Size overflow in do_readpage fs/btrfs/extent_io.c:2969

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

Size overflow in do_readpage fs/btrfs/extent_io.c:2969

Postby jotik » Fri Oct 07, 2016 7:27 pm

With Gentoo's hardened-sources on an Raspberry Pi 2.

Code: Select all
[ 1088.114360] PAX: size overflow detected in function __do_readpage fs/btrfs/extent_io.c:2969 cicus.1132_525 max, count: 187, decl: submit_extent_page; num: 6; context: fndecl;
[ 1088.123185] CPU: 2 PID: 1617 Comm: patch Not tainted 4.7.3-hardened-v7 #1
[ 1088.123201] Hardware name: BCM2835
[ 1088.123215] Backtrace:
[ 1088.123261] [<8010d6d8>] (dump_backtrace+0x0/0x118) from [<8010d880>] (show_stack+0x18/0x1c)
[ 1088.123274]  r7:600d0013 r6:80b20254 r5:80b03788 r4:00000000
[ 1088.123318] [<8010d868>] (show_stack+0x0/0x1c) from [<80445ecc>] (dump_stack+0xac/0xe0)
[ 1088.123344] [<80445e20>] (dump_stack+0x0/0xe0) from [<80221364>] (report_size_overflow+0x80/0x90)
[ 1088.123355]  r7:8090b5b4 r6:00000b99 r5:8090ade4 r4:80999720
[ 1088.123394] [<802212e4>] (report_size_overflow+0x0/0x90) from [<8036caf0>] (__do_readpage+0xe6c/0xf0c)
[ 1088.123405]  r8:910c7078 r7:00000000 r6:00000000 r5:ffffffff r4:ffffffff
[ 1088.123448] [<8036bc84>] (__do_readpage+0x0/0xf0c) from [<8036d078>] (__extent_readpages.constprop.15+0x3a4/0x3f8)
[ 1088.123459]  r10:9e65e970 r9:bb757ce8 r8:bb757ce0 r7:bb757cdc r6:00000000 r5:bb757cf4
[ 1088.123492]  r4:00000000
[ 1088.123515] [<8036ccd4>] (__extent_readpages.constprop.15+0x0/0x3f8) from [<8036dd04>] (extent_readpages+0x1e0/0x1ec)
[ 1088.123526]  r10:00000001 r9:9e65eb40 r8:bb757d94 r7:00000001 r6:00000001 r5:bdd59694
[ 1088.123559]  r4:bdd596a8
[ 1088.123586] [<8036db24>] (extent_readpages+0x0/0x1ec) from [<8034510c>] (btrfs_readpages+0x28/0x30)
[ 1088.123597]  r10:bdd59694 r9:9e65eb40 r8:00000000 r7:00000001 r6:803450e4 r5:00000001
[ 1088.123630]  r4:00000001
[ 1088.123660] [<803450e4>] (btrfs_readpages+0x0/0x30) from [<801cb76c>] (__do_page_cache_readahead+0x174/0x288)
[ 1088.123684] [<801cb5f8>] (__do_page_cache_readahead+0x0/0x288) from [<801cb990>] (ondemand_readahead+0x110/0x288)
[ 1088.123695]  r10:bd39da80 r9:9e65eb40 r8:00000400 r7:00000000 r6:9e65eb40 r5:00000000
[ 1088.123729]  r4:bd39dac0
[ 1088.123754] [<801cb880>] (ondemand_readahead+0x0/0x288) from [<801cbc6c>] (page_cache_sync_readahead+0x54/0x74)
[ 1088.123765]  r10:9e65eaa0 r9:bd39da80 r8:00000000 r7:00000000 r6:9e65eb40 r5:00000001
[ 1088.123797]  r4:00000000
[ 1088.123826] [<801cbc18>] (page_cache_sync_readahead+0x0/0x74) from [<801be600>] (generic_file_read_iter+0x7d4/0xb10)
[ 1088.123853] [<801bde2c>] (generic_file_read_iter+0x0/0xb10) from [<802176fc>] (__vfs_read+0xe0/0x130)
[ 1088.123864]  r10:00000e76 r9:0bcb40d8 r8:bb757f68 r7:00000000 r6:00000000 r5:bd39da80
[ 1088.123897]  r4:80b03788
[ 1088.123921] [<8021761c>] (__vfs_read+0x0/0x130) from [<802177dc>] (vfs_read+0x90/0x170)
[ 1088.123932]  r9:0bcb40d8 r8:bd39da80 r7:bb757f68 r6:0bcb40d8 r5:bd39da80 r4:00000e76
[ 1088.123979] [<8021774c>] (vfs_read+0x0/0x170) from [<80217d6c>] (sys_read+0x54/0xb4)
[ 1088.123989]  r9:0bcb40d8 r8:bd39da80 r7:00000000 r6:00000000 r5:bd39da80 r4:80b03788
[ 1088.124037] [<80217d18>] (sys_read+0x0/0xb4) from [<80108460>] (ret_fast_syscall+0x0/0x70)
[ 1088.124047]  r10:00000000 r9:bb756000 r8:801086c4 r7:00000003 r6:0b654cf8 r5:00000e76
[ 1088.124080]  r4:00000000
[ 1088.191703] PAX: size overflow detected in function __do_readpage fs/btrfs/extent_io.c:2969 cicus.1132_525 max, count: 187, decl: submit_extent_page; num: 6; context: fndecl;
[ 1088.200678] CPU: 1 PID: 1619 Comm: patch Not tainted 4.7.3-hardened-v7 #1
[ 1088.200692] Hardware name: BCM2835
[ 1088.200704] Backtrace:
[ 1088.200751] [<8010d6d8>] (dump_backtrace+0x0/0x118) from [<8010d880>] (show_stack+0x18/0x1c)
[ 1088.200763]  r7:60070013 r6:80b20254 r5:80b03788 r4:00000000
[ 1088.200807] [<8010d868>] (show_stack+0x0/0x1c) from [<80445ecc>] (dump_stack+0xac/0xe0)
[ 1088.200833] [<80445e20>] (dump_stack+0x0/0xe0) from [<80221364>] (report_size_overflow+0x80/0x90)
[ 1088.200844]  r7:8090b5b4 r6:00000b99 r5:8090ade4 r4:80999720
[ 1088.200884] [<802212e4>] (report_size_overflow+0x0/0x90) from [<8036caf0>] (__do_readpage+0xe6c/0xf0c)
[ 1088.200895]  r8:8ed4c9d8 r7:00000000 r6:00000000 r5:ffffffff r4:ffffffff
[ 1088.200937] [<8036bc84>] (__do_readpage+0x0/0xf0c) from [<8036d078>] (__extent_readpages.constprop.15+0x3a4/0x3f8)
[ 1088.200949]  r10:ac02f1b0 r9:ab71dce8 r8:ab71dce0 r7:ab71dcdc r6:00000000 r5:ab71dcf4
[ 1088.200982]  r4:00000000
[ 1088.201005] [<8036ccd4>] (__extent_readpages.constprop.15+0x0/0x3f8) from [<8036dd04>] (extent_readpages+0x1e0/0x1ec)
[ 1088.201015]  r10:00000001 r9:ac02f380 r8:ab71dd94 r7:00000001 r6:00000001 r5:bdf84340
[ 1088.201049]  r4:bdf84354
[ 1088.201074] [<8036db24>] (extent_readpages+0x0/0x1ec) from [<8034510c>] (btrfs_readpages+0x28/0x30)
[ 1088.201085]  r10:bdf84340 r9:ac02f380 r8:00000000 r7:00000001 r6:803450e4 r5:00000001
[ 1088.201118]  r4:00000001
[ 1088.201146] [<803450e4>] (btrfs_readpages+0x0/0x30) from [<801cb76c>] (__do_page_cache_readahead+0x174/0x288)
[ 1088.201169] [<801cb5f8>] (__do_page_cache_readahead+0x0/0x288) from [<801cb990>] (ondemand_readahead+0x110/0x288)
[ 1088.201180]  r10:bc946540 r9:ac02f380 r8:00000400 r7:00000000 r6:ac02f380 r5:00000000
[ 1088.201214]  r4:bc946580
[ 1088.201240] [<801cb880>] (ondemand_readahead+0x0/0x288) from [<801cbc6c>] (page_cache_sync_readahead+0x54/0x74)
[ 1088.201251]  r10:ac02f2e0 r9:bc946540 r8:00000000 r7:00000000 r6:ac02f380 r5:00000001
[ 1088.201284]  r4:00000000
[ 1088.201311] [<801cbc18>] (page_cache_sync_readahead+0x0/0x74) from [<801be600>] (generic_file_read_iter+0x7d4/0xb10)
[ 1088.201337] [<801bde2c>] (generic_file_read_iter+0x0/0xb10) from [<802176fc>] (__vfs_read+0xe0/0x130)
[ 1088.201348]  r10:000008d4 r9:04fdb438 r8:ab71df68 r7:00000000 r6:00000000 r5:bc946540
[ 1088.201381]  r4:80b03788
[ 1088.201405] [<8021761c>] (__vfs_read+0x0/0x130) from [<802177dc>] (vfs_read+0x90/0x170)
[ 1088.201416]  r9:04fdb438 r8:bc946540 r7:ab71df68 r6:04fdb438 r5:bc946540 r4:000008d4
[ 1088.201462] [<8021774c>] (vfs_read+0x0/0x170) from [<80217d6c>] (sys_read+0x54/0xb4)
[ 1088.201473]  r9:04fdb438 r8:bc946540 r7:00000000 r6:00000000 r5:bc946540 r4:80b03788
[ 1088.201521] [<80217d18>] (sys_read+0x0/0xb4) from [<80108460>] (ret_fast_syscall+0x0/0x70)
[ 1088.201532]  r10:00000000 r9:ab71c000 r8:801086c4 r7:00000003 r6:01fc7cf8 r5:000008d4
[ 1088.201565]  r4:00000000
[ 1088.259822] PAX: size overflow detected in function __do_readpage fs/btrfs/extent_io.c:2969 cicus.1132_525 max, count: 187, decl: submit_extent_page; num: 6; context: fndecl;
[ 1088.268712] CPU: 2 PID: 1622 Comm: patch Not tainted 4.7.3-hardened-v7 #1
[ 1088.268727] Hardware name: BCM2835
[ 1088.268740] Backtrace:
[ 1088.268786] [<8010d6d8>] (dump_backtrace+0x0/0x118) from [<8010d880>] (show_stack+0x18/0x1c)
[ 1088.268799]  r7:60070013 r6:80b20254 r5:80b03788 r4:00000000
[ 1088.268844] [<8010d868>] (show_stack+0x0/0x1c) from [<80445ecc>] (dump_stack+0xac/0xe0)
[ 1088.268870] [<80445e20>] (dump_stack+0x0/0xe0) from [<80221364>] (report_size_overflow+0x80/0x90)
[ 1088.268881]  r7:8090b5b4 r6:00000b99 r5:8090ade4 r4:80999720
[ 1088.268921] [<802212e4>] (report_size_overflow+0x0/0x90) from [<8036caf0>] (__do_readpage+0xe6c/0xf0c)
[ 1088.268932]  r8:910c7ac8 r7:00000000 r6:00000000 r5:ffffffff r4:ffffffff
[ 1088.268974] [<8036bc84>] (__do_readpage+0x0/0xf0c) from [<8036d078>] (__extent_readpages.constprop.15+0x3a4/0x3f8)
[ 1088.268986]  r10:a88cc870 r9:bb757ce8 r8:bb757ce0 r7:bb757cdc r6:00000000 r5:bb757cf4
[ 1088.269019]  r4:00000000
[ 1088.269042] [<8036ccd4>] (__extent_readpages.constprop.15+0x0/0x3f8) from [<8036dd04>] (extent_readpages+0x1e0/0x1ec)
[ 1088.269052]  r10:00000001 r9:a88cca40 r8:bb757d94 r7:00000001 r6:00000001 r5:bdcef5a8
[ 1088.269085]  r4:bdcef5bc
[ 1088.269113] [<8036db24>] (extent_readpages+0x0/0x1ec) from [<8034510c>] (btrfs_readpages+0x28/0x30)
[ 1088.269124]  r10:bdcef5a8 r9:a88cca40 r8:00000000 r7:00000001 r6:803450e4 r5:00000001
[ 1088.269156]  r4:00000001
[ 1088.269186] [<803450e4>] (btrfs_readpages+0x0/0x30) from [<801cb76c>] (__do_page_cache_readahead+0x174/0x288)
[ 1088.269210] [<801cb5f8>] (__do_page_cache_readahead+0x0/0x288) from [<801cb990>] (ondemand_readahead+0x110/0x288)
[ 1088.269221]  r10:9c8c7a80 r9:a88cca40 r8:00000400 r7:00000000 r6:a88cca40 r5:00000000
[ 1088.269254]  r4:9c8c7ac0
[ 1088.269279] [<801cb880>] (ondemand_readahead+0x0/0x288) from [<801cbc6c>] (page_cache_sync_readahead+0x54/0x74)
[ 1088.269290]  r10:a88cc9a0 r9:9c8c7a80 r8:00000000 r7:00000000 r6:a88cca40 r5:00000001
[ 1088.269323]  r4:00000000
[ 1088.269352] [<801cbc18>] (page_cache_sync_readahead+0x0/0x74) from [<801be600>] (generic_file_read_iter+0x7d4/0xb10)
[ 1088.269379] [<801bde2c>] (generic_file_read_iter+0x0/0xb10) from [<802176fc>] (__vfs_read+0xe0/0x130)
[ 1088.269390]  r10:000002d4 r9:047dcb28 r8:bb757f68 r7:00000000 r6:00000000 r5:9c8c7a80
[ 1088.269423]  r4:80b03788
[ 1088.269447] [<8021761c>] (__vfs_read+0x0/0x130) from [<802177dc>] (vfs_read+0x90/0x170)
[ 1088.269458]  r9:047dcb28 r8:9c8c7a80 r7:bb757f68 r6:047dcb28 r5:9c8c7a80 r4:000002d4
[ 1088.269504] [<8021774c>] (vfs_read+0x0/0x170) from [<80217d6c>] (sys_read+0x54/0xb4)
[ 1088.269515]  r9:047dcb28 r8:9c8c7a80 r7:00000000 r6:00000000 r5:9c8c7a80 r4:80b03788
[ 1088.269562] [<80217d18>] (sys_read+0x0/0xb4) from [<80108460>] (ret_fast_syscall+0x0/0x70)
[ 1088.269573]  r10:00000000 r9:bb756000 r8:801086c4 r7:00000003 r6:03beecf8 r5:000002d4
[ 1088.269606]  r4:00000000
[ 1088.851707] PAX: size overflow detected in function __do_readpage fs/btrfs/extent_io.c:2969 cicus.1132_525 max, count: 187, decl: submit_extent_page; num: 6; context: fndecl;
[ 1088.860584] CPU: 3 PID: 1624 Comm: patch Not tainted 4.7.3-hardened-v7 #1
[ 1088.860603] Hardware name: BCM2835
[ 1088.860616] Backtrace:
[ 1088.860663] [<8010d6d8>] (dump_backtrace+0x0/0x118) from [<8010d880>] (show_stack+0x18/0x1c)
[ 1088.860676]  r7:60070013 r6:80b20254 r5:80b03788 r4:00000000
[ 1088.860720] [<8010d868>] (show_stack+0x0/0x1c) from [<80445ecc>] (dump_stack+0xac/0xe0)
[ 1088.860746] [<80445e20>] (dump_stack+0x0/0xe0) from [<80221364>] (report_size_overflow+0x80/0x90)
[ 1088.860757]  r7:8090b5b4 r6:00000b99 r5:8090ade4 r4:80999720
[ 1088.860797] [<802212e4>] (report_size_overflow+0x0/0x90) from [<8036caf0>] (__do_readpage+0xe6c/0xf0c)
[ 1088.860808]  r8:8ff9a078 r7:00000000 r6:00000000 r5:ffffffff r4:ffffffff
[ 1088.860851] [<8036bc84>] (__do_readpage+0x0/0xf0c) from [<8036d078>] (__extent_readpages.constprop.15+0x3a4/0x3f8)
[ 1088.860862]  r10:b28ff470 r9:8c337ce8 r8:8c337ce0 r7:8c337cdc r6:00000000 r5:8c337cf4
[ 1088.860895]  r4:00000000
[ 1088.860918] [<8036ccd4>] (__extent_readpages.constprop.15+0x0/0x3f8) from [<8036dd04>] (extent_readpages+0x1e0/0x1ec)
[ 1088.860929]  r10:00000001 r9:b28ff640 r8:8c337d94 r7:00000001 r6:00000001 r5:bd906f70
[ 1088.860962]  r4:bd906f84
[ 1088.860988] [<8036db24>] (extent_readpages+0x0/0x1ec) from [<8034510c>] (btrfs_readpages+0x28/0x30)
[ 1088.860999]  r10:bd906f70 r9:b28ff640 r8:00000000 r7:00000001 r6:803450e4 r5:00000001
[ 1088.861032]  r4:00000001
[ 1088.861060] [<803450e4>] (btrfs_readpages+0x0/0x30) from [<801cb76c>] (__do_page_cache_readahead+0x174/0x288)
[ 1088.861084] [<801cb5f8>] (__do_page_cache_readahead+0x0/0x288) from [<801cb990>] (ondemand_readahead+0x110/0x288)
[ 1088.861095]  r10:9de47840 r9:b28ff640 r8:00000400 r7:00000000 r6:b28ff640 r5:00000000
[ 1088.861129]  r4:9de47880
[ 1088.861155] [<801cb880>] (ondemand_readahead+0x0/0x288) from [<801cbc6c>] (page_cache_sync_readahead+0x54/0x74)
[ 1088.861166]  r10:b28ff5a0 r9:9de47840 r8:00000000 r7:00000000 r6:b28ff640 r5:00000001
[ 1088.861199]  r4:00000000
[ 1088.861228] [<801cbc18>] (page_cache_sync_readahead+0x0/0x74) from [<801be600>] (generic_file_read_iter+0x7d4/0xb10)
[ 1088.861255] [<801bde2c>] (generic_file_read_iter+0x0/0xb10) from [<802176fc>] (__vfs_read+0xe0/0x130)
[ 1088.861268]  r10:00000450 r9:0af10688 r8:8c337f68 r7:00000000 r6:00000000 r5:9de47840
[ 1088.861302]  r4:80b03788
[ 1088.861327] [<8021761c>] (__vfs_read+0x0/0x130) from [<802177dc>] (vfs_read+0x90/0x170)
[ 1088.861338]  r9:0af10688 r8:9de47840 r7:8c337f68 r6:0af10688 r5:9de47840 r4:00000450
[ 1088.861390] [<8021774c>] (vfs_read+0x0/0x170) from [<80217d6c>] (sys_read+0x54/0xb4)
[ 1088.861401]  r9:0af10688 r8:9de47840 r7:00000000 r6:00000000 r5:9de47840 r4:80b03788
[ 1088.861450] [<80217d18>] (sys_read+0x0/0xb4) from [<80108460>] (ret_fast_syscall+0x0/0x70)
[ 1088.861461]  r10:00000000 r9:8c336000 r8:801086c4 r7:00000003 r6:085e3cf8 r5:00000450
[ 1088.861496]  r4:00000000
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

Re: Size overflow in do_readpage fs/btrfs/extent_io.c:2969

Postby ephox » Sat Oct 08, 2016 8:36 am

Hi,
Could you please apply this patch and send me the results?
Code: Select all
--- fs/btrfs/extent_io.c.orig   2016-10-08 14:32:54.284212097 +0200
+++ fs/btrfs/extent_io.c        2016-10-08 14:34:21.830649082 +0200
@@ -2966,6 +2966,7 @@
                cur_end = min(extent_map_end(em) - 1, end);
                iosize = ALIGN(iosize, blocksize);
                if (this_bio_flag & EXTENT_BIO_COMPRESSED) {
+                       printk(KERN_ERR "PAX block_len: %llx\n", em->block_len);
                        disk_io_size = em->block_len;
                        sector = em->block_start >> 9;
                } else {
ephox
 
Posts: 134
Joined: Tue Mar 20, 2012 4:36 pm

Re: Size overflow in do_readpage fs/btrfs/extent_io.c:2969

Postby jotik » Sat Oct 08, 2016 11:46 am

I moved away from btrfs, and I don't know how to reproduce this, so think I'll have to skip debugging this issue. Embedded platforms are slow (Gentoo), and I don't have the resources to look into this at the moment. Sorry!
jotik
 
Posts: 22
Joined: Mon Oct 19, 2015 5:11 am

Re: Size overflow in do_readpage fs/btrfs/extent_io.c:2969

Postby PaX Team » Wed Oct 12, 2016 5:42 pm

i think this is another case where sometimes extent_map.block_len is set to (u64)-1 on purpose that probably isn't supposed to reach this code at all, so there has to be some higher level logical bug in btrfs. if anyone finds this report in the future, feel free to help us and the btrfs developers figure it out.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support

cron