Gentoo Archives: gentoo-hardened

From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] btrfs size overflow bug since 4.2.6-hardened-r6
Date: Thu, 03 Mar 2016 18:14:15
Message-Id: f2f9d310c88d1a58deca9a8960345941.squirrel@atoth.sote.hu
In Reply to: [gentoo-hardened] btrfs size overflow bug since 4.2.6-hardened-r6 by ingo.schmitt@binarysignals.net
I've experienced this bug, but I can no longer reproduce it using recent
kernels (4.3.5-hardened-r2 or 4.4.2-hardened).

BTW, this is the patch you are looking for:
diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c
index 6a98bdd..fed3da6 100644
--- a/fs/btrfs/extent_map.c
+++ b/fs/btrfs/extent_map.c
@@ -235,7 +235,9 @@ static void try_merge_map(struct extent_map_tree
*tree, struct extent_map *em)
em->start = merge->start;
em->orig_start = merge->orig_start;
em->len += merge->len;
- em->block_len += merge->block_len;
+ if (em->block_start != EXTENT_MAP_HOLE &&
+ em->block_start != EXTENT_MAP_INLINE)
+ em->block_len += merge->block_len;
em->block_start = merge->block_start;
em->mod_len = (em->mod_len + em->mod_start) -
merge->mod_start;
em->mod_start = merge->mod_start;
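Review bot: the new guard tests em->block_start, but the very next line `em->block_start = merge->block_start;` overwrites it, so whether block_len is summed is decided by em's kind alone; that is only correct if mergable_maps() already guarantees em and merge are the same kind (hole with hole, inline with inline), and that invariant is not visible in this hunk, so add a one-line comment stating it and why the block_len of a hole or inline map must not be added. EXTENT_MAP_DELALLOC is not excluded by the condition; if a delalloc map also carries a placeholder block_len, the same size overflow the PaX plugin reported would survive there, so the patch description should say why only HOLE and INLINE need the check.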
@@ -252,7 +254,9 @@ static void try_merge_map(struct extent_map_tree
*tree, struct extent_map *em)
merge = rb_entry(rb, struct extent_map, rb_node);
if (rb && mergable_maps(em, merge)) {
em->len += merge->len;
- em->block_len += merge->block_len;
+ if (em->block_start != EXTENT_MAP_HOLE &&
+ em->block_start != EXTENT_MAP_INLINE)
+ em->block_len += merge->block_len;
rb_erase(&merge->rb_node, &tree->map);
RB_CLEAR_NODE(&merge->rb_node);
em->mod_len = (merge->mod_start + merge->mod_len) -
em->mod_start;
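Review bot: this hunk repeats the three-line condition from the first hunk verbatim; factor it into a small static helper (for example `static bool extent_map_has_block_len(const struct extent_map *em)`) so the two merge directions cannot drift apart when another map kind needs excluding. Here em keeps its block_start, so testing em is straightforward, whereas the first hunk relies on em and merge being the same kind; a shared helper with a comment makes that shared reasoning visible in one place. Note also that `em->len += merge->len;` two lines above stays unchecked, so a wrapped len would still get past the plugin only if len is excluded from instrumentation.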

This patch has recently been included, if I'm correct.

In the meantime: do not enable quota groups, because they cause an error
with hardened kernels.
https://forums.grsecurity.net/viewtopic.php?f=3&t=4392

BR: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2016 March 3 (Thu) 17:44, ingo.schmitt@×××××××××××××.net wrote:
> I'm still facing a bug with btrfs that
> has occurred since 4.2.6-hardened-r6 up to 4.4.2.
>
> A similar bug has been patched already:
> https://patchwork.kernel.org/patch/7582351/
>
> Is someone able to reproduce this?
>
> Thx!
>
> My config:
>
> https://binarysignals.net/pub/linux-4.2.6-hardened-r5.config
> https://binarysignals.net/pub/emerge--info_e10.txt
>
> dmesg:
>
> Feb 20 17:21:22 e10 kernel: PAX: size overflow detected in function btrfs_extent_item_to_extent_map fs/btrfs/file-item.c:913 cicus.463_134 min, count: 150, decl: orig_start; num: 0; context: extent_map;
> Feb 20 17:21:22 e10 kernel: CPU: 0 PID: 4709 Comm: evolution-addre Not tainted 4.4.2-hardened #1
> Feb 20 17:21:22 e10 kernel: Hardware name: Dell Inc. Latitude E4200 /0XRV1H, BIOS A24 06/04/2013
> Feb 20 17:21:22 e10 kernel: ffff880100000002 c3eced83898a9252 0000000000000000 0000000000000391
> Feb 20 17:21:22 e10 kernel: ffffc90005893630 ffffffffa26152bb ffffffffa9124d70 c3eced83898a9252
> Feb 20 17:21:22 e10 kernel: ffffffffa9124d70 ffffc90005893660 ffffffffa2241e6e ffff8800baa0d2f8
> Feb 20 17:21:22 e10 kernel: Call Trace:
> Feb 20 17:21:22 e10 kernel: [<ffffffffa26152bb>] dump_stack+0x57/0x8c
> Feb 20 17:21:22 e10 kernel: [<ffffffffa2241e6e>] report_size_overflow+0x6e/0x80
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24c2f68>] btrfs_extent_item_to_extent_map+0x458/0x490
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24d4a86>] btrfs_get_extent+0xbe6/0xdb0
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24f9291>] ? submit_extent_page+0x101/0x250
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24fa305>] __do_readpage+0x2b5/0xe50
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24fbcf0>] ? btrfs_create_repair_bio+0x1a0/0x1a0
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24d3ea0>] ? btrfs_direct_IO+0x530/0x530
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24fb3d0>] __extent_readpages.constprop.44+0x310/0x350
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24d3ea0>] ? btrfs_direct_IO+0x530/0x530
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24fd1e4>] extent_readpages+0x1e4/0x1f0
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24d3ea0>] ? btrfs_direct_IO+0x530/0x530
> Feb 20 17:21:22 e10 kernel: [<ffffffffa2212cd9>] ? alloc_pages_current+0x89/0x110
> Feb 20 17:21:22 e10 kernel: [<ffffffffa24d1df2>] btrfs_readpages+0x32/0x40
> Feb 20 17:21:22 e10 kernel: [<ffffffffa21d18b1>] __do_page_cache_readahead+0x1d1/0x250
> Feb 20 17:21:22 e10 kernel: [<ffffffffa21d1a11>] ondemand_readahead+0xe1/0x2e0
> Feb 20 17:21:22 e10 kernel: [<ffffffffa21d1dc6>] page_cache_sync_readahead+0x46/0x70
> Feb 20 17:21:22 e10 kernel: [<ffffffffa21c4e43>] generic_file_read_iter+0x633/0x7c0
> Feb 20 17:21:22 e10 kernel: [<ffffffffa223926b>] __vfs_read+0x10b/0x140
> Feb 20 17:21:22 e10 kernel: [<ffffffffa2239e83>] vfs_read+0xc3/0x240
> Feb 20 17:21:22 e10 kernel: [<ffffffffa225e8cd>] ? __fget_light+0x2d/0x70
> Feb 20 17:21:22 e10 kernel: [<ffffffffa223b453>] SyS_pread64+0xa3/0xc0
> Feb 20 17:21:22 e10 kernel: [<ffffffffa2d4a999>] entry_SYSCALL_64_fastpath+0x12/0x83
> Feb 20 17:21:22 e10 kernel: ------------[ cut here ]------------
>
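As an added example (not code from Tóth Attila's post, the quoted patch, or the btrfs tree), here is a small C model of the block_len summation that try_merge_map() performs, with the unsigned-add overflow check made explicit in the way the PaX size_overflow plugin performs it at run time before printing "size overflow detected". The sentinel values EXTENT_MAP_HOLE, EXTENT_MAP_INLINE and NO_BLOCK_LEN, the simplified mergable_maps(), and the two demo inputs are assumptions of this model and not the kernel's definitions; the point it shows is that summing the placeholder block_len of two hole maps wraps a u64, and that the guard from the patch skips exactly that sum while leaving real data extents unaffected.

```c
/*
 * Added example, not code from the post, the patch or the btrfs tree.
 * Models the block_len summation in try_merge_map() with the overflow
 * check made explicit (what the PaX size_overflow plugin does at run
 * time before it prints "size overflow detected").
 * Build: cc -O2 -Wall -o merge_model merge_model.c
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sentinels for this model: distinct magic block_start values
 * for holes and inline data (the kernel's real constants are not shown
 * on the page). */
#define EXTENT_MAP_HOLE   ((uint64_t)-3)
#define EXTENT_MAP_INLINE ((uint64_t)-2)
/* Assumption of this model: hole/inline maps carry a placeholder
 * block_len of all ones, so adding two of them wraps. */
#define NO_BLOCK_LEN      UINT64_MAX

struct extent_map {
    uint64_t start;        /* file offset */
    uint64_t len;          /* length in the file */
    uint64_t block_start;  /* on-disk start, or a sentinel */
    uint64_t block_len;    /* on-disk length, or NO_BLOCK_LEN */
};

/* Stand-in for report_size_overflow(): report and return false
 * instead of killing the task. */
static bool checked_add_u64(uint64_t a, uint64_t b, uint64_t *out,
                            const char *decl)
{
    if (__builtin_add_overflow(a, b, out)) {
        fprintf(stderr, "size overflow detected: decl: %s; "
                "%" PRIu64 " + %" PRIu64 "\n", decl, a, b);
        return false;
    }
    return true;
}

/* Simplified mergable_maps(): adjacent in the file and the same kind
 * (hole with hole, inline with inline, or data with contiguous blocks). */
static bool mergable_maps(const struct extent_map *prev,
                          const struct extent_map *next)
{
    uint64_t prev_end;

    if (__builtin_add_overflow(prev->start, prev->len, &prev_end) ||
        prev_end != next->start)
        return false;
    if (prev->block_start == EXTENT_MAP_HOLE ||
        prev->block_start == EXTENT_MAP_INLINE)
        return prev->block_start == next->block_start;
    return next->block_start == prev->block_start + prev->block_len;
}

/* Merge 'next' into 'em'. guarded == false is the pre-patch summation;
 * guarded == true applies the patched condition. Returns false when a
 * sum would overflow. */
static bool merge_maps(struct extent_map *em, const struct extent_map *next,
                       bool guarded)
{
    if (!checked_add_u64(em->len, next->len, &em->len, "len"))
        return false;
    if (!guarded ||
        (em->block_start != EXTENT_MAP_HOLE &&
         em->block_start != EXTENT_MAP_INLINE)) {
        if (!checked_add_u64(em->block_len, next->block_len,
                             &em->block_len, "block_len"))
            return false;
    }
    return true;
}

/* Constructed input: two adjacent 4 KiB holes. Returns false (overflow)
 * unguarded and true with the patched guard. */
bool demo_hole_merge(bool guarded)
{
    struct extent_map a = { 0, 4096, EXTENT_MAP_HOLE, NO_BLOCK_LEN };
    struct extent_map b = { 4096, 4096, EXTENT_MAP_HOLE, NO_BLOCK_LEN };

    return mergable_maps(&a, &b) && merge_maps(&a, &b, guarded);
}

/* Constructed input: two adjacent 4 KiB data extents at 1 MiB on disk.
 * Returns the merged block_len (8192), or 0 if the merge failed. */
uint64_t demo_data_merge(bool guarded)
{
    struct extent_map a = { 0, 4096, 1u << 20, 4096 };
    struct extent_map b = { 4096, 4096, (1u << 20) + 4096, 4096 };

    if (!mergable_maps(&a, &b) || !merge_maps(&a, &b, guarded))
        return 0;
    return a.len == 8192 ? a.block_len : 0;
}

int main(void)
{
    printf("holes, unguarded: %s\n", demo_hole_merge(false) ? "ok" : "overflow");
    printf("holes, guarded:   %s\n", demo_hole_merge(true) ? "ok" : "overflow");
    printf("data, guarded:    block_len=%" PRIu64 "\n", demo_data_merge(true));
    return 0;
}
```

The unguarded hole merge is the case the plugin would kill the task for; the guarded variant skips the meaningless sum and the data-extent merge is identical in both modes, which is the behaviour the patch is meant to preserve.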