Date: Sat, 09 Jan 2016 05:16:32 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-fs@FreeBSD.org Subject: [Bug 206056] [ext2fs][patch][panic] EXT4: mount panic from freeing invalid pointers Message-ID: <bug-206056-3630@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206056 Bug ID: 206056 Summary: [ext2fs][patch][panic] EXT4: mount panic from freeing invalid pointers Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: New Keywords: patch Severity: Affects Some People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: damjan.jov@gmail.com CC: freebsd-fs@FreeBSD.org Keywords: patch Created attachment 165290 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D165290&action= =3Dedit Preventing a panic when pointers from struct ext2mount's um_e2fs are freed On Linux I made a 500MB EXT4 filesystem for testing, and when I tried to mo= unt it in FreeBSD with: mdconfig -a /path/to/filesystem mount -t ext2fs -o ro /dev/md0 /path/to/mountpoint the following error got printed out, followed immediately by a panic: ext2fs: no space for extra inode timestamps Fatal trap 12: page fault while in kernel mode cpuid =3D 0; apicid =3D 00 fault_virtual_address =3D 0x4 fault code =3D supervisor read, page not present instruction pointer =3D 0x20:0xc0b1f1cc stack pointer =3D 0x28:0xcebee898 frame pointer =3D 0x28:0xcebee8c0 code segment =3D base 0x0, limit 0xfffff, type 0x1b =3D DPL 0, pres 1, def32 1, gran 1 processor eflags =3D interrupt enabled, resume, IOPL =3D 0 current process =3D 777 (mount) [ thread pid 777 tid 100065 ] Stopped at free+0x5c: movl 0x4(%eax),%eax db> bt Tracing pid 777 tid 100065 td 0xc4e0c620 free(aa,c54ab298,2a3,2a1,0,...) at free+0x5c/frame 0xcebee8c0 ext2_mount(c4e16a80,c54ab208,c5374380,c4e10800,c4c40a70,...) at ext2_mount+0x1604/frame 0xceebe9e8 vfs_donmount(c4e4c620,1,0,c4c11b00,c4c11b00,...) at vfs_donmount+0xdc6/frame 0xceebebf0 sys_nmount(c4e0c620,ceebeca8,c506890c,c4e0c620,c506890c,...) at sys_nmount+0x78/frame 0xceebec18 syscall(ceebece8) at syscall+0x4a6/frame 0xceebecdc Xint0x80_syscall() at Xint0x80_syscall+0x21/frame 0xceebecdc --- syscall (378, FreeBSD ELF32, sys_nmount), eip =3D 0x280e013b, esp =3D 0xbfbfdd20, ebp =3D 0xbfbfe278 The "ext2fs: no space for extra inode timestamps" message comes from compute_sb_data() in ext2_vfsops.c, which returns EINVAL after printing it, never reaching the subsequent lines that initialize fs->e2fs_gd and fs->e2fs_contigdirs. When ext2_mountfs() calls compute_sb_data(), it does a "goto out" on error, and in "out" it attempts to free() those 2 fields. Sin= ce the memory for the struct those fields are in wasn't initialized when it was allocated, free() is being passed invalid pointers, resulting in a panic. The attached patch initializes the struct with those fields to zeroes on allocation, preventing the panic. I'll investigate the original error that caused this buggy error path to be taken in a separate issue. --=20 You are receiving this mail because: You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206056-3630>