Hi,
let me draw your attention to
https://bugzilla.kernel.org/show_bug.cgi?id=153641 which is a
heap-use-after-free bug in btrfs-progs v4.7-42-g56e9586 I found while
fuzzing btrfs.
There are more bugs like this. How do you people want them to be reported?
Best regards
Lukas
--
To unsubscribe fro
Hi,
let me draw your attention to
https://bugzilla.kernel.org/show_bug.cgi?id=154021 which is a
reproducible segv in btrfs-progs v4.7-42-g56e9586 I found while
fuzzing btrfs.
Best regards
Lukas
Hi,
I've now spent around 160 hours of fuzzing BTRFS, here are the crashes
I found so far. Every type of crash is reported only once although
there are usually multiple locations where they show up (especially
heap-use-after-free and calls to abort()).
The following bug reports have attached to t
e helpful.
>
> At 08/29/2016 02:06 PM, Lukas Lueg wrote:
>>
>> Hi,
>>
>> I've now spent around 160 hours of fuzzing BTRFS, here are the crashes
>> I found so far. Every type of crash is reported only once although
>> there are usually multiple locations w
orts.
>
> On Mon, Aug 29, 2016 at 08:06:24AM +0200, Lukas Lueg wrote:
>> I've now spent around 160 hours of fuzzing BTRFS, here are the crashes
>> I found so far. Every type of crash is reported only once although
>> there are usually multiple locations where they show up
>> And special notes for the BUG_ON fix:
>> The fix just fixes a small corner, while tons of BUG_ON()/abort() are
>> still here and there.
>> We need quite a lot of boring work to handle them later.
>
> Yeah yeah, that's been neglected for a very long time. The kernel has
> the abort_transaction in
Hi,
I'm currently fuzzing rev 2076992 and things start to slowly, slowly
quiet down. We will probably run out of steam at the end of the week
when a total of (roughly) half a billion BTRFS-images have passed by.
I will switch revisions to current HEAD and restart the whole process
then. A few thin
bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&component=btrfs&email1=lukas.lueg%40gmail.com&emailreporter1=1&emailtype1=exact&list_id=858441&query_format=advanced
2016-09-09 16:00 GMT+02:00 David Sterba :
> On Tue, Sep 06, 2016 at 10:32:28PM +0200, L
f yet uncovered code.
DigitalOcean has provided some funding for this undertaking so we are
good on CPU power. Kudos to them.
2016-09-13 22:28 GMT+02:00 Lukas Lueg :
> I've booted another instance with btrfs-progs checked out to 2b7c507
> and collected some bugs which remained from the run be
Hi David,
do we have any chance of engagement on those 23 bugs which came out of
the last fuzzing round? The nodes have been basically idle for a week,
spewing duplicates and variants of what's already known...
Best regards
Lukas
2016-09-20 13:33 GMT+02:00 Lukas Lueg :
> There are now
Hi,
I've now shut down all fuzzer nodes since they only cost money and
there is no progress on most of the aforementioned bugs.
Best regards
Lukas
-- Forwarded message --
From: Lukas Lueg
Date: 2016-09-26 11:39 GMT+02:00
Subject: Re: State of the fuzzer
To: linux-
See also https://bugzilla.kernel.org/show_bug.cgi?id=96971
I've identified some problems in the btrfs code and attached a
btrfs-image which causes the userland tools to crash and the kernel to
immediately freeze once the filesystem gets mounted and one of the
files is accessed. Putting the image
See also https://bugzilla.kernel.org/show_bug.cgi?id=97021
The btrfs-image attached to this bug causes the userland tools v3.19.1
to crash by reaching a call to abort().
(gdb) run check btrfs_fukked_abort_cmds-check:5919.bin
Starting program: /usr/sbin/btrfs check btrfs_fukked_abort_cmds-check:59
See also https://bugzilla.kernel.org/show_bug.cgi?id=97031
The btrfs-image attached to this bug causes the userland tools v3.19.1
to crash with a SIGFPE. The problem is that map->stripe_len in
__btrfs_map_block() is allowed to be 0 before entering a division.
The userland tool crashes.
The kernel
See also https://bugzilla.kernel.org/show_bug.cgi?id=97041
The btrfs-image attached to this bug causes the userland tools v3.19.1
to crash with a SIGFPE. The problem is that map->sub_stripes in
__btrfs_map_block() is allowed to be 0 before entering a division.
The userland tool crashes. The kerne
00 GMT+02:00 Qu Wenruo :
> Although only RAID10 uses sub_stripes, a hostile attack can modify chunk
> tree and just add RAID10 bit to a single chunk.
> Then btrfs_map_block will trigger a 0 division in kernel and destroy
> everything.
>
> Just add extra check when reading chunk from
See also https://bugzilla.kernel.org/show_bug.cgi?id=97171
Running btrfs-progs v3.19.1
The btrfs-image attached to this bug causes the btrfs-userland tool to
use uninitialized memory and ultimately overwrite what seems to be
arbitrary memory locations, dying in the process. Reproduced on x86-64
a
See also https://bugzilla.kernel.org/show_bug.cgi?id=97191
Running btrfs-progs v3.19.1
The btrfs-image attached to this bug causes the btrfs-userland tool to
overflow some data structures, leading to unallocated memory being
written to and read from. A segfault results shortly after. Reproduced
o
See also https://bugzilla.kernel.org/show_bug.cgi?id=97271
The attached btrfs-image causes "btrfs check" to write outside of
allocated memory locations and ultimately die due to a segfault. An
adjacent heap block's control structure is overwritten with a `struct
extent_buffer *`, which is not cont