1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
URL: https://bugzilla.kernel.org/show_bug.cgi?id=156741
Lukas Lueg 2016-09-13 19:56:16 UTC
More news from the fuzzer. The attached image causes btrfsck to
buffer-overflow. Using btrfs-progs v4.7-42-g56e9586, compiled with ASAN
(doesn't crash without).
==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978
READ of size 1 at 0x621000017980 thread T0
#0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1
#1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10
#2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8
#3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8
#4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
#5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
#6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
cat crashing_images/id:000073,sig:11,src:000504+000275,op:splice,rep:4.log
parent transid verify failed on 1122304 wanted 3472328296227680304 found 1
parent transid verify failed on 1122304 wanted 3472328296227680304 found 1
Ignoring transid failure
Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
ref mismatch on [131072 4096] extent item 0, found 1
Backref 131072 parent 3 root 3 not found in extent tree
backpointer mismatch on [131072 4096]
ref mismatch on [1118208 4096] extent item 1, found 0
Backref 1118208 root 1 not referenced back 0x60300000ee00
Incorrect global backref count on 1118208 found 1 wanted 0
backpointer mismatch on [1118208 4096]
owner ref check failed [1118208 4096]
ref mismatch on [1126400 4096] extent item 1, found 0
Backref 1126400 root 3 not referenced back 0x60300000edd0
Incorrect global backref count on 1126400 found 1 wanted 0
backpointer mismatch on [1126400 4096]
owner ref check failed [1126400 4096]
ref mismatch on [1130496 4096] extent item 1, found 0
Backref 1130496 root 4 not referenced back 0x60300000eda0
Incorrect global backref count on 1130496 found 1 wanted 0
backpointer mismatch on [1130496 4096]
owner ref check failed [1130496 4096]
ref mismatch on [1134592 4096] extent item 1, found 0
Backref 1134592 root 5 not referenced back 0x60300000ed70
Incorrect global backref count on 1134592 found 1 wanted 0
backpointer mismatch on [1134592 4096]
owner ref check failed [1134592 4096]
ref mismatch on [1138688 4096] extent item 1, found 0
Backref 1138688 root 7 not referenced back 0x60300000ed40
Incorrect global backref count on 1138688 found 1 wanted 0
backpointer mismatch on [1138688 4096]
owner ref check failed [1138688 4096]
ref mismatch on [4194304 4096] extent item 0, found 1
Backref 4194304 parent 5 root 5 not found in extent tree
backpointer mismatch on [4194304 4096]
ref mismatch on [4198400 4096] extent item 0, found 1
Backref 4198400 parent 1 root 1 not found in extent tree
backpointer mismatch on [4198400 4096]
ref mismatch on [4227072 4096] extent item 0, found 1
Backref 4227072 parent 4 root 4 not found in extent tree
backpointer mismatch on [4227072 4096]
ref mismatch on [4231168 4096] extent item 0, found 1
Backref 4231168 parent 7 root 7 not found in extent tree
backpointer mismatch on [4231168 4096]
ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
Backref 3472328296227680304 root 1 owner 6 offset 0 num_refs 0 not found in extent tree
Incorrect local backref count on 3472328296227680304 root 1 owner 6 offset 0 found 1 wanted 0 back 0x60700000dca0
backpointer mismatch on [3472328296227680304 3472328296227680304]
=================================================================
==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978
READ of size 1 at 0x621000017980 thread T0
#0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1
#1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10
#2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8
#3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8
#4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
#5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
#6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
0x621000017980 is located 0 bytes to the right of 4224-byte region [0x621000016900,0x621000017980)
allocated by thread T0 here:
#0 0x4bfca0 in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
#1 0x5c16ca in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7
#2 0x5c1b26 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8
#3 0x58de0c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9
#4 0x58e880 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7
#5 0x5918a2 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
#6 0x591712 in find_and_setup_root /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:647:15
#7 0x593243 in setup_root_or_create_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:966:8
#8 0x592850 in btrfs_setup_all_roots /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1031:8
#9 0x5948fe in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
#10 0x5942b5 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
#11 0x51dff2 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
#12 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
#13 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1 in btrfs_extent_inline_ref_type
Shadow bytes around the buggy address:
0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffaf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23161==ABORTING
|
