From: rtm@csail.mit.edu
To: almaz.alexandrovich@paragon-software.com
Cc: ntfs3@lists.linux.dev
Subject: buffer overrun in fs/ntfs3 log_replay() if log restart area is corrupt
Date: Fri, 19 Jan 2024 09:27:22 -0500
Message-ID: <25861.1705674442@localhost>
The attached NTFS image has a corrupt log, one of whose restart areas
results in ra2->client_off being 24 rather than the expected 64. As a
result, this memcpy() in log_replay() writes off the end of the space
allocated for ra:
	memcpy(ra->clients, Add2Ptr(ra2, t16),
	       le16_to_cpu(ra2->ra_len) - t16);
The space allocated for ra is log->restart_size=200; t16 is 24 (not 64,
the offset of ra->clients[]); ra2->ra_len is 200; so 200-24=176 bytes
are copied to &ra->clients=ra+64, even though there are only 200-64=136
bytes there.
# uname -a
Linux ubuntu66 6.7.0-11091-g296455ade1fd #4 SMP PREEMPT_DYNAMIC Thu Jan 18 11:25:51 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
# gunzip ntfs29a.img.gz
# mount -t ntfs3 -o loop,rw ntfs29a.img /mnt
ntfs3: loop0: $LogFile version 2.-1 is not supported
=============================================================================
BUG kmalloc-256 (Not tainted): kmalloc Redzone overwritten
-----------------------------------------------------------------------------
0xffff92c944c544c8-0xffff92c944c544ef @offset=1224. First byte 0xff instead of 0xcc
Allocated in log_replay+0xa81/0x4100 age=0 cpu=9 pid=13117
log_replay+0xa81/0x4100
ntfs_loadlog_and_replay+0x196/0x1c0
ntfs_fill_super+0xb09/0x17a0
get_tree_bdev+0x12f/0x1c0
vfs_get_tree+0x24/0xe0
path_mount+0x2df/0xab0
__x64_sys_mount+0x106/0x140
do_syscall_64+0x56/0x120
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Freed in kvfree_rcu_bulk+0x18e/0x200 age=3625 cpu=4 pid=192
kvfree_rcu_bulk+0x18e/0x200
kfree_rcu_monitor+0x138/0x450
process_one_work+0x134/0x2f0
worker_thread+0x2ef/0x400
kthread+0xe1/0x110
ret_from_fork+0x2f/0x50
ret_from_fork_asm+0x1b/0x30
Slab 0xffffe9cac4131500 objects=21 used=18 fp=0xffff92c944c56800 flags=0x200000000000a40(workingset|slab|head|node=0|zone=2)
Object 0xffff92c944c54400 @offset=1024 fp=0xffff92c944c56800
Redzone ffff92c944c54300: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54310: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54320: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54330: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54340: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54350: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54360: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54370: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54380: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54390: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c543a0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c543b0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c543c0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c543d0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c543e0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c543f0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Object ffff92c944c54400: ff ff ff ff ff ff ff ff 01 00 ff ff 00 00 ff ff ................
Object ffff92c944c54410: f1 ff ff ff a0 00 40 00 00 00 04 00 00 00 00 00 ......@.........
Object ffff92c944c54420: ff ff ff ff f8 ff f8 ff a4 2d d8 56 ff ff ff ff .........-.V....
Object ffff92c944c54430: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54440: 00 00 04 00 00 00 00 00 ff ff ff ff f8 ff f8 ff ................
Object ffff92c944c54450: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54460: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54470: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54490: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544f0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54500: cc cc cc cc cc cc cc cc ........
Padding ffff92c944c54554: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c54564: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c54574: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c54584: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c54594: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c545a4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c545b4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c545c4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c545d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c545e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding ffff92c944c545f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
CPU: 9 PID: 13117 Comm: mount Not tainted 6.7.0-11091-g296455ade1fd #4
Hardware name: FreeBSD BHYVE/BHYVE, BIOS 13.0 11/10/2020
Call Trace:
<TASK>
dump_stack_lvl+0x37/0x50
check_bytes_and_report+0xd8/0x150
check_object+0x329/0x340
free_to_partial_list+0x1d1/0x520
? log_replay+0x1af/0x4100
log_replay+0x1af/0x4100
? inode_init_once+0xf0/0x100
ntfs_loadlog_and_replay+0x196/0x1c0
ntfs_fill_super+0xb09/0x17a0
? __pfx_ntfs_fill_super+0x10/0x10
get_tree_bdev+0x12f/0x1c0
vfs_get_tree+0x24/0xe0
path_mount+0x2df/0xab0
__x64_sys_mount+0x106/0x140
do_syscall_64+0x56/0x120
entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7fe8c95e6b0e
Code: 48 8b 0d 25 23 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f2 22 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffcd2662a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe8c95e6b0e
RDX: 000055c57d935370 RSI: 000055c57d935980 RDI: 000055c57d93acc0
RBP: 000055c57d935750 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000055c57d935370 R14: 000055c57d93acc0 R15: 000055c57d935750
</TASK>
Disabling lock debugging due to kernel taint
FIX kmalloc-256: Restoring kmalloc Redzone 0xffff92c944c544c8-0xffff92c944c544ef=0xcc
FIX kmalloc-256: Object at 0xffff92c944c54400 not freed
ntfs3: loop0: Mark volume as dirty due to NTFS errors
ntfs3: loop0: failed to replay log file. Can't mount rw!
Robert Morris
rtm@csail.mit.edu
[-- Attachment #2: ntfs29a.img.gz --]
[-- Type: application/octet-stream, Size: 124416 bytes --]
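The arithmetic in the report, turned into the check a reviewer would want in front of that memcpy(). This is an added example, not code from the report, from fs/ntfs3, or a proposed patch: the offset of clients[] (64) and the sizes (restart_size 200, ra_len 200, client_off 24 vs 64) are the values stated above, while the function names, the enum, and the constructed fixture buffers are hypothetical. Field decoding is not modelled; the functions take the already host-order values of ra2->ra_len and ra2->client_off.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of clients[] inside the in-memory restart area, as stated in the
 * report (&ra->clients == ra + 64). Assumed constant for this example. */
#define RA_CLIENTS_OFF 64u

enum ra_check {
	RA_OK = 0,
	RA_CLIENT_OFF_TOO_SMALL, /* client_off below clients[]: the case in the report */
	RA_RA_LEN_TOO_SMALL,     /* ra_len < client_off: copy length underflows */
	RA_COPY_TOO_LONG,        /* ra_len - client_off exceeds space after clients[] */
};

/*
 * Validate the on-disk values before copying clients. ra_len and client_off
 * are the host-order ra2->ra_len / ra2->client_off; restart_size is the
 * allocation size of ra (log->restart_size in the report).
 */
static enum ra_check check_client_copy(uint16_t ra_len, uint16_t client_off,
				       size_t restart_size)
{
	size_t avail;

	if (client_off < RA_CLIENTS_OFF)
		return RA_CLIENT_OFF_TOO_SMALL;
	if (ra_len < client_off)
		return RA_RA_LEN_TOO_SMALL;
	if (restart_size < RA_CLIENTS_OFF)
		return RA_COPY_TOO_LONG;
	avail = restart_size - RA_CLIENTS_OFF;
	if ((size_t)(ra_len - client_off) > avail)
		return RA_COPY_TOO_LONG;
	return RA_OK;
}

/* Number of bytes the copy may move, or -1 if the restart area is rejected. */
static long client_copy_len(uint16_t ra_len, uint16_t client_off,
			    size_t restart_size)
{
	if (check_client_copy(ra_len, client_off, restart_size) != RA_OK)
		return -1;
	return (long)(ra_len - client_off);
}

/*
 * Bytes the unchecked memcpy() in the report writes past the end of ra
 * (0 when it fits). Same arithmetic as the report: ra_len - client_off
 * bytes land at ra + 64 in a restart_size-byte buffer. Assumes
 * restart_size >= RA_CLIENTS_OFF, as in the report.
 */
static size_t unchecked_overrun(uint16_t ra_len, uint16_t client_off,
				size_t restart_size)
{
	size_t n = (size_t)ra_len - client_off;
	size_t avail = restart_size - RA_CLIENTS_OFF;

	return n > avail ? n - avail : 0;
}

/*
 * Checked replacement for the copy. Bounds both sides: the destination via
 * client_copy_len() and the source by requiring ra_len to fit in ra2.
 * Returns bytes copied, or -1 with ra left untouched.
 */
static long copy_clients_checked(uint8_t *ra, size_t restart_size,
				 const uint8_t *ra2, size_t ra2_size,
				 uint16_t ra_len, uint16_t client_off)
{
	long n = client_copy_len(ra_len, client_off, restart_size);

	if (n < 0 || ra_len > ra2_size)
		return -1;
	memcpy(ra + RA_CLIENTS_OFF, ra2 + client_off, (size_t)n);
	return n;
}

/*
 * Constructed fixture mirroring the report: a 200-byte ra2 with ra_len 200
 * and the given client_off, copied into a 200-byte ra. The 0xff payload
 * matches what the slab dump shows spilling into the redzone.
 */
static long replay_fixture(uint16_t client_off)
{
	uint8_t ra[200] = {0};
	uint8_t ra2[200];

	memset(ra2, 0xff, sizeof ra2);
	return copy_clients_checked(ra, sizeof ra, ra2, sizeof ra2, 200, client_off);
}

int main(void)
{
	printf("report case (client_off=24): unchecked overrun %zu bytes, checked copy -> %ld\n",
	       unchecked_overrun(200, 24, 200), replay_fixture(24));
	printf("well-formed (client_off=64): unchecked overrun %zu bytes, checked copy -> %ld\n",
	       unchecked_overrun(200, 64, 200), replay_fixture(64));
	return 0;
}
```

With the report's values the unchecked arithmetic overruns ra by 40 bytes (176 copied into 136 available), which is what the redzone report at offset 0xc8..0xef of the 256-byte slab object reflects; the same input is rejected by check_client_copy() before any byte moves. The source-side bound (ra_len against the size of ra2) is included because a corrupt ra_len can also drive an over-read of the restart page, not only an over-write of ra.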