diff options
Diffstat (limited to 'tests/fuzz-tests')
25 files changed, 558 insertions, 0 deletions
diff --git a/tests/fuzz-tests/001-simple-unmounted/test.sh b/tests/fuzz-tests/001-simple-unmounted/test.sh new file mode 100755 index 00000000..bf01a3a4 --- /dev/null +++ b/tests/fuzz-tests/001-simple-unmounted/test.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# iterate over all fuzzed images and run 'btrfs check' + +source $TOP/tests/common + +setup_root_helper +check_prereq btrfs + +# redefine the one provided by common +check_image() { + local image + + image=$1 + run_mayfail $TOP/btrfs check "$image" +} + +check_all_images $TOP/tests/fuzz-tests/images + +exit 0 diff --git a/tests/fuzz-tests/images/bad-superblock-1.raw.xz b/tests/fuzz-tests/images/bad-superblock-1.raw.xz Binary files differnew file mode 100644 index 00000000..3d6358f0 --- /dev/null +++ b/tests/fuzz-tests/images/bad-superblock-1.raw.xz diff --git a/tests/fuzz-tests/images/bad-superblock-2.raw.xz b/tests/fuzz-tests/images/bad-superblock-2.raw.xz Binary files differnew file mode 100644 index 00000000..7db7610b --- /dev/null +++ b/tests/fuzz-tests/images/bad-superblock-2.raw.xz diff --git a/tests/fuzz-tests/images/bad-superblock-3.raw.xz b/tests/fuzz-tests/images/bad-superblock-3.raw.xz Binary files differnew file mode 100644 index 00000000..4aa31483 --- /dev/null +++ b/tests/fuzz-tests/images/bad-superblock-3.raw.xz diff --git a/tests/fuzz-tests/images/bad-superblock.txt b/tests/fuzz-tests/images/bad-superblock.txt new file mode 100644 index 00000000..f7dd9aa0 --- /dev/null +++ b/tests/fuzz-tests/images/bad-superblock.txt @@ -0,0 +1,17 @@ +bad-superblock-*.txt + +Crafted images from Jiri Slaby, produced by some symbolic execution framework +that finds unhandled cases at mount time. + +Relevant kernel patches to backport: + +e3540eab29e1b2260bc4b9b3979a49a00e3e3af8 +btrfs: add more checks to btrfs_read_sys_array + +ce7fca5f57ed0fcd7e7b3d7b1a3e1791f8e56fa3 +btrfs: add checks for sys_chunk_array sizes + +75d6ad382bb91f363452119d34238e156589ca2d +btrfs: more superblock checks, lower bounds on devices and sectorsize/nodesize + +(and more from fs/btrfs/super.c) diff --git a/tests/fuzz-tests/images/bko-104131-fsck-oob-read.raw.xz b/tests/fuzz-tests/images/bko-104131-fsck-oob-read.raw.xz Binary files differnew file mode 100644 index 00000000..7848f8b1 --- /dev/null +++ b/tests/fuzz-tests/images/bko-104131-fsck-oob-read.raw.xz diff --git a/tests/fuzz-tests/images/bko-104131-fsck-oob-read.txt b/tests/fuzz-tests/images/bko-104131-fsck-oob-read.txt new file mode 100644 index 00000000..0e829c2e --- /dev/null +++ b/tests/fuzz-tests/images/bko-104131-fsck-oob-read.txt @@ -0,0 +1,31 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=104131 +Hanno Boeck 2015-09-07 07:24:32 UTC + +Created attachment 186941 [details] +malformed btrfs filesystem causing oob read + +The attached malformed filesystem image will cause an invalid heap out of bounds memory read in btrfsck. + +This was found while fuzzing btrfs-progs with american fuzzy lop. + +Stack trace from Address Sanitizer: +==31289==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f00000f003 at pc 0x0000005d0dbb bp 0x7ffdf444c180 sp 0x7ffdf444c178 +READ of size 8 at 0x60f00000f003 thread T0 + #0 0x5d0dba in btrfs_header_bytenr /mnt/ram/btrfs-progs-v4.1.2/./ctree.h:1797:1 + #1 0x5d0dba in check_tree_block /mnt/ram/btrfs-progs-v4.1.2/disk-io.c:60 + #2 0x5d0dba in read_tree_block /mnt/ram/btrfs-progs-v4.1.2/disk-io.c:337 + #3 0x5dc00e in btrfs_setup_chunk_tree_and_device_map /mnt/ram/btrfs-progs-v4.1.2/disk-io.c:1169:30 + #4 0x5dcf89 in __open_ctree_fd /mnt/ram/btrfs-progs-v4.1.2/disk-io.c:1261:8 + #5 0x5dc50a in open_ctree_fs_info /mnt/ram/btrfs-progs-v4.1.2/disk-io.c:1302:9 + #6 0x52f22f in cmd_check /mnt/ram/btrfs-progs-v4.1.2/cmds-check.c:9333:9 + #7 0x4e7bcc in main /mnt/ram/btrfs-progs-v4.1.2/btrfs.c:245:7 + #8 0x7f98bb101f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289 + #9 0x41f748 in _start (/mnt/ram/btrfs/btrfs+0x41f748) + +0x60f00000f003 is located 3 bytes to the right of 176-byte region [0x60f00000ef50,0x60f00000f000) +allocated by thread T0 here: + #0 0x4bade8 in malloc (/mnt/ram/btrfs/btrfs+0x4bade8) + #1 0x622c24 in __alloc_extent_buffer /mnt/ram/btrfs-progs-v4.1.2/extent_io.c:541:7 + #2 0x622c24 in alloc_extent_buffer /mnt/ram/btrfs-progs-v4.1.2/extent_io.c:648 + #3 0x5cf436 in btrfs_find_create_tree_block /mnt/ram/btrfs-progs-v4.1.2/disk-io.c:186:9 + #4 0x5cf436 in read_tree_block /mnt/ram/btrfs-progs-v4.1.2/disk-io.c:314 diff --git a/tests/fuzz-tests/images/bko-104141-fsck-exception.raw.xz b/tests/fuzz-tests/images/bko-104141-fsck-exception.raw.xz Binary files differnew file mode 100644 index 00000000..d24a32f8 --- /dev/null +++ b/tests/fuzz-tests/images/bko-104141-fsck-exception.raw.xz diff --git a/tests/fuzz-tests/images/bko-104141-fsck-exception.txt b/tests/fuzz-tests/images/bko-104141-fsck-exception.txt new file mode 100644 index 00000000..aed91909 --- /dev/null +++ b/tests/fuzz-tests/images/bko-104141-fsck-exception.txt @@ -0,0 +1,9 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=104141 +Hanno Boeck 2015-09-07 07:27:58 UTC + +Created attachment 186951 [details] +malformed filesystem causing floating point exception + +The attacked file will cause a floating point exception in btrfsck. + +This was found while fuzzing btrfs-progs with american fuzzy lop. diff --git a/tests/fuzz-tests/images/bko-96971-btrfs-image.raw.xz b/tests/fuzz-tests/images/bko-96971-btrfs-image.raw.xz Binary files differnew file mode 100644 index 00000000..21aa33b0 --- /dev/null +++ b/tests/fuzz-tests/images/bko-96971-btrfs-image.raw.xz diff --git a/tests/fuzz-tests/images/bko-96971-btrfs-image.txt b/tests/fuzz-tests/images/bko-96971-btrfs-image.txt new file mode 100644 index 00000000..ff85540d --- /dev/null +++ b/tests/fuzz-tests/images/bko-96971-btrfs-image.txt @@ -0,0 +1,69 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=96971 + Lukas Lueg 2015-04-20 23:01:44 UTC + +I've identified some problems in the btrfs code and attached a btrfs-image +which causes the userland tools to crash and the kernel to immediately freeze +once the filesystem get's mounted and one of the files is accessed. Putting +the image onto a usb-drive gives you a freeze-on-a-stick :-) + +"btrfs check" crashes due to a SIGFPE in count_csum_range(). The culprit is +struct btrfs_root->fs_info->super_copy->csum_size being 0, which goes +unchecked before entering a division. I was not able to identify where the +kernel crashes (system goes down the tubes), yet the problem is probably the +same. + +"btrfs version" is v3.19.1; bug is also present in latest git (kdave and +unstable) as of 2015/04/21 + + +Full gdb output: + +gdb btrfs +GNU gdb (GDB) Fedora 7.8.2-38.fc21 +Copyright (C) 2014 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. Type "show copying" +and "show warranty" for details. +This GDB was configured as "x86_64-redhat-linux-gnu". +Type "show configuration" for configuration details. +For bug reporting instructions, please see: +<http://www.gnu.org/software/gdb/bugs/>. +Find the GDB manual and other documentation resources online at: +<http://www.gnu.org/software/gdb/documentation/>. +For help, type "help". +Type "apropos word" to search for commands related to "word"... +Reading symbols from btrfs...Reading symbols from /usr/lib/debug/usr/sbin/btrfs.debug...done. +done. +(gdb) run check btrfs_fukked.bin +Starting program: /usr/sbin/btrfs check btrfs_fukked.bin +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib64/libthread_db.so.1". +Checking filesystem on btrfs_fukked.bin +UUID: cdd8684f-9eb1-40a4-91ec-1ed7c3cb444c +checking extents +checking free space cache +checking fs roots + +Program received signal SIGFPE, Arithmetic exception. +count_csum_range (root=<optimized out>, root=<optimized out>, + found=<synthetic pointer>, len=7385088, start=7471104) at cmds-check.c:1455 +1455 csum_end = key.offset + (size / csum_size) * root->sectorsize; +(gdb) bt +#0 count_csum_range (root=<optimized out>, root=<optimized out>, + found=<synthetic pointer>, len=7385088, start=7471104) at cmds-check.c:1455 +#1 process_file_extent (active_node=0x7fffffffd710, key=0x7fffffffd680, + slot=11, eb=<optimized out>, root=0x894b10) at cmds-check.c:1551 +#2 process_one_leaf (wc=0x7fffffffd6c0, eb=<optimized out>, root=0x894b10) + at cmds-check.c:1617 +#3 walk_down_tree (level=<synthetic pointer>, wc=0x7fffffffd6c0, + path=0x7fffffffd7f0, root=0x894b10) at cmds-check.c:1742 +#4 check_fs_root (wc=0x7fffffffd6c0, root_cache=0x7fffffffdb20, root=0x894b10) + at cmds-check.c:3380 +#5 check_fs_roots (root_cache=root_cache@entry=0x7fffffffdb20, root=0x894b10) + at cmds-check.c:3516 +#6 0x0000000000428aea in cmd_check (argc=<optimized out>, + argv=<optimized out>) at cmds-check.c:9465 +#7 0x000000000040e5a2 in main (argc=2, argv=0x7fffffffdeb0) at btrfs.c:245 +(gdb) p csum_size +$2 = 0 diff --git a/tests/fuzz-tests/images/bko-97191-btrfs-image.raw.txt b/tests/fuzz-tests/images/bko-97191-btrfs-image.raw.txt new file mode 100644 index 00000000..f0d81894 --- /dev/null +++ b/tests/fuzz-tests/images/bko-97191-btrfs-image.raw.txt @@ -0,0 +1,137 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=97191 +Lukas Lueg 2015-04-23 22:20:35 UTC + +Running btrfs-progs v3.19.1 + +The btrfs-image attached to this bug causes the btrfs-userland tool to +overflow some data structures, leading to unallocated memory being written to +and read from. A segfault results shortly after. Reproduced on x86-64 and +i686. + +The kernel seems to be less affected and fails to mount the image. I didn't +investigate whether the reads/writes could be used to gain control over $EIP. +Since the first invalid write of 8 bytes seems to run into adjacent heap +blocks (crash in unlink()), it may be possible though. + +gdb output: + +Program received signal SIGSEGV, Segmentation fault. +malloc_consolidate (av=av@entry=0x32629b7cc0 <main_arena>) at malloc.c:4151 +4151 unlink(av, p, bck, fwd); +(gdb) bt +#0 malloc_consolidate (av=av@entry=0x32629b7cc0 <main_arena>) at malloc.c:4151 +#1 0x0000003262680628 in _int_malloc (av=av@entry=0x32629b7cc0 <main_arena>, bytes=bytes@entry=4224) at malloc.c:3420 +#2 0x000000326268315e in __GI___libc_malloc (bytes=4224) at malloc.c:2896 +#3 0x0000000000449d15 in __alloc_extent_buffer (tree=0x88c078, bytenr=4288512, blocksize=4096) at extent_io.c:541 +#4 0x000000000044a8b4 in alloc_extent_buffer (tree=0x88c078, bytenr=4288512, blocksize=4096) at extent_io.c:648 +#5 0x000000000043b1a0 in btrfs_find_create_tree_block (root=root@entry=0x895840, bytenr=<optimized out>, + blocksize=<optimized out>) at disk-io.c:159 +#6 0x000000000043ca4e in read_tree_block (root=root@entry=0x895840, bytenr=<optimized out>, blocksize=<optimized out>, + parent_transid=13) at disk-io.c:287 +#7 0x000000000043ccb7 in find_and_setup_root (tree_root=0x88c250, fs_info=<optimized out>, objectid=5, root=0x895840) + at disk-io.c:557 +#8 0x000000000043ce92 in btrfs_read_fs_root_no_cache (fs_info=fs_info@entry=0x88c010, location=location@entry=0x7fffffffd960) + at disk-io.c:640 +#9 0x000000000043d060 in btrfs_read_fs_root (fs_info=fs_info@entry=0x88c010, location=location@entry=0x7fffffffd960) + at disk-io.c:739 +#10 0x000000000043d48c in btrfs_setup_all_roots (fs_info=fs_info@entry=0x88c010, root_tree_bytenr=<optimized out>, + root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:988 +#11 0x000000000043d802 in __open_ctree_fd (fp=fp@entry=3, path=path@entry=0x7fffffffe20d "ramdisk/btrfs_fukked.bin", + sb_bytenr=65536, sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) + at disk-io.c:1199 +#12 0x000000000043d965 in open_ctree_fs_info (filename=0x7fffffffe20d "ramdisk/btrfs_fukked.bin", sb_bytenr=sb_bytenr@entry=0, + root_tree_bytenr=root_tree_bytenr@entry=0, flags=flags@entry=OPEN_CTREE_EXCLUSIVE) at disk-io.c:1231 +#13 0x0000000000427bf5 in cmd_check (argc=1, argv=0x7fffffffdea0) at cmds-check.c:9326 +#14 0x000000000040e5a2 in main (argc=2, argv=0x7fffffffdea0) at btrfs.c:245 + + +valgrind output: + +==32463== Memcheck, a memory error detector +==32463== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. +==32463== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info +==32463== Command: btrfs check ramdisk/btrfs_fukked.bin +==32463== +==32463== Invalid write of size 8 +==32463== at 0x4386FB: btrfs_search_slot (ctree.c:1119) +==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) +==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) +==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) +==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) +==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) +==32463== by 0x40E5A1: main (btrfs.c:245) +==32463== Address 0x4c409f0 is 16 bytes after a block of size 144 alloc'd +==32463== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==32463== by 0x4427AB: btrfs_read_block_groups (extent-tree.c:3162) +==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) +==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) +==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) +==32463== by 0x40E5A1: main (btrfs.c:245) +==32463== +==32463== Invalid read of size 8 +==32463== at 0x436E70: check_block.part.14 (ctree.c:548) +==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) +==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) +==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) +==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) +==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) +==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) +==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) +==32463== by 0x40E5A1: main (btrfs.c:245) +==32463== Address 0x4c409f8 is 24 bytes after a block of size 144 in arena "client" +==32463== +==32463== Invalid read of size 4 +==32463== at 0x436E84: UnknownInlinedFun (ctree.h:1605) +==32463== by 0x436E84: UnknownInlinedFun (ctree.h:1612) +==32463== by 0x436E84: check_block.part.14 (ctree.c:550) +==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) +==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) +==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) +==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) +==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) +==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) +==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) +==32463== by 0x40E5A1: main (btrfs.c:245) +==32463== Address 0x4c409e4 is 4 bytes after a block of size 144 alloc'd +==32463== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==32463== by 0x4427AB: btrfs_read_block_groups (extent-tree.c:3162) +==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) +==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) +==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) +==32463== by 0x40E5A1: main (btrfs.c:245) +==32463== +==32463== Invalid read of size 1 +==32463== at 0x4A0B3A0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==32463== by 0x436E99: UnknownInlinedFun (ctree.h:1613) +==32463== by 0x436E99: check_block.part.14 (ctree.c:550) +==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) +==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) +==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) +==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) +==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) +==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) +==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) +==32463== by 0x40E5A1: main (btrfs.c:245) +==32463== Address 0x1b1 is not stack'd, malloc'd or (recently) free'd +==32463== +==32463== +==32463== Process terminating with default action of signal 11 (SIGSEGV) +==32463== Access not within mapped region at address 0x1B1 +==32463== at 0x4A0B3A0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==32463== by 0x436E99: UnknownInlinedFun (ctree.h:1613) +==32463== by 0x436E99: check_block.part.14 (ctree.c:550) +==32463== by 0x438954: UnknownInlinedFun (kerncompat.h:91) +==32463== by 0x438954: btrfs_search_slot (ctree.c:1120) +==32463== by 0x4427F7: UnknownInlinedFun (extent-tree.c:3117) +==32463== by 0x4427F7: btrfs_read_block_groups (extent-tree.c:3167) +==32463== by 0x43D4F2: btrfs_setup_all_roots (disk-io.c:983) +==32463== by 0x43D801: __open_ctree_fd (disk-io.c:1199) +==32463== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==32463== by 0x427BF4: cmd_check (cmds-check.c:9326) +==32463== by 0x40E5A1: main (btrfs.c:245) diff --git a/tests/fuzz-tests/images/bko-97191-btrfs-image.raw.xz b/tests/fuzz-tests/images/bko-97191-btrfs-image.raw.xz Binary files differnew file mode 100644 index 00000000..b2e48c08 --- /dev/null +++ b/tests/fuzz-tests/images/bko-97191-btrfs-image.raw.xz diff --git a/tests/fuzz-tests/images/bko-97271-btrfs-image.raw.txt b/tests/fuzz-tests/images/bko-97271-btrfs-image.raw.txt new file mode 100644 index 00000000..67f20968 --- /dev/null +++ b/tests/fuzz-tests/images/bko-97271-btrfs-image.raw.txt @@ -0,0 +1,54 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=97271 +Lukas Lueg 2015-04-25 20:34:39 UTC + +The attached btrfs-image causes "btrfs check" to write outside of allocated +memory locations and ultimately die due to a segfault. An adjacent heap block's +control structure is overwritten with a `struct extent_buffer *`, which is not +controllable by the user. + +"btrfs version" is v3.19.1. Running "btrfs check" immediately dies with + +*** Error in `btrfs': double free or corruption (!prev): 0x0000000002396ec0 *** +*** Error in `btrfs': malloc(): memory corruption: 0x0000000002396f60 *** + +Debugging with valgrind and gdb gives + +==11670== Invalid write of size 8 +==11670== at 0x4386FB: btrfs_search_slot (ctree.c:1119) +==11670== by 0x44E16E: btrfs_read_chunk_tree (volumes.c:1814) +==11670== by 0x43D654: btrfs_setup_chunk_tree_and_device_map (disk-io.c:1115) +==11670== by 0x43D7D0: __open_ctree_fd (disk-io.c:1190) +==11670== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==11670== by 0x427BF4: cmd_check (cmds-check.c:9326) +==11670== by 0x40E5A1: main (btrfs.c:245) +==11670== Address 0x4c3bb98 is 8 bytes after a block of size 144 alloc'd +==11670== at 0x4A08946: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==11670== by 0x44E133: btrfs_read_chunk_tree (volumes.c:1801) +==11670== by 0x43D654: btrfs_setup_chunk_tree_and_device_map (disk-io.c:1115) +==11670== by 0x43D7D0: __open_ctree_fd (disk-io.c:1190) +==11670== by 0x43D964: open_ctree_fs_info (disk-io.c:1231) +==11670== by 0x427BF4: cmd_check (cmds-check.c:9326) +==11670== by 0x40E5A1: main (btrfs.c:245) + +Program received signal SIGTRAP, Trace/breakpoint trap. +btrfs_search_slot (trans=trans@entry=0x0, root=root@entry=0x4c36d30, key=key@entry=0xffefff830, p=p@entry=0x4c3bb00, + ins_len=ins_len@entry=0, cow=cow@entry=0) at ctree.c:1119 +1119 p->nodes[level] = b; +(gdb) p p->nodes +$1 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0} +(gdb) p p +$2 = (struct btrfs_path *) 0x4c3bb00 +(gdb) p b +$3 = (struct extent_buffer *) 0x4c3a990 + + +The corresponding part in ctree.c:btrfs_search_slot() seems to fail to check if `level` overflows outside of `node`: + +level = btrfs_header_level(b); +... +if (level != btrfs_header_level(b)) + WARN_ON(1); +level = btrfs_header_level(b); +p->nodes[level] = b; // <- Illegal write + +Maybe the repeated calls to btrfs_header_level() were meant to do something once, they seem to be noise. diff --git a/tests/fuzz-tests/images/bko-97271-btrfs-image.raw.xz b/tests/fuzz-tests/images/bko-97271-btrfs-image.raw.xz Binary files differnew file mode 100644 index 00000000..3c79edb5 --- /dev/null +++ b/tests/fuzz-tests/images/bko-97271-btrfs-image.raw.xz diff --git a/tests/fuzz-tests/images/superblock-stripsize-bogus.raw.txt b/tests/fuzz-tests/images/superblock-stripsize-bogus.raw.txt new file mode 100644 index 00000000..80e073f6 --- /dev/null +++ b/tests/fuzz-tests/images/superblock-stripsize-bogus.raw.txt @@ -0,0 +1,32 @@ +[ 125.415910] BTRFS info (device loop0): disk space caching is enabled +[ 125.550479] ------------[ cut here ]------------ +[ 125.551145] WARNING: CPU: 6 PID: 1496 at fs/btrfs/locking.c:251 btrfs_tree_lock+0x22e/0x250 +[ 125.552292] Modules linked in: +[ 125.552602] CPU: 6 PID: 1496 Comm: btrfs.exe Tainted: G W 4.6.0-rc5 #130 +[ 125.553138] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014 +[ 125.553775] 0000000000000286 000000009b4bdd50 ffff88006a7478e0 ffffffff8157e563 +[ 125.554299] 0000000000000000 0000000000000000 ffff88006a747920 ffffffff810a74ab +[ 125.554825] 000000fb8146c531 ffff88006bfec460 ffff88006bc63000 0000000000000000 +[ 125.555373] Call Trace: +[ 125.555545] [<ffffffff8157e563>] dump_stack+0x85/0xc2 +[ 125.555892] [<ffffffff810a74ab>] __warn+0xcb/0xf0 +[ 125.556226] [<ffffffff810a75dd>] warn_slowpath_null+0x1d/0x20 +[ 125.556654] [<ffffffff814871ee>] btrfs_tree_lock+0x22e/0x250 +[ 125.557041] [<ffffffff81423831>] btrfs_init_new_buffer+0x81/0x160 +[ 125.557458] [<ffffffff8143472a>] btrfs_alloc_tree_block+0x22a/0x430 +[ 125.557883] [<ffffffff8141ae61>] __btrfs_cow_block+0x141/0x590 +[ 125.558279] [<ffffffff8141b44f>] btrfs_cow_block+0x11f/0x1f0 +[ 125.558666] [<ffffffff8141f09e>] btrfs_search_slot+0x1fe/0xa30 +[ 125.559063] [<ffffffff81247c9d>] ? kmem_cache_alloc+0xfd/0x240 +[ 125.559482] [<ffffffff8143b1f0>] btrfs_del_inode_ref+0x80/0x380 +[ 125.559884] [<ffffffff8148e11a>] ? btrfs_del_inode_ref_in_log+0x8a/0x160 +[ 125.560340] [<ffffffff8148e14d>] btrfs_del_inode_ref_in_log+0xbd/0x160 +[ 125.560776] [<ffffffff814507f7>] __btrfs_unlink_inode+0x1d7/0x470 +[ 125.561188] [<ffffffff814567a7>] btrfs_rename2+0x327/0x790 +[ 125.561568] [<ffffffff8127b398>] vfs_rename+0x4d8/0x840 +[ 125.561928] [<ffffffff81281b21>] SyS_rename+0x371/0x390 +[ 125.562289] [<ffffffff819cfd3c>] entry_SYSCALL_64_fastpath+0x1f/0xbd +[ 125.562743] ---[ end trace 3b751f511705fb90 ]--- + +--------------------------------------------------------------------------- +Fixed by patch: diff --git a/tests/fuzz-tests/images/superblock-stripsize-bogus.raw.xz b/tests/fuzz-tests/images/superblock-stripsize-bogus.raw.xz Binary files differnew file mode 100644 index 00000000..f8b3bf54 --- /dev/null +++ b/tests/fuzz-tests/images/superblock-stripsize-bogus.raw.xz diff --git a/tests/fuzz-tests/images/superblock-total-bytes-0.raw.txt b/tests/fuzz-tests/images/superblock-total-bytes-0.raw.txt new file mode 100644 index 00000000..d5e1f936 --- /dev/null +++ b/tests/fuzz-tests/images/superblock-total-bytes-0.raw.txt @@ -0,0 +1,50 @@ +[342246.846031] BTRFS info (device loop0): disk space caching is enabled +[342246.862115] ------------[ cut here ]------------ +[342246.862500] kernel BUG at fs/btrfs/inode.c:978! +[342246.862861] invalid opcode: 0000 [#1] SMP +[342246.863176] Modules linked in: +[342246.863410] CPU: 2 PID: 14504 Comm: btrfs.exe Tainted: G W 4.6.0-rc5 #130 +[342246.864010] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014 +[342246.864674] task: ffff88006fdf0000 ti: ffff8800702e0000 task.ti: ffff8800702e0000 +[342246.865186] RIP: 0010:[<ffffffff8144e9c7>] [<ffffffff8144e9c7>] cow_file_range+0x3f7/0x440 +[342246.865770] RSP: 0018:ffff8800702e39e0 EFLAGS: 00010206 +[342246.866157] RAX: ffff88006bb23000 RBX: 0000000000000001 RCX: 0000000000010000 +[342246.866687] RDX: 0000000000000000 RSI: 0000000000001000 RDI: 0000000000010000 +[342246.867191] RBP: ffff8800702e3a70 R08: 0000000000000000 R09: 0000000000000000 +[342246.867682] R10: 000000000000ffff R11: 0000000000010000 R12: ffff8800702e3bc0 +[342246.868170] R13: ffff8800702e3b3c R14: 0000000000000000 R15: ffff880075369c10 +[342246.868660] FS: 00007f96f5a38700(0000) GS:ffff88007ca00000(0000) knlGS:0000000000000000 +[342246.869212] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[342246.869642] CR2: 000000000060f4bf CR3: 000000006fc9f000 CR4: 00000000000006e0 +[342246.870146] Stack: +[342246.870295] 0000000000000000 0000000000000001 000000000000ffff ffffea00010c08c0 +[342246.870838] ffff8800753698e8 0000000000010000 ffff88006fe0f000 000000000000ffff +[342246.871397] 000000000000ffff ffffffff814683e5 ffff8800753698c8 ffff8800753698e8 +[342246.871944] Call Trace: +[342246.872124] [<ffffffff814683e5>] ? test_range_bit+0xe5/0x130 +[342246.872522] [<ffffffff8144f906>] run_delalloc_range+0x396/0x3d0 +[342246.872975] [<ffffffff8146873f>] writepage_delalloc.isra.42+0x10f/0x170 +[342246.873437] [<ffffffff8146a674>] __extent_writepage+0xf4/0x370 +[342246.873848] [<ffffffff8146abf4>] extent_write_cache_pages.isra.39.constprop.57+0x304/0x3f0 +[342246.874419] [<ffffffff8146beec>] extent_writepages+0x5c/0x90 +[342246.874818] [<ffffffff8144c870>] ? btrfs_real_readdir+0x5f0/0x5f0 +[342246.875245] [<ffffffff814498f8>] btrfs_writepages+0x28/0x30 +[342246.875641] [<ffffffff811ebc61>] do_writepages+0x21/0x30 +[342246.876031] [<ffffffff811dc1a6>] __filemap_fdatawrite_range+0xc6/0x100 +[342246.876487] [<ffffffff811dc2b3>] filemap_fdatawrite_range+0x13/0x20 +[342246.876949] [<ffffffff8145eae0>] btrfs_fdatawrite_range+0x20/0x50 +[342246.877375] [<ffffffff8145eb29>] start_ordered_ops+0x19/0x30 +[342246.877774] [<ffffffff8145ebc2>] btrfs_sync_file+0x82/0x3f0 +[342246.878166] [<ffffffff810fb717>] ? update_fast_ctr+0x17/0x30 +[342246.878564] [<ffffffff812a848b>] vfs_fsync_range+0x4b/0xb0 +[342246.878987] [<ffffffff8128fce6>] ? __fget_light+0x66/0x90 +[342246.879368] [<ffffffff812a854d>] do_fsync+0x3d/0x70 +[342246.879708] [<ffffffff812a8823>] SyS_fdatasync+0x13/0x20 +[342246.880099] [<ffffffff819cfd3c>] entry_SYSCALL_64_fastpath+0x1f/0xbd +[342246.880554] Code: 03 00 00 48 c7 c7 00 b3 c9 81 c6 05 54 b6 b1 00 01 e8 0e 8c c5 ff e9 e5 fe ff ff 49 8b 57 40 e9 c0 fe ff ff bb f4 ff ff ff eb a1 <0f> 0b 48 8b 55 80 41 b9 0f 00 00 00 41 b8 68 00 00 00 31 c9 31 +[342246.882394] RIP [<ffffffff8144e9c7>] cow_file_range+0x3f7/0x440 +[342246.882810] RSP <ffff8800702e39e0> +[342246.883076] ---[ end trace 094193b6df6e45e7 ]--- + +-------------------------------------------------------- +Fixed by patch: diff --git a/tests/fuzz-tests/images/superblock-total-bytes-0.raw.xz b/tests/fuzz-tests/images/superblock-total-bytes-0.raw.xz Binary files differnew file mode 100644 index 00000000..4b25020e --- /dev/null +++ b/tests/fuzz-tests/images/superblock-total-bytes-0.raw.xz diff --git a/tests/fuzz-tests/images/sys-array-num-stripes-0.raw.txt b/tests/fuzz-tests/images/sys-array-num-stripes-0.raw.txt new file mode 100644 index 00000000..bdde4e70 --- /dev/null +++ b/tests/fuzz-tests/images/sys-array-num-stripes-0.raw.txt @@ -0,0 +1,30 @@ +URL: http://article.gmane.org/gmane.comp.file-systems.btrfs/50230 +Vegard Nossum, 2015-11-15 + +If sys_array::num_stripes == 0, we hit a BUG_ON during mount: + +BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0 +BTRFS info (device loop0): disk space caching is enabled +BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()! +Kernel panic - not syncing: BUG! +CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25 +Stack: + 637af890 60062489 602aeb2e 604192ba + 60387961 00000011 637af8a0 6038a835 + 637af9c0 6038776b 634ef32b 00000000 +Call Trace: + [<6001c86d>] show_stack+0xfe/0x15b + [<6038a835>] dump_stack+0x2a/0x2c + [<6038776b>] panic+0x13e/0x2b3 + [<6020f099>] btrfs_read_sys_array+0x25d/0x2ff + [<601cfbbe>] open_ctree+0x192d/0x27af + [<6019c2c1>] btrfs_mount+0x8f5/0xb9a + [<600bc9a7>] mount_fs+0x11/0xf3 + [<600d5167>] vfs_kern_mount+0x75/0x11a + [<6019bcb0>] btrfs_mount+0x2e4/0xb9a + [<600bc9a7>] mount_fs+0x11/0xf3 + [<600d5167>] vfs_kern_mount+0x75/0x11a + [<600d710b>] do_mount+0xa35/0xbc9 + [<600d7557>] SyS_mount+0x95/0xc8 + +Fixed by patch (kernel and btrfs-progs): btrfs: handle invalid num_stripes in sys_array diff --git a/tests/fuzz-tests/images/sys-array-num-stripes-0.raw.xz b/tests/fuzz-tests/images/sys-array-num-stripes-0.raw.xz Binary files differnew file mode 100644 index 00000000..d64fb300 --- /dev/null +++ b/tests/fuzz-tests/images/sys-array-num-stripes-0.raw.xz diff --git a/tests/fuzz-tests/images/sys-chunk-stripe-len-bogus.raw.txt b/tests/fuzz-tests/images/sys-chunk-stripe-len-bogus.raw.txt new file mode 100644 index 00000000..d3dcb0a4 --- /dev/null +++ b/tests/fuzz-tests/images/sys-chunk-stripe-len-bogus.raw.txt @@ -0,0 +1,54 @@ +[ 135.166891] BTRFS info (device loop0): disk space caching is enabled +[ 135.169199] divide error: 0000 [#1] SMP +[ 135.169581] Modules linked in: +[ 135.169819] CPU: 2 PID: 1512 Comm: btrfs.exe Tainted: G W 4.6.0-rc5 #130 +[ 135.170285] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014 +[ 135.170958] task: ffff880074925180 ti: ffff880077fa4000 task.ti: ffff880077fa4000 +[ 135.171583] RIP: 0010:[<ffffffff81475ba0>] [<ffffffff81475ba0>] __btrfs_map_block+0xc0/0x11b0 +[ 135.172096] RSP: 0000:ffff880077fa77b0 EFLAGS: 00010206 +[ 135.172374] RAX: 0000000000020000 RBX: 0000000000020000 RCX: 0000000000000000 +[ 135.172754] RDX: 0000000000000000 RSI: 0000000000400000 RDI: ffff880076258270 +[ 135.173143] RBP: ffff880077fa7898 R08: 0000000000400000 R09: 0000000000000000 +[ 135.173523] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 +[ 135.173916] R13: ffff880076258270 R14: ffff880077fa78e0 R15: ffff88006bb3b000 +[ 135.174290] FS: 00007fd8267dc700(0000) GS:ffff88007ca00000(0000) knlGS:0000000000000000 +[ 135.174718] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 135.175019] CR2: 00007ffe9c378df7 CR3: 0000000078788000 CR4: 00000000000006e0 +[ 135.175392] Stack: +[ 135.175503] ffff88007cbe2c40 0000000000000000 ffff88007cbe2c50 ffff880074925180 +[ 135.175924] ffff880074926560 ffff880074925180 0000000200000000 0000000000000000 +[ 135.176340] ffffffffffffffff 0007ffffffffffff ffffffff8143eb18 0240004000000000 +[ 135.176778] Call Trace: +[ 135.176913] [<ffffffff8143eb18>] ? btrfs_bio_wq_end_io+0x28/0x70 +[ 135.177234] [<ffffffff81477218>] btrfs_map_bio+0x88/0x350 +[ 135.177522] [<ffffffff8143eb18>] ? btrfs_bio_wq_end_io+0x28/0x70 +[ 135.177960] [<ffffffff8143ed9d>] btree_submit_bio_hook+0x6d/0x110 +[ 135.178410] [<ffffffff81464d1d>] submit_one_bio+0x6d/0xa0 +[ 135.178814] [<ffffffff8146d6f1>] read_extent_buffer_pages+0x1c1/0x350 +[ 135.179276] [<ffffffff8143cd60>] ? free_root_pointers+0x70/0x70 +[ 135.179708] [<ffffffff8143e12c>] btree_read_extent_buffer_pages.constprop.55+0xac/0x110 +[ 135.180261] [<ffffffff8143f036>] read_tree_block+0x36/0x60 +[ 135.180647] [<ffffffff81443b52>] open_ctree+0x17a2/0x2900 +[ 135.181027] [<ffffffff81417225>] btrfs_mount+0xd05/0xe60 +[ 135.181400] [<ffffffff819cd15a>] ? __mutex_unlock_slowpath+0xfa/0x1c0 +[ 135.181850] [<ffffffff810fd3e4>] ? lockdep_init_map+0x64/0x710 +[ 135.182241] [<ffffffff81272918>] mount_fs+0x38/0x170 +[ 135.182609] [<ffffffff81292b7b>] vfs_kern_mount+0x6b/0x150 +[ 135.182998] [<ffffffff814166e6>] btrfs_mount+0x1c6/0xe60 +[ 135.183372] [<ffffffff819cd15a>] ? __mutex_unlock_slowpath+0xfa/0x1c0 +[ 135.183825] [<ffffffff810fd3e4>] ? lockdep_init_map+0x64/0x710 +[ 135.184233] [<ffffffff81272918>] mount_fs+0x38/0x170 +[ 135.184583] [<ffffffff81292b7b>] vfs_kern_mount+0x6b/0x150 +[ 135.184971] [<ffffffff812958c6>] do_mount+0x256/0xeb0 +[ 135.185318] [<ffffffff8124bb33>] ? __kmalloc_track_caller+0x113/0x290 +[ 135.185759] [<ffffffff812b0b63>] ? block_ioctl+0x43/0x50 +[ 135.186124] [<ffffffff811ff023>] ? memdup_user+0x53/0x80 +[ 135.186488] [<ffffffff81296865>] SyS_mount+0x95/0xe0 +[ 135.186877] [<ffffffff819cfd3c>] entry_SYSCALL_64_fastpath+0x1f/0xbd +[ 135.187308] Code: 8b 70 20 4c 8d 04 31 4c 39 c3 0f 87 2f 0b 00 00 48 8b 45 a8 49 89 dc 31 d2 49 29 cc 48 8b 40 70 48 63 48 10 48 89 45 a0 4c 89 e0 <48> f7 f1 49 89 cf 48 89 45 b8 48 0f af c1 49 39 c4 0f 82 c3 0a +[ 135.189097] RIP [<ffffffff81475ba0>] __btrfs_map_block+0xc0/0x11b0 +[ 135.189527] RSP <ffff880077fa77b0> +[ 135.189819] ---[ end trace ea21fae64670799a ]--- + +--------------------------------------------------------------------------- +Fixed by patch: diff --git a/tests/fuzz-tests/images/sys-chunk-stripe-len-bogus.raw.xz b/tests/fuzz-tests/images/sys-chunk-stripe-len-bogus.raw.xz Binary files differnew file mode 100644 index 00000000..57d2a72f --- /dev/null +++ b/tests/fuzz-tests/images/sys-chunk-stripe-len-bogus.raw.xz diff --git a/tests/fuzz-tests/images/sys-chunk-type-bogus.raw.txt b/tests/fuzz-tests/images/sys-chunk-type-bogus.raw.txt new file mode 100644 index 00000000..2559924d --- /dev/null +++ b/tests/fuzz-tests/images/sys-chunk-type-bogus.raw.txt @@ -0,0 +1,55 @@ +[ 145.676440] BTRFS error (device loop0): bad tree block start 0 131072 +[ 145.677032] ------------[ cut here ]------------ +[ 145.677307] kernel BUG at fs/btrfs/raid56.c:2142! +[ 145.677627] invalid opcode: 0000 [#1] SMP +[ 145.677955] Modules linked in: +[ 145.678182] CPU: 3 PID: 1538 Comm: btrfs.exe Tainted: G W 4.6.0-rc5 #130 +[ 145.678734] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014 +[ 145.679402] task: ffff88006c830000 ti: ffff88006fc74000 task.ti: ffff88006fc74000 +[ 145.679919] RIP: 0010:[<ffffffff814c5794>] [<ffffffff814c5794>] raid56_parity_recover+0xc4/0x160 +[ 145.680514] RSP: 0018:ffff88006fc77868 EFLAGS: 00010286 +[ 145.680865] RAX: ffff88006f725280 RBX: ffff880070ba0a68 RCX: 0000000000020000 +[ 145.681373] RDX: 0000000000000100 RSI: 00000000ffffffff RDI: ffffffff831229e8 +[ 145.681866] RBP: ffff88006fc77898 R08: 0000000000010000 R09: ffff8800768ff400 +[ 145.682380] R10: ffff88007c003180 R11: 0000000000030000 R12: ffff88006f725280 +[ 145.682870] R13: ffff88007b449000 R14: 0000000000000001 R15: ffff8800768ff400 +[ 145.683363] FS: 00007f68b95a8700(0000) GS:ffff88007cc00000(0000) knlGS:0000000000000000 +[ 145.683941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 145.684340] CR2: 00007fff0d130f98 CR3: 000000006bfd7000 CR4: 00000000000006e0 +[ 145.684832] Stack: +[ 145.684977] 00000002e6816dd1 ffff880070ba0a68 ffff88007b449000 0000000000000001 +[ 145.685541] 0000000000020000 0000000000000002 ffff88006fc77920 ffffffff814773cd +[ 145.686082] ffff880000000001 0000000002400040 ffff88006fc778f8 0000000081247c9d +[ 145.686654] Call Trace: +[ 145.686831] [<ffffffff814773cd>] btrfs_map_bio+0x23d/0x350 +[ 145.687217] [<ffffffff8143ed9d>] btree_submit_bio_hook+0x6d/0x110 +[ 145.687649] [<ffffffff81464d1d>] submit_one_bio+0x6d/0xa0 +[ 145.688028] [<ffffffff8146d6f1>] read_extent_buffer_pages+0x1c1/0x350 +[ 145.688501] [<ffffffff8143cd60>] ? free_root_pointers+0x70/0x70 +[ 145.688916] [<ffffffff8143e12c>] btree_read_extent_buffer_pages.constprop.55+0xac/0x110 +[ 145.689474] [<ffffffff8143f036>] read_tree_block+0x36/0x60 +[ 145.689861] [<ffffffff81443b52>] open_ctree+0x17a2/0x2900 +[ 145.690242] [<ffffffff81417225>] btrfs_mount+0xd05/0xe60 +[ 145.690623] [<ffffffff819cd15a>] ? __mutex_unlock_slowpath+0xfa/0x1c0 +[ 145.691064] [<ffffffff810fd3e4>] ? lockdep_init_map+0x64/0x710 +[ 145.691510] [<ffffffff81272918>] mount_fs+0x38/0x170 +[ 145.691852] [<ffffffff81292b7b>] vfs_kern_mount+0x6b/0x150 +[ 145.692227] [<ffffffff814166e6>] btrfs_mount+0x1c6/0xe60 +[ 145.692594] [<ffffffff819cd15a>] ? __mutex_unlock_slowpath+0xfa/0x1c0 +[ 145.693032] [<ffffffff810fd3e4>] ? lockdep_init_map+0x64/0x710 +[ 145.693453] [<ffffffff81272918>] mount_fs+0x38/0x170 +[ 145.693793] [<ffffffff81292b7b>] vfs_kern_mount+0x6b/0x150 +[ 145.694168] [<ffffffff812958c6>] do_mount+0x256/0xeb0 +[ 145.694537] [<ffffffff8124bb33>] ? __kmalloc_track_caller+0x113/0x290 +[ 145.694974] [<ffffffff812b0b63>] ? block_ioctl+0x43/0x50 +[ 145.695338] [<ffffffff811ff023>] ? memdup_user+0x53/0x80 +[ 145.695703] [<ffffffff81296865>] SyS_mount+0x95/0xe0 +[ 145.696046] [<ffffffff819cfd3c>] entry_SYSCALL_64_fastpath+0x1f/0xbd +[ 145.696480] Code: 1f 48 8b 78 58 31 c0 48 8b 14 c7 48 39 d1 72 08 4c 01 c2 48 39 d1 72 15 48 83 c0 01 39 c6 7f e7 41 c7 87 3c 01 00 00 ff ff ff ff <0f> 0b 45 85 f6 41 89 87 3c 01 00 00 75 35 4c 89 e7 e8 e6 02 fb +[ 145.698326] RIP [<ffffffff814c5794>] raid56_parity_recover+0xc4/0x160 +[ 145.698771] RSP <ffff88006fc77868> +[ 145.699047] ---[ end trace 22f39f01df276367 ]--- + +----------------------------------------------------- +Fixed by patch: + diff --git a/tests/fuzz-tests/images/sys-chunk-type-bogus.raw.xz b/tests/fuzz-tests/images/sys-chunk-type-bogus.raw.xz Binary files differnew file mode 100644 index 00000000..ef971ca3 --- /dev/null +++ b/tests/fuzz-tests/images/sys-chunk-type-bogus.raw.xz |