_PATH=/home/lukas/dev/btrfsfuzz/bin-asan/lib LD_PRELOAD=/home/lukas/dev/afl_git/libdislocator/libdislocator.so ASAN_OPTIONS=detect_leaks=0 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfsck crashing_images/id:000162,sig:06,src:000059+001444,op:splice,rep:2.img
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000160.img
+Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+[Inferior 1 (process 21730) exited with code 0376]
+Missing separate debuginfos, use: dnf debuginfo-install libblkid-2.28.2-1.fc24.x86_64 libuuid-2.28.2-1.fc24.x86_64 lzo-2.08-8.fc24.x86_64 zlib-1.2.8-10.fc24.x86_64
+No stack.
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000162.img
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x000000000042390b in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6424
+#3 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#4 0x000000000041d1d2 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8567
+#5 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#6 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+quit
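Review bot: the same seven-frame backtrace appears twice in this file (once after the report text and again at the end of the gdb session), and the session in between includes a run of a different image, crash000160.img, which exits with code 0376 and prints "No stack.". Since the file documents the abort() reached from run_next_block at cmds-check.c:6424, consider keeping one backtrace plus the btrfsck output ("parent transid verify failed on 4194304 wanted 65305493131755520 found 14") and dropping the crash000160.img run, the "Missing separate debuginfos" hints and the trailing "quit". The line starting "checking extents/bin/sh: line 3: 3091 Aborted" is two outputs run together and would read better split after "checking extents".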
diff --git a/tests/fuzz-tests/images/bko-167921.raw.xz b/tests/fuzz-tests/images/bko-167921.raw.xz
new file mode 100644
index 00000000..41d7157e
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-167921.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-168301.raw.txt b/tests/fuzz-tests/images/bko-168301.raw.txt
new file mode 100644
index 00000000..9f3bab87
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-168301.raw.txt
@@ -0,0 +1,51 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=168301
+Lukas Lueg 2016-09-17 20:00:11 UTC
+
+More news from the fuzzer. The attached image causes a call to abort() when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x0000000000424fc7 in add_data_backref (extent_cache=0x7fffffffdfe0, bytenr=18446744073709551615, parent=<optimized out>,
+ root=<optimized out>, owner=<optimized out>, offset=<optimized out>, num_refs=<optimized out>, found_ref=<optimized out>,
+ max_size=4096) at cmds-check.c:4856
+#3 0x00000000004234bd in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6388
+#4 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#5 0x000000000041d160 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8558
+#6 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#7 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+
+Checking filesystem on crashing_images/id:000170,sig:06,src:001268,op:havoc,rep:8.img
+UUID: 056b0872-c0a7-4121-8ac9-2263ffbee306
+checking extents/bin/sh: line 3: 4644 Aborted LD_LIBRARY_PATH=/home/lukas/dev/btrfsfuzz/bin-asan/lib LD_PRELOAD=/home/lukas/dev/afl_git/libdislocator/libdislocator.so ASAN_OPTIONS=detect_leaks=0 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfsck crashing_images/id:000170,sig:06,src:001268,op:havoc,rep:8.img
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000170.img
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x0000000000424fc7 in add_data_backref (extent_cache=0x7fffffffdfe0, bytenr=18446744073709551615, parent=<optimized out>,
+ root=<optimized out>, owner=<optimized out>, offset=<optimized out>, num_refs=<optimized out>, found_ref=<optimized out>,
+ max_size=4096) at cmds-check.c:4856
+#3 0x00000000004234bd in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6388
+#4 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#5 0x000000000041d160 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8558
+#6 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#7 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+quit
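Review bot: the description text does not mention what the trace shows about the trigger: in frame #2, add_data_backref is called with bytenr=18446744073709551615 (the all-ones u64 value) and max_size=4096 before the abort() at cmds-check.c:4856. A one-line note to that effect near the top of the file would tell whoever picks this up which value needs validating before it reaches add_data_backref. The eight-frame backtrace is also pasted twice in full; one copy is enough, and the trailing "quit" from the gdb session can go.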
diff --git a/tests/fuzz-tests/images/bko-168301.raw.xz b/tests/fuzz-tests/images/bko-168301.raw.xz
new file mode 100644
index 00000000..4c7f4623
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-168301.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt
new file mode 100644
index 00000000..c5ec8ee1
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt
@@ -0,0 +1,134 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=169301
+Lukas Lueg 2016-09-18 09:07:55 UTC
+
+More news from the fuzzer. The attached image causes a heap-use-after-free
+when running btrfsck with ASAN over it; using btrfs-progs v4.7.2-56-ge8c2013
+
+==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8
+READ of size 4 at 0x621000014170 thread T0
+ #0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10
+ #1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3
+ #2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2
+ #3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9
+ #4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2
+ #5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+Probably somewhat related to this: The image crash000255.img causes btrfsck to
+try to allocate around 3.5gb of memory in one chunk, sending ASAN into a death
+spiral. On systems with sufficient memory, the heap-use-after-free turns up.
+
+parent transid verify failed on 0 wanted 3472328296227680304 found 0
+parent transid verify failed on 0 wanted 3472328296227680304 found 0
+Ignoring transid failure
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+ref mismatch on [0 4096] extent item 0, found 1
+Backref 0 parent 0 root 0 not found in extent tree
+backpointer mismatch on [0 4096]
+bad extent [0, 4096), type mismatch with chunk
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60700000ddf0
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
+checking free space cache
+checking fs roots
+root 5 root dir 3472328296227680304 not found
+checking csums
+checking root refs
+checking quota groups
+ERROR: while mapping refs: -5
+=================================================================
+==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8
+READ of size 4 at 0x621000014170 thread T0
+ #0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10
+ #1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3
+ #2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2
+ #3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9
+ #4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2
+ #5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x621000014170 is located 112 bytes inside of 4224-byte region [0x621000014100,0x621000015180)
+freed by thread T0 here:
+ #0 0x4bf990 in __interceptor_cfree.localalias.1 (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bf990)
+ #1 0x5c0582 in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:591:3
+ #2 0x5c1b18 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:644:4
+ #3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5f2d74 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x5f2b52 in travel_tree /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7
+ #7 0x5f299b in add_refs_for_implied /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
+ #8 0x5efd39 in map_implied_refs /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
+ #9 0x5eed89 in qgroup_verify_all /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
+ #10 0x51ea14 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9
+ #11 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #12 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+previously allocated by thread T0 here:
+ #0 0x4bfca0 in calloc (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
+ #1 0x5c16ca in __alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #2 0x5c1b26 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5918a2 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x591712 in find_and_setup_root /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:647:15
+ #7 0x593243 in setup_root_or_create_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:966:8
+ #8 0x592a06 in btrfs_setup_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1045:8
+ #9 0x5948fe in __open_ctree_fd /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
+ #10 0x5942b5 in open_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
+ #11 0x51dff2 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
+ #12 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #13 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+SUMMARY: AddressSanitizer: heap-use-after-free /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10 in free_extent_buffer
+Shadow bytes around the buggy address:
+ 0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c427fffa820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
+ 0x0c427fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c427fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c427fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c427fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x0c427fffa870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==3439==ABORTING
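Review bot: the file name says blocksize-zero, but nothing in the description says which field is zero or how that leads to the use-after-free, and the paragraph about crash000255.img names a file that does not exist under that name in this directory. Add a short summary at the top: per the ASAN report, the extent buffer allocated via find_and_setup_root is freed from alloc_extent_buffer (extent_io.c:644) during qgroup_verify_all and then read again by free_extent_buffer, called from btrfs_release_all_roots at close_ctree time. State which committed image crash000255.img corresponds to. The stack at the top is repeated verbatim further down and the shadow byte legend is generic ASAN output, so both could be trimmed.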
diff --git a/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.xz b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.xz
new file mode 100644
index 00000000..70c2b22f
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.txt b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.txt
new file mode 100644
index 00000000..0af00ec6
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.txt
@@ -0,0 +1,185 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=169301
+Lukas Lueg 2016-09-18 09:07:55 UTC
+
+parent transid verify failed on 4231168 wanted 274877906948 found 4
+Ignoring transid failure
+parent transid verify failed on 4222976 wanted 3472328296227680304 found 4
+parent transid verify failed on 4222976 wanted 3472328296227680304 found 4
+Ignoring transid failure
+checking extents
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+ref mismatch on [4194304 4096] extent item 0, found 1
+Backref 4194304 parent 5 root 5 not found in extent tree
+backpointer mismatch on [4194304 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60800000bc20
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
+Errors found in extent allocation tree or chunk allocation
+checking free space cache
+checking fs roots
+checking csums
+checking root refs
+checking quota groups
+==23294==ERROR: AddressSanitizer failed to allocate 0xe4ff4000 (3841933312) bytes of LargeMmapAllocator (error code: 12)
+==23294==Process memory map follows:
+ 0x000000400000-0x0000006a6000 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs
+ 0x0000008a6000-0x0000008b9000 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs
+ 0x0000008b9000-0x0000008ef000 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs
+ 0x0000008ef000-0x000001567000
+ 0x00007fff7000-0x00008fff7000
+ 0x00008fff7000-0x02008fff7000
+ 0x02008fff7000-0x10007fff8000
+ 0x600000000000-0x602000000000
+ 0x602000000000-0x602000010000
+ 0x602000010000-0x603000000000
+ 0x603000000000-0x603000010000
+ 0x603000010000-0x604000000000
+ 0x604000000000-0x604000010000
+ 0x604000010000-0x606000000000
+ 0x606000000000-0x606000010000
+ 0x606000010000-0x607000000000
+ 0x607000000000-0x607000010000
+ 0x607000010000-0x608000000000
+ 0x608000000000-0x608000010000
+ 0x608000010000-0x60c000000000
+ 0x60c000000000-0x60c000010000
+ 0x60c000010000-0x60d000000000
+ 0x60d000000000-0x60d000010000
+ 0x60d000010000-0x60e000000000
+ 0x60e000000000-0x60e000010000
+ 0x60e000010000-0x611000000000
+ 0x611000000000-0x611000010000
+ 0x611000010000-0x616000000000
+ 0x616000000000-0x616000020000
+ 0x616000020000-0x619000000000
+ 0x619000000000-0x619000020000
+ 0x619000020000-0x621000000000
+ 0x621000000000-0x621000020000
+ 0x621000020000-0x624000000000
+ 0x624000000000-0x624000020000
+ 0x624000020000-0x629000000000
+ 0x629000000000-0x629000010000
+ 0x629000010000-0x640000000000
+ 0x640000000000-0x640000003000
+ 0x7f62fb97e000-0x7f62fdcd0000
+ 0x7f62fdcd0000-0x7f62fde89000 /usr/lib64/libc-2.23.so
+ 0x7f62fde89000-0x7f62fe088000 /usr/lib64/libc-2.23.so
+ 0x7f62fe088000-0x7f62fe08c000 /usr/lib64/libc-2.23.so
+ 0x7f62fe08c000-0x7f62fe08e000 /usr/lib64/libc-2.23.so
+ 0x7f62fe08e000-0x7f62fe092000
+ 0x7f62fe092000-0x7f62fe0a8000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1
+ 0x7f62fe0a8000-0x7f62fe2a7000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1
+ 0x7f62fe2a7000-0x7f62fe2a8000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1
+ 0x7f62fe2a8000-0x7f62fe2a9000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1
+ 0x7f62fe2a9000-0x7f62fe2ac000 /usr/lib64/libdl-2.23.so
+ 0x7f62fe2ac000-0x7f62fe4ab000 /usr/lib64/libdl-2.23.so
+ 0x7f62fe4ab000-0x7f62fe4ac000 /usr/lib64/libdl-2.23.so
+ 0x7f62fe4ac000-0x7f62fe4ad000 /usr/lib64/libdl-2.23.so
+ 0x7f62fe4ad000-0x7f62fe5b5000 /usr/lib64/libm-2.23.so
+ 0x7f62fe5b5000-0x7f62fe7b4000 /usr/lib64/libm-2.23.so
+ 0x7f62fe7b4000-0x7f62fe7b5000 /usr/lib64/libm-2.23.so
+ 0x7f62fe7b5000-0x7f62fe7b6000 /usr/lib64/libm-2.23.so
+ 0x7f62fe7b6000-0x7f62fe7bd000 /usr/lib64/librt-2.23.so
+ 0x7f62fe7bd000-0x7f62fe9bc000 /usr/lib64/librt-2.23.so
+ 0x7f62fe9bc000-0x7f62fe9bd000 /usr/lib64/librt-2.23.so
+ 0x7f62fe9bd000-0x7f62fe9be000 /usr/lib64/librt-2.23.so
+ 0x7f62fe9be000-0x7f62fe9d5000 /usr/lib64/libpthread-2.23.so
+ 0x7f62fe9d5000-0x7f62febd4000 /usr/lib64/libpthread-2.23.so
+ 0x7f62febd4000-0x7f62febd5000 /usr/lib64/libpthread-2.23.so
+ 0x7f62febd5000-0x7f62febd6000 /usr/lib64/libpthread-2.23.so
+ 0x7f62febd6000-0x7f62febda000
+ 0x7f62febda000-0x7f62febfc000 /usr/lib64/liblzo2.so.2.0.0
+ 0x7f62febfc000-0x7f62fedfb000 /usr/lib64/liblzo2.so.2.0.0
+ 0x7f62fedfb000-0x7f62fedfc000 /usr/lib64/liblzo2.so.2.0.0
+ 0x7f62fedfc000-0x7f62fedfd000
+ 0x7f62fedfd000-0x7f62fee12000 /usr/lib64/libz.so.1.2.8
+ 0x7f62fee12000-0x7f62ff011000 /usr/lib64/libz.so.1.2.8
+ 0x7f62ff011000-0x7f62ff012000 /usr/lib64/libz.so.1.2.8
+ 0x7f62ff012000-0x7f62ff013000 /usr/lib64/libz.so.1.2.8
+ 0x7f62ff013000-0x7f62ff050000 /usr/lib64/libblkid.so.1.1.0
+ 0x7f62ff050000-0x7f62ff250000 /usr/lib64/libblkid.so.1.1.0
+ 0x7f62ff250000-0x7f62ff254000 /usr/lib64/libblkid.so.1.1.0
+ 0x7f62ff254000-0x7f62ff255000 /usr/lib64/libblkid.so.1.1.0
+ 0x7f62ff255000-0x7f62ff256000
+ 0x7f62ff256000-0x7f62ff25a000 /usr/lib64/libuuid.so.1.3.0
+ 0x7f62ff25a000-0x7f62ff459000 /usr/lib64/libuuid.so.1.3.0
+ 0x7f62ff459000-0x7f62ff45a000 /usr/lib64/libuuid.so.1.3.0
+ 0x7f62ff45a000-0x7f62ff45b000
+ 0x7f62ff45b000-0x7f62ff45d000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so
+ 0x7f62ff45d000-0x7f62ff65c000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so
+ 0x7f62ff65c000-0x7f62ff65d000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so
+ 0x7f62ff65d000-0x7f62ff65e000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so
+ 0x7f62ff65e000-0x7f62ff682000 /usr/lib64/ld-2.23.so
+ 0x7f62ff810000-0x7f62ff879000
+ 0x7f62ff879000-0x7f62ff881000
+ 0x7f62ff881000-0x7f62ff882000 /usr/lib64/ld-2.23.so
+ 0x7f62ff882000-0x7f62ff883000 /usr/lib64/ld-2.23.so
+ 0x7f62ff883000-0x7f62ff884000
+ 0x7fff5a065000-0x7fff5a086000 [stack]
+ 0x7fff5a0c7000-0x7fff5a0ca000 [vvar]
+ 0x7fff5a0ca000-0x7fff5a0cc000 [vdso]
+ 0xffffffffff600000-0xffffffffff601000 [vsyscall]
+==23294==End of process memory map.
+==23294==AddressSanitizer CHECK failed: /builddir/build/BUILD/compiler-rt-3.8.0.src/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
+ #0 0x4c90cd in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4c90cd)
+ #1 0x4cfa73 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4cfa73)
+ #2 0x4cfc61 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4cfc61)
+ #3 0x4d8922 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4d8922)
+ #4 0x42dbab in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x42dbab)
+ #5 0x4259fb in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4259fb)
+ #6 0x4bfd1a in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfd1a)
+ #7 0x5c181a in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #8 0x5c1c76 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #9 0x58e01c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #10 0x58ea90 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #11 0x5f2f84 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #12 0x5f2d62 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7
+ #13 0x5f2bab in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
+ #14 0x5eff59 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
+ #15 0x5eefa9 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
+ #16 0x51f08f in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11637:9
+ #17 0x4f0f81 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #18 0x7f62fdcf0730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #19 0x4213f8 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4213f8)
+
+checking free space cache
+checking fs roots
+checking csums
+checking root refs
+checking quota groups
+ERROR: while mapping refs: -5
+checking extentsErrors found in extent allocation tree or chunk allocationfound 3472328296227696688 bytes used err is 0
+total csum bytes: 0
+total tree bytes: 16384
+total fs tree bytes: 4096
+total extent tree bytes: 0
+btree space waste bytes: 12674
+file data blocks allocated: 3472328296227680304
+ referenced 3472328296227680304
+extent_io.c:580: free_extent_buffer: Assertion `eb->refs < 0` failed.
+../btrfs[0x47a4a3]
+../btrfs[0x47a550]
+../btrfs(free_extent_buffer+0x6e)[0x47b73c]
+../btrfs(btrfs_release_all_roots+0x8c)[0x461cdf]
+../btrfs(close_ctree_fs_info+0x1f3)[0x46391a]
+../btrfs[0x424043]
+../btrfs(cmd_check+0xe1a)[0x43f352]
+../btrfs(main+0x12b)[0x40b581]
+/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f970daf3291]
+../btrfs(_start+0x2a)[0x40afba]
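Review bot: this description has no prose at all, and it runs together what look like two separate outputs without a separator: the ASAN run (pid 23294) that fails to allocate 3841933312 bytes in calloc from __alloc_extent_buffer (extent_io.c:542), and, from the second "checking free space cache" onward, a backtrace ending in the assertion at extent_io.c:580 in free_extent_buffer. Put one line before each saying which build produced it and what the expected failure is, and break up the "checking extentsErrors found in extent allocation tree or chunk allocationfound ..." line, which has lost its newlines. The process memory map takes up about a hundred lines and says nothing about the image; consider dropping it.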
diff --git a/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.xz b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.xz
new file mode 100644
index 00000000..68f7ffd4
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-172811.raw.txt b/tests/fuzz-tests/images/bko-172811.raw.txt
new file mode 100644
index 00000000..bbdf99b5
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-172811.raw.txt
@@ -0,0 +1,55 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=172811
+Lukas Lueg 2016-09-23 18:34:15 UTC
+
+More news from the fuzzer. The attached image causes a segmentation fault when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+This may be the same cause as 156721, the call-tree is different, though.
+
+The juicy parts:
+
+==19342==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e5 (pc 0x7f3b12e1df50 bp 0x7ffeb50b4260 sp 0x7ffeb50b39e8 T0)
+ #0 0x7f3b12e1df4f in __memmove_avx_unaligned (/lib64/libc.so.6+0x149f4f)
+ #1 0x4a982c in __asan_memcpy (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4a982c)
+ #2 0x5c2d59 in read_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:867:2
+ #3 0x52eaa6 in btrfs_node_key /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1667:2
+ #4 0x5436c7 in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3661:3
+ #5 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10
+ #6 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8
+ #7 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #8 0x7f3b12cf4730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #9 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+parent transid verify failed on 4198400 wanted 65305493131755520 found 14
+parent transid verify failed on 4198400 wanted 65305493131755520 found 14
+Ignoring transid failure
+ERROR: add_tree_backref failed: File exists
+ERROR: add_tree_backref failed: File exists
+parent transid verify failed on 131072 wanted 36283884678912 found 4
+parent transid verify failed on 131072 wanted 36283884678912 found 4
+Ignoring transid failure
+ERROR: tree block bytenr 1280 is not aligned to sectorsize 4096
+checking free space cache
+checking fs roots
+root 5 root dir 41471 not found
+parent transid verify failed on 4198400 wanted 4 found 14
+Ignoring transid failure
+parent transid verify failed on 131072 wanted 36283884678912 found 4
+Ignoring transid failure
+ASAN:DEADLYSIGNAL
+=================================================================
+==19342==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e5 (pc 0x7f3b12e1df50 bp 0x7ffeb50b4260 sp 0x7ffeb50b39e8 T0)
+ #0 0x7f3b12e1df4f in __memmove_avx_unaligned (/lib64/libc.so.6+0x149f4f)
+ #1 0x4a982c in __asan_memcpy (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4a982c)
+ #2 0x5c2d59 in read_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:867:2
+ #3 0x52eaa6 in btrfs_node_key /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1667:2
+ #4 0x5436c7 in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3661:3
+ #5 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10
+ #6 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8
+ #7 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #8 0x7f3b12cf4730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #9 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV (/lib64/libc.so.6+0x149f4f) in __memmove_avx_unaligned
+==19342==ABORTING
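Review bot: the remark "This may be the same cause as 156721" gives a bare number that cannot be followed from the tree; write it as the bugzilla URL or as the corresponding bko- image name. It is also worth saying in the description that check prints "tree block bytenr 1280 is not aligned to sectorsize 4096" and still goes on to the SEGV in read_extent_buffer, reached from btrfs_node_key (ctree.h:1667) in check_fs_root, so the expected result after a fix is clear. The ten-frame stack appears twice; one copy is enough.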
diff --git a/tests/fuzz-tests/images/bko-172811.raw.xz b/tests/fuzz-tests/images/bko-172811.raw.xz
new file mode 100644
index 00000000..08546c2b
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-172811.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-172861.raw.txt b/tests/fuzz-tests/images/bko-172861.raw.txt
new file mode 100644
index 00000000..f395333f
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-172861.raw.txt
@@ -0,0 +1,68 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=172861
+Lukas Lueg 2016-09-24 15:40:54 UTC
+
+More news from the fuzzer. The attached image causes a segmentation fault when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+The juicy parts:
+
+==12279==ERROR: AddressSanitizer: SEGV on unknown address 0x6210010719f9 (pc 0x0000005f30bd bp 0x7ffcf39cc670 sp 0x7ffcf39cc670 T0)
+ #0 0x5f30bc in btrfs_file_extent_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1
+ #1 0x5f2f49 in add_refs_for_leaf_items /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:664:17
+ #2 0x5f2ba9 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:704:9
+ #3 0x5f2c0a in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:719:9
+ #4 0x5f299b in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
+ #5 0x5efd39 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
+ #6 0x5eed89 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
+ #7 0x51ea14 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9
+ #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #9 0x7f811e227730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+Extent back ref already exists for 0 parent 0 root 0
+Extent back ref already exists for 0 parent 0 root 0
+Extent back ref already exists for 0 parent 0 root 0
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+Chunk[256, 228, 7471104]: length(9306112), offset(7471104), type(5) is not found in block group
+Chunk[256, 228, 7471104] stripe[1, 7471104] is not found in dev extent
+ref mismatch on [0 4096] extent item 0, found 4
+Backref 0 parent 0 root 0 not found in extent tree
+Incorrect global backref count on 0 found 1 wanted 4
+backpointer mismatch on [0 4096]
+bad extent [0, 4096), type mismatch with chunk
+ref mismatch on [135168 4096] extent item 0, found 1
+Backref 135168 parent 3 root 3 not found in extent tree
+backpointer mismatch on [135168 4096]
+ref mismatch on [4202496 4096] extent item 0, found 1
+Backref 4202496 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4202496 4096]
+Dev extent's total-byte(0) is not equal to byte-used(16777216) in dev[1, 216, 1]
+checking free space cache
+checking fs roots
+root 5 root dir 0 not found
+checking csums
+checking root refs
+checking quota groups
+ASAN:DEADLYSIGNAL
+=================================================================
+==12279==ERROR: AddressSanitizer: SEGV on unknown address 0x6210010719f9 (pc 0x0000005f30bd bp 0x7ffcf39cc670 sp 0x7ffcf39cc670 T0)
+ #0 0x5f30bc in btrfs_file_extent_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1
+ #1 0x5f2f49 in add_refs_for_leaf_items /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:664:17
+ #2 0x5f2ba9 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:704:9
+ #3 0x5f2c0a in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:719:9
+ #4 0x5f299b in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
+ #5 0x5efd39 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
+ #6 0x5eed89 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
+ #7 0x51ea14 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9
+ #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #9 0x7f811e227730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1 in btrfs_file_extent_type
+==12279==ABORTING
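Review bot: nothing here links this report to the bko-169301 descriptions added in the same commit, although the crash comes in through the same qgroup_verify_all -> map_implied_refs -> add_refs_for_implied -> travel_tree path, this time ending in btrfs_file_extent_type (ctree.h:2083) called from add_refs_for_leaf_items (qgroup-verify.c:664). A one-line cross-reference would let whoever works on the qgroup verification code pick up all three images together. As in the other descriptions, the stack is pasted twice and one copy could go.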
diff --git a/tests/fuzz-tests/images/bko-172861.raw.xz b/tests/fuzz-tests/images/bko-172861.raw.xz
new file mode 100644
index 00000000..c57661d9
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-172861.raw.xz
Binary files differ