diff --git a/tests/fuzz-tests/images/bko-156731.raw.txt b/tests/fuzz-tests/images/bko-156731.raw.txt new file mode 100644 index 00000000..aea35f1f --- /dev/null +++ b/tests/fuzz-tests/images/bko-156731.raw.txt @@ -0,0 +1,83 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=156731 +Lukas Lueg 2016-09-13 19:53:59 UTC + +More news from the fuzzer. The attached image causes btrfsck to +buffer-overflow. Using btrfs-progs v4.7-42-g56e9586, compiled with ASAN +(doesn't crash without) + +==17647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x00000052dde3 bp 0x7ffecc974fe0 sp 0x7ffecc974fd8 +READ of size 4 at 0x621000017980 thread T0 + #0 0x52dde2 in btrfs_extent_data_ref_count /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1 + #1 0x5329ae in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6380:6 + #2 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10 + #3 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8 + #4 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9 + #5 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #6 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #7 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +cat crashing_images/id:000047,sig:11,src:000343+000051,op:splice,rep:4.log +================================================================= +==17647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x00000052dde3 bp 0x7ffecc974fe0 sp 0x7ffecc974fd8 +READ of size 4 at 0x621000017980 thread T0 + #0 0x52dde2 in btrfs_extent_data_ref_count /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1 + #1 0x5329ae in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6380:6 + #2 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10 + #3 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8 + #4 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9 + #5 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #6 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #7 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +0x621000017980 is located 0 bytes to the right of 4224-byte region [0x621000016900,0x621000017980) +allocated by thread T0 here: + #0 0x4bfca0 in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0) + #1 0x5c16ca in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7 + #2 0x5c1b26 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8 + #3 0x58de0c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9 + #4 0x58e880 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7 + #5 0x5918a2 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9 + #6 0x591712 in find_and_setup_root /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:647:15 + #7 0x593243 in setup_root_or_create_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:966:8 + #8 0x592850 in btrfs_setup_all_roots /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1031:8 + #9 0x5948fe in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1341:8 + #10 0x5942b5 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1387:9 + #11 0x51dff2 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9 + #12 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #13 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730) + +SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1 in btrfs_extent_data_ref_count +Shadow bytes around the buggy address: + 0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c427fffaf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==17647==ABORTING diff --git a/tests/fuzz-tests/images/bko-156731.raw.xz b/tests/fuzz-tests/images/bko-156731.raw.xz new file mode 100644 index 00000000..74a5c2a9 Binary files /dev/null and b/tests/fuzz-tests/images/bko-156731.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-156741.raw.txt b/tests/fuzz-tests/images/bko-156741.raw.txt new file mode 100644 index 00000000..ca52677a --- /dev/null +++ b/tests/fuzz-tests/images/bko-156741.raw.txt @@ -0,0 +1,131 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=156741 +Lukas Lueg 2016-09-13 19:56:16 UTC + +More news from the fuzzer. The attached image causes btrfsck to +buffer-overflow. Using btrfs-progs v4.7-42-g56e9586, compiled with ASAN +(doesn't crash without). + +==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978 +READ of size 1 at 0x621000017980 thread T0 + #0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1 + #1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10 + #2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8 + #3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8 + #4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +cat crashing_images/id:000073,sig:11,src:000504+000275,op:splice,rep:4.log +parent transid verify failed on 1122304 wanted 3472328296227680304 found 1 +parent transid verify failed on 1122304 wanted 3472328296227680304 found 1 +Ignoring transid failure +Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group +Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group +Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group +ref mismatch on [131072 4096] extent item 0, found 1 +Backref 131072 parent 3 root 3 not found in extent tree +backpointer mismatch on [131072 4096] +ref mismatch on [1118208 4096] extent item 1, found 0 +Backref 1118208 root 1 not referenced back 0x60300000ee00 +Incorrect global backref count on 1118208 found 1 wanted 0 +backpointer mismatch on [1118208 4096] +owner ref check failed [1118208 4096] +ref mismatch on [1126400 4096] extent item 1, found 0 +Backref 1126400 root 3 not referenced back 0x60300000edd0 +Incorrect global backref count on 1126400 found 1 wanted 0 +backpointer mismatch on [1126400 4096] +owner ref check failed [1126400 4096] +ref mismatch on [1130496 4096] extent item 1, found 0 +Backref 1130496 root 4 not referenced back 0x60300000eda0 +Incorrect global backref count on 1130496 found 1 wanted 0 +backpointer mismatch on [1130496 4096] +owner ref check failed [1130496 4096] +ref mismatch on [1134592 4096] extent item 1, found 0 +Backref 1134592 root 5 not referenced back 0x60300000ed70 +Incorrect global backref count on 1134592 found 1 wanted 0 +backpointer mismatch on [1134592 4096] +owner ref check failed [1134592 4096] +ref mismatch on [1138688 4096] extent item 1, found 0 +Backref 1138688 root 7 not referenced back 0x60300000ed40 +Incorrect global backref count on 1138688 found 1 wanted 0 +backpointer mismatch on [1138688 4096] +owner ref check failed [1138688 4096] +ref mismatch on [4194304 4096] extent item 0, found 1 +Backref 4194304 parent 5 root 5 not found in extent tree +backpointer mismatch on [4194304 4096] +ref mismatch on [4198400 4096] extent item 0, found 1 +Backref 4198400 parent 1 root 1 not found in extent tree +backpointer mismatch on [4198400 4096] +ref mismatch on [4227072 4096] extent item 0, found 1 +Backref 4227072 parent 4 root 4 not found in extent tree +backpointer mismatch on [4227072 4096] +ref mismatch on [4231168 4096] extent item 0, found 1 +Backref 4231168 parent 7 root 7 not found in extent tree +backpointer mismatch on [4231168 4096] +ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1 +Backref 3472328296227680304 root 1 owner 6 offset 0 num_refs 0 not found in extent tree +Incorrect local backref count on 3472328296227680304 root 1 owner 6 offset 0 found 1 wanted 0 back 0x60700000dca0 +backpointer mismatch on [3472328296227680304 3472328296227680304] +================================================================= +==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978 +READ of size 1 at 0x621000017980 thread T0 + #0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1 + #1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10 + #2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8 + #3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8 + #4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +0x621000017980 is located 0 bytes to the right of 4224-byte region [0x621000016900,0x621000017980) +allocated by thread T0 here: + #0 0x4bfca0 in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0) + #1 0x5c16ca in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7 + #2 0x5c1b26 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8 + #3 0x58de0c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9 + #4 0x58e880 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7 + #5 0x5918a2 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9 + #6 0x591712 in find_and_setup_root /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:647:15 + #7 0x593243 in setup_root_or_create_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:966:8 + #8 0x592850 in btrfs_setup_all_roots /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1031:8 + #9 0x5948fe in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1341:8 + #10 0x5942b5 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1387:9 + #11 0x51dff2 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9 + #12 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #13 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730) + +SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1 in btrfs_extent_inline_ref_type +Shadow bytes around the buggy address: + 0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c427fffaf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==23161==ABORTING diff --git a/tests/fuzz-tests/images/bko-156741.raw.xz b/tests/fuzz-tests/images/bko-156741.raw.xz new file mode 100644 index 00000000..af4de268 Binary files /dev/null and b/tests/fuzz-tests/images/bko-156741.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-161811.raw.txt b/tests/fuzz-tests/images/bko-161811.raw.txt new file mode 100644 index 00000000..93374e98 --- /dev/null +++ b/tests/fuzz-tests/images/bko-161811.raw.txt @@ -0,0 +1,81 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=161811 +Lukas Lueg 2016-09-16 20:03:35 UTC + +More news from the fuzzer. The attached image causes a global-buffer-overflow +in btrfsck; using btrfs-progs v4.7-42-g56e9586. You need to compile with ASAN +in order to reproduce. + +The juicy parts: + +==16657==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064726f at pc 0x00000054eadd bp 0x7ffec6d9b980 sp 0x7ffec6d9b978 +READ of size 1 at 0x00000064726f thread T0 + #0 0x54eadc in imode_to_type /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9 + #1 0x54673a in maybe_free_inode_rec /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:932:13 + #2 0x54a79a in add_inode_backref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1104:2 + #3 0x54b6d2 in process_inode_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1549:3 + #4 0x5489e4 in process_one_leaf /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1810:10 + #5 0x54522e in walk_down_tree /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1958:10 + #6 0x54372e in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3668:10 + #7 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10 + #8 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8 + #9 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #10 0x7f4a5c29f730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #11 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +bad full backref, on [4198400] +checking free space cache +checking fs roots +================================================================= +==16657==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064726f at pc 0x00000054eadd bp 0x7ffec6d9b980 sp 0x7ffec6d9b978 +READ of size 1 at 0x00000064726f thread T0 + #0 0x54eadc in imode_to_type /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9 + #1 0x54673a in maybe_free_inode_rec /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:932:13 + #2 0x54a79a in add_inode_backref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1104:2 + #3 0x54b6d2 in process_inode_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1549:3 + #4 0x5489e4 in process_one_leaf /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1810:10 + #5 0x54522e in walk_down_tree /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1958:10 + #6 0x54372e in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3668:10 + #7 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10 + #8 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8 + #9 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #10 0x7f4a5c29f730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #11 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +0x00000064726f is located 49 bytes to the left of global variable '' defined in 'cmds-check.c:3051:2' (0x6472a0) of size 17 + '' is ascii string 'check_inode_recs' +0x00000064726f is located 0 bytes to the right of global variable 'btrfs_type_by_mode' defined in 'cmds-check.c:625:23' (0x647260) of size 15 +SUMMARY: AddressSanitizer: global-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9 in imode_to_type +Shadow bytes around the buggy address: + 0x0000800c0df0: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 02 f9 + 0x0000800c0e00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 07 f9 f9 + 0x0000800c0e10: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 01 + 0x0000800c0e20: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 01 f9 + 0x0000800c0e30: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 05 f9 +=>0x0000800c0e40: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00[07]f9 f9 + 0x0000800c0e50: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 00 07 + 0x0000800c0e60: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 + 0x0000800c0e70: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 + 0x0000800c0e80: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00 + 0x0000800c0e90: 00 00 03 f9 f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==16657==ABORTING diff --git a/tests/fuzz-tests/images/bko-161811.raw.xz b/tests/fuzz-tests/images/bko-161811.raw.xz new file mode 100644 index 00000000..8ac31951 Binary files /dev/null and b/tests/fuzz-tests/images/bko-161811.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-161821.raw.txt b/tests/fuzz-tests/images/bko-161821.raw.txt new file mode 100644 index 00000000..c06b0ea7 --- /dev/null +++ b/tests/fuzz-tests/images/bko-161821.raw.txt @@ -0,0 +1,42 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=161821 +Lukas Lueg 2016-09-16 20:45:58 UTC + +More news from the fuzzer. The attached image causes a segmentation fault when +running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507 + +The juicy parts: + +==29097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x000000581939 bp 0x7fff1f168590 sp 0x7fff1f168590 T0) + #0 0x581938 in extent_buffer_get /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10 + #1 0x583daf in btrfs_search_slot /home/lukas/dev/btrfsfuzz/src-asan/ctree.c:1118:2 + #2 0x538652 in check_owner_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4043:8 + #3 0x535ca5 in check_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4433:10 + #4 0x532464 in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6292:8 + #5 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10 + #6 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8 + #7 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9 + #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #9 0x7f42d367b730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +parent transid verify failed on 4198400 wanted 14 found 1114126 +parent transid verify failed on 4198400 wanted 14 found 1114126 +Ignoring transid failure +ASAN:DEADLYSIGNAL +================================================================= +==29097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x000000581939 bp 0x7fff1f168590 sp 0x7fff1f168590 T0) + #0 0x581938 in extent_buffer_get /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10 + #1 0x583daf in btrfs_search_slot /home/lukas/dev/btrfsfuzz/src-asan/ctree.c:1118:2 + #2 0x538652 in check_owner_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4043:8 + #3 0x535ca5 in check_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4433:10 + #4 0x532464 in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6292:8 + #5 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10 + #6 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8 + #7 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9 + #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #9 0x7f42d367b730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10 in extent_buffer_get +==29097==ABORTING diff --git a/tests/fuzz-tests/images/bko-161821.raw.xz b/tests/fuzz-tests/images/bko-161821.raw.xz new file mode 100644 index 00000000..6c673ea4 Binary files /dev/null and b/tests/fuzz-tests/images/bko-161821.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-167551.raw.txt b/tests/fuzz-tests/images/bko-167551.raw.txt new file mode 100644 index 00000000..c2ae8548 --- /dev/null +++ b/tests/fuzz-tests/images/bko-167551.raw.txt @@ -0,0 +1,29 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=167551 +Lukas Lueg 2016-09-17 18:32:31 UTC + +More news from the fuzzer. The attached image causes btrfsck to enter what +seems to be an endless loop; using btrfs-progs v4.7.2-55-g2b7c507 + +Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck hang000022.img +Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64 +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib64/libthread_db.so.1". + +Program received signal SIGINT, Interrupt. +0x00000000004576b7 in alloc_extent_buffer (tree=0x6b5420, bytenr=4198400, blocksize=4096) at extent_io.c:628 +628 { +Missing separate debuginfos, use: dnf debuginfo-install libblkid-2.28.2-1.fc24.x86_64 libuuid-2.28.2-1.fc24.x86_64 lzo-2.08-8.fc24.x86_64 zlib-1.2.8-10.fc24.x86_64 +#0 0x00000000004576b7 in alloc_extent_buffer (tree=0x6b5420, bytenr=4198400, blocksize=4096) at extent_io.c:628 +#1 0x0000000000444be3 in read_tree_block_fs_info (fs_info=0x6b53a0, bytenr=4198400, blocksize=4096, parent_transid=14) at disk-io.c:339 +#2 0x0000000000440845 in btrfs_search_slot (trans=, root=, key=, p=, + ins_len=, cow=) at ctree.c:1175 +#3 0x000000000044bf8a in find_first_block_group (root=0x6b5850, path=0x6b41d0, key=0x7fffffffde78) at extent-tree.c:3142 +#4 0x000000000044bd3a in btrfs_read_block_groups (root=0x6b5850) at extent-tree.c:3240 +#5 0x00000000004464b3 in btrfs_setup_all_roots (fs_info=0x6b53a0, root_tree_bytenr=4202496, flags=) at disk-io.c:1077 +#6 0x0000000000446fc5 in __open_ctree_fd (fp=, path=, sb_bytenr=65536, root_tree_bytenr=, + chunk_root_bytenr=, flags=) at disk-io.c:1341 +#7 0x0000000000446d65 in open_ctree_fs_info (filename=0x7fffffffe4f5 "hang000022.img", sb_bytenr=0, root_tree_bytenr=0, + chunk_root_bytenr=0, flags=64) at disk-io.c:1387 +#8 0x000000000041bbe2 in cmd_check (argc=, argv=) at cmds-check.c:11382 +#9 0x000000000040a10d in main (argc=, argv=0x7fffffffe218) at btrfs.c:243 +quit diff --git a/tests/fuzz-tests/images/bko-167551.raw.xz b/tests/fuzz-tests/images/bko-167551.raw.xz new file mode 100644 index 00000000..2292fb4b Binary files /dev/null and b/tests/fuzz-tests/images/bko-167551.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-167781.raw.txt b/tests/fuzz-tests/images/bko-167781.raw.txt new file mode 100644 index 00000000..f185fb6f --- /dev/null +++ b/tests/fuzz-tests/images/bko-167781.raw.txt @@ -0,0 +1,297 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=167781 +Lukas Lueg 2016-09-17 19:01:47 UTC + +More news from the fuzzer. The attached image causes btrfsck to overflow it's +stack by what seems to be an infinite (or at least sufficiently deep) recursion +in resolve_one_root(); using btrfs-progs v4.7-42-g56e9586. + + +checking extents +Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group +Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent +Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group +Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent +Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group +Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent +ref mismatch on [131072 4096] extent item 0, found 1 +Backref 131072 parent 3 root 3 not found in extent tree +backpointer mismatch on [131072 4096] +bad extent [131072, 135168), type mismatch with chunk +ref mismatch on [4194304 4096] extent item 0, found 1 +Backref 4194304 parent 5 root 5 not found in extent tree +backpointer mismatch on [4194304 4096] +ref mismatch on [4198400 4096] extent item 0, found 1 +Backref 4198400 parent 1 root 1 not found in extent tree +backpointer mismatch on [4198400 4096] +ref mismatch on [4231168 4096] extent item 0, found 1 +Backref 4231168 parent 7 root 7 not found in extent tree +backpointer mismatch on [4231168 4096] +ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1 +Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree +Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60800000bd20 +backpointer mismatch on [3472328296227680304 3472328296227680304] +Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1] +Errors found in extent allocation tree or chunk allocation +checking free space cache +checking fs roots +checking csums +checking root refs +checking quota groups +ASAN:DEADLYSIGNAL +================================================================= +==9638==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc0e2d1ff8 (pc 0x0000005f2ed7 bp 0x7ffc0e2d2010 sp 0x7ffc0e2d2000 T0) + #0 0x5f2ed6 in find_ref_bytenr /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:253:46 + #1 0x5f2cba in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:560:20 + #2 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #3 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #4 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #5 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #6 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #7 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #8 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #9 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #10 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #11 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #12 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #13 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #14 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #15 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #16 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #17 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #18 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #19 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #20 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #21 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #22 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #23 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #24 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #25 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #26 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #27 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #28 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #29 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #30 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #31 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #32 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #33 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #34 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #35 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #36 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #37 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #38 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #39 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #40 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #41 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #42 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #43 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #44 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #45 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #46 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #47 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #48 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #49 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #50 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #51 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #52 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #53 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #54 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #55 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #56 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #57 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #58 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #59 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #60 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #61 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #62 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #63 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #64 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #65 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #66 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #67 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #68 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #69 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #70 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #71 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #72 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #73 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #74 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #75 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #76 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #77 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #78 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #79 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #80 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #81 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #82 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #83 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #84 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #85 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #86 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #87 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #88 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #89 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #90 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #91 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #92 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #93 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #94 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #95 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #96 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #97 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #98 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #99 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #100 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #101 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #102 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #103 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #104 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #105 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #106 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #107 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #108 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #109 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #110 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #111 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #112 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #113 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #114 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #115 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #116 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #117 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #118 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #119 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #120 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #121 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #122 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #123 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #124 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #125 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #126 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #127 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #128 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #129 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #130 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #131 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #132 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #133 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #134 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #135 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #136 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #137 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #138 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #139 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #140 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #141 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #142 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #143 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #144 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #145 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #146 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #147 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #148 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #149 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #150 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #151 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #152 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #153 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #154 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #155 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #156 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #157 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #158 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #159 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #160 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #161 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #162 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #163 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #164 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #165 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #166 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #167 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #168 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #169 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #170 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #171 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #172 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #173 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #174 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #175 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #176 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #177 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #178 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #179 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #180 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #181 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #182 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #183 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #184 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #185 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #186 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #187 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #188 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #189 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #190 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #191 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #192 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #193 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #194 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #195 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #196 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #197 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #198 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #199 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #200 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #201 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #202 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #203 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #204 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #205 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #206 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #207 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #208 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #209 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #210 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #211 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #212 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #213 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #214 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #215 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #216 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #217 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #218 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #219 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #220 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #221 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #222 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #223 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #224 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #225 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #226 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #227 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #228 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #229 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #230 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #231 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #232 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #233 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #234 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #235 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #236 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #237 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #238 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #239 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #240 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #241 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #242 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #243 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #244 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #245 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #246 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #247 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #248 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #249 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #250 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + #251 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9 + +SUMMARY: AddressSanitizer: stack-overflow /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:253:46 in find_ref_bytenr +==9638==ABORTING diff --git a/tests/fuzz-tests/images/bko-167781.raw.xz b/tests/fuzz-tests/images/bko-167781.raw.xz new file mode 100644 index 00000000..a4bd1de5 Binary files /dev/null and b/tests/fuzz-tests/images/bko-167781.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-167921.raw.txt b/tests/fuzz-tests/images/bko-167921.raw.txt new file mode 100644 index 00000000..04ae8a19 --- /dev/null +++ b/tests/fuzz-tests/images/bko-167921.raw.txt @@ -0,0 +1,55 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=167921 +Lukas Lueg 2016-09-17 19:16:19 UTC + +More news from the fuzzer. The attached image causes a call to abort() when +running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507 + +Program received signal SIGABRT, Aborted. +0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6 +#2 0x000000000042390b in run_next_block (root=, bits=, bits_nr=1024, last=, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=, + ri=) at cmds-check.c:6424 +#3 0x0000000000421d9b in deal_root_from_list (list=, root=, bits=, bits_nr=1024, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=) + at cmds-check.c:8391 +#4 0x000000000041d1d2 in check_chunks_and_extents (root=) at cmds-check.c:8567 +#5 0x000000000041bf0b in cmd_check (argc=, argv=) at cmds-check.c:11493 +#6 0x000000000040a10d in main (argc=, argv=0x7fffffffe218) at btrfs.c:243 + +parent transid verify failed on 4194304 wanted 65305493131755520 found 14 +parent transid verify failed on 4194304 wanted 65305493131755520 found 14 +Ignoring transid failure +Checking filesystem on crashing_images/id:000162,sig:06,src:000059+001444,op:splice,rep:2.img +UUID: 056b0872-c0a7-4121-8ac9-2263ffbee306 +checking extents/bin/sh: line 3: 3091 Aborted LD_LIBRARY_PATH=/home/lukas/dev/btrfsfuzz/bin-asan/lib LD_PRELOAD=/home/lukas/dev/afl_git/libdislocator/libdislocator.so ASAN_OPTIONS=detect_leaks=0 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfsck crashing_images/id:000162,sig:06,src:000059+001444,op:splice,rep:2.img +Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000160.img +Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64 +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib64/libthread_db.so.1". +[Inferior 1 (process 21730) exited with code 0376] +Missing separate debuginfos, use: dnf debuginfo-install libblkid-2.28.2-1.fc24.x86_64 libuuid-2.28.2-1.fc24.x86_64 lzo-2.08-8.fc24.x86_64 zlib-1.2.8-10.fc24.x86_64 +No stack. +Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000162.img +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib64/libthread_db.so.1". + +Program received signal SIGABRT, Aborted. +0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6 +#2 0x000000000042390b in run_next_block (root=, bits=, bits_nr=1024, last=, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=, + ri=) at cmds-check.c:6424 +#3 0x0000000000421d9b in deal_root_from_list (list=, root=, bits=, bits_nr=1024, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=) + at cmds-check.c:8391 +#4 0x000000000041d1d2 in check_chunks_and_extents (root=) at cmds-check.c:8567 +#5 0x000000000041bf0b in cmd_check (argc=, argv=) at cmds-check.c:11493 +#6 0x000000000040a10d in main (argc=, argv=0x7fffffffe218) at btrfs.c:243 +quit diff --git a/tests/fuzz-tests/images/bko-167921.raw.xz b/tests/fuzz-tests/images/bko-167921.raw.xz new file mode 100644 index 00000000..41d7157e Binary files /dev/null and b/tests/fuzz-tests/images/bko-167921.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-168301.raw.txt b/tests/fuzz-tests/images/bko-168301.raw.txt new file mode 100644 index 00000000..9f3bab87 --- /dev/null +++ b/tests/fuzz-tests/images/bko-168301.raw.txt @@ -0,0 +1,51 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=168301 +Lukas Lueg 2016-09-17 20:00:11 UTC + +More news from the fuzzer. The attached image causes a call to abort() when +running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507 + +Program received signal SIGABRT, Aborted. +0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6 +#2 0x0000000000424fc7 in add_data_backref (extent_cache=0x7fffffffdfe0, bytenr=18446744073709551615, parent=, + root=, owner=, offset=, num_refs=, found_ref=, + max_size=4096) at cmds-check.c:4856 +#3 0x00000000004234bd in run_next_block (root=, bits=, bits_nr=1024, last=, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=, + ri=) at cmds-check.c:6388 +#4 0x0000000000421d9b in deal_root_from_list (list=, root=, bits=, bits_nr=1024, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=) + at cmds-check.c:8391 +#5 0x000000000041d160 in check_chunks_and_extents (root=) at cmds-check.c:8558 +#6 0x000000000041bf0b in cmd_check (argc=, argv=) at cmds-check.c:11493 +#7 0x000000000040a10d in main (argc=, argv=0x7fffffffe218) at btrfs.c:243 + +Checking filesystem on crashing_images/id:000170,sig:06,src:001268,op:havoc,rep:8.img +UUID: 056b0872-c0a7-4121-8ac9-2263ffbee306 +checking extents/bin/sh: line 3: 4644 Aborted LD_LIBRARY_PATH=/home/lukas/dev/btrfsfuzz/bin-asan/lib LD_PRELOAD=/home/lukas/dev/afl_git/libdislocator/libdislocator.so ASAN_OPTIONS=detect_leaks=0 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfsck crashing_images/id:000170,sig:06,src:001268,op:havoc,rep:8.img +Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000170.img +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib64/libthread_db.so.1". + +Program received signal SIGABRT, Aborted. +0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6 +#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6 +#2 0x0000000000424fc7 in add_data_backref (extent_cache=0x7fffffffdfe0, bytenr=18446744073709551615, parent=, + root=, owner=, offset=, num_refs=, found_ref=, + max_size=4096) at cmds-check.c:4856 +#3 0x00000000004234bd in run_next_block (root=, bits=, bits_nr=1024, last=, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=, + ri=) at cmds-check.c:6388 +#4 0x0000000000421d9b in deal_root_from_list (list=, root=, bits=, bits_nr=1024, + pending=, seen=, reada=, nodes=, extent_cache=, + chunk_cache=, dev_cache=, block_group_cache=, dev_extent_cache=) + at cmds-check.c:8391 +#5 0x000000000041d160 in check_chunks_and_extents (root=) at cmds-check.c:8558 +#6 0x000000000041bf0b in cmd_check (argc=, argv=) at cmds-check.c:11493 +#7 0x000000000040a10d in main (argc=, argv=0x7fffffffe218) at btrfs.c:243 +quit diff --git a/tests/fuzz-tests/images/bko-168301.raw.xz b/tests/fuzz-tests/images/bko-168301.raw.xz new file mode 100644 index 00000000..4c7f4623 Binary files /dev/null and b/tests/fuzz-tests/images/bko-168301.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt new file mode 100644 index 00000000..c5ec8ee1 --- /dev/null +++ b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.txt @@ -0,0 +1,134 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=169301 +Lukas Lueg 2016-09-18 09:07:55 UTC + +More news from the fuzzer. The attached image causes a heap-use-after-free +when running btrfsck with ASAN over it; using btrfs-progs v4.7.2-56-ge8c2013 + +==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8 +READ of size 4 at 0x621000014170 thread T0 + #0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10 + #1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3 + #2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2 + #3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9 + #4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2 + #5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +Probably somewhat related to this: The image crash000255.img causes btrfsck to +try to allocate around 3.5gb of memory in one chunk, sending ASAN into a death +spiral. On systems with sufficient memory, the heap-use-after-free turns up. + +parent transid verify failed on 0 wanted 3472328296227680304 found 0 +parent transid verify failed on 0 wanted 3472328296227680304 found 0 +Ignoring transid failure +Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group +Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent +Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group +Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent +Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group +Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent +ref mismatch on [0 4096] extent item 0, found 1 +Backref 0 parent 0 root 0 not found in extent tree +backpointer mismatch on [0 4096] +bad extent [0, 4096), type mismatch with chunk +ref mismatch on [131072 4096] extent item 0, found 1 +Backref 131072 parent 3 root 3 not found in extent tree +backpointer mismatch on [131072 4096] +ref mismatch on [4198400 4096] extent item 0, found 1 +Backref 4198400 parent 1 root 1 not found in extent tree +backpointer mismatch on [4198400 4096] +ref mismatch on [4231168 4096] extent item 0, found 1 +Backref 4231168 parent 7 root 7 not found in extent tree +backpointer mismatch on [4231168 4096] +ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1 +Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree +Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60700000ddf0 +backpointer mismatch on [3472328296227680304 3472328296227680304] +Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1] +checking free space cache +checking fs roots +root 5 root dir 3472328296227680304 not found +checking csums +checking root refs +checking quota groups +ERROR: while mapping refs: -5 +================================================================= +==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8 +READ of size 4 at 0x621000014170 thread T0 + #0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10 + #1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3 + #2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2 + #3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9 + #4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2 + #5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +0x621000014170 is located 112 bytes inside of 4224-byte region [0x621000014100,0x621000015180) +freed by thread T0 here: + #0 0x4bf990 in __interceptor_cfree.localalias.1 (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bf990) + #1 0x5c0582 in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:591:3 + #2 0x5c1b18 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:644:4 + #3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9 + #4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7 + #5 0x5f2d74 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9 + #6 0x5f2b52 in travel_tree /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7 + #7 0x5f299b in add_refs_for_implied /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8 + #8 0x5efd39 in map_implied_refs /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9 + #9 0x5eed89 in qgroup_verify_all /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8 + #10 0x51ea14 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9 + #11 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #12 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730) + +previously allocated by thread T0 here: + #0 0x4bfca0 in calloc (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0) + #1 0x5c16ca in __alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:542:7 + #2 0x5c1b26 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:646:8 + #3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9 + #4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7 + #5 0x5918a2 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9 + #6 0x591712 in find_and_setup_root /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:647:15 + #7 0x593243 in setup_root_or_create_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:966:8 + #8 0x592a06 in btrfs_setup_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1045:8 + #9 0x5948fe in __open_ctree_fd /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1341:8 + #10 0x5942b5 in open_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1387:9 + #11 0x51dff2 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9 + #12 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #13 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730) + +SUMMARY: AddressSanitizer: heap-use-after-free /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10 in free_extent_buffer +Shadow bytes around the buggy address: + 0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffa800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x0c427fffa820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd + 0x0c427fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c427fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c427fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c427fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c427fffa870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==3439==ABORTING diff --git a/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.xz b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.xz new file mode 100644 index 00000000..70c2b22f Binary files /dev/null and b/tests/fuzz-tests/images/bko-169301-1-blocksize-zero.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.txt b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.txt new file mode 100644 index 00000000..0af00ec6 --- /dev/null +++ b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.txt @@ -0,0 +1,185 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=169301 +Lukas Lueg 2016-09-18 09:07:55 UTC + +parent transid verify failed on 4231168 wanted 274877906948 found 4 +Ignoring transid failure +parent transid verify failed on 4222976 wanted 3472328296227680304 found 4 +parent transid verify failed on 4222976 wanted 3472328296227680304 found 4 +Ignoring transid failure +checking extents +Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group +Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent +Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group +Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent +Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group +Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent +ref mismatch on [131072 4096] extent item 0, found 1 +Backref 131072 parent 3 root 3 not found in extent tree +backpointer mismatch on [131072 4096] +ref mismatch on [4194304 4096] extent item 0, found 1 +Backref 4194304 parent 5 root 5 not found in extent tree +backpointer mismatch on [4194304 4096] +ref mismatch on [4198400 4096] extent item 0, found 1 +Backref 4198400 parent 1 root 1 not found in extent tree +backpointer mismatch on [4198400 4096] +ref mismatch on [4231168 4096] extent item 0, found 1 +Backref 4231168 parent 7 root 7 not found in extent tree +backpointer mismatch on [4231168 4096] +ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1 +Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree +Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60800000bc20 +backpointer mismatch on [3472328296227680304 3472328296227680304] +Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1] +Errors found in extent allocation tree or chunk allocation +checking free space cache +checking fs roots +checking csums +checking root refs +checking quota groups +==23294==ERROR: AddressSanitizer failed to allocate 0xe4ff4000 (3841933312) bytes of LargeMmapAllocator (error code: 12) +==23294==Process memory map follows: + 0x000000400000-0x0000006a6000 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs + 0x0000008a6000-0x0000008b9000 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs + 0x0000008b9000-0x0000008ef000 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs + 0x0000008ef000-0x000001567000 + 0x00007fff7000-0x00008fff7000 + 0x00008fff7000-0x02008fff7000 + 0x02008fff7000-0x10007fff8000 + 0x600000000000-0x602000000000 + 0x602000000000-0x602000010000 + 0x602000010000-0x603000000000 + 0x603000000000-0x603000010000 + 0x603000010000-0x604000000000 + 0x604000000000-0x604000010000 + 0x604000010000-0x606000000000 + 0x606000000000-0x606000010000 + 0x606000010000-0x607000000000 + 0x607000000000-0x607000010000 + 0x607000010000-0x608000000000 + 0x608000000000-0x608000010000 + 0x608000010000-0x60c000000000 + 0x60c000000000-0x60c000010000 + 0x60c000010000-0x60d000000000 + 0x60d000000000-0x60d000010000 + 0x60d000010000-0x60e000000000 + 0x60e000000000-0x60e000010000 + 0x60e000010000-0x611000000000 + 0x611000000000-0x611000010000 + 0x611000010000-0x616000000000 + 0x616000000000-0x616000020000 + 0x616000020000-0x619000000000 + 0x619000000000-0x619000020000 + 0x619000020000-0x621000000000 + 0x621000000000-0x621000020000 + 0x621000020000-0x624000000000 + 0x624000000000-0x624000020000 + 0x624000020000-0x629000000000 + 0x629000000000-0x629000010000 + 0x629000010000-0x640000000000 + 0x640000000000-0x640000003000 + 0x7f62fb97e000-0x7f62fdcd0000 + 0x7f62fdcd0000-0x7f62fde89000 /usr/lib64/libc-2.23.so + 0x7f62fde89000-0x7f62fe088000 /usr/lib64/libc-2.23.so + 0x7f62fe088000-0x7f62fe08c000 /usr/lib64/libc-2.23.so + 0x7f62fe08c000-0x7f62fe08e000 /usr/lib64/libc-2.23.so + 0x7f62fe08e000-0x7f62fe092000 + 0x7f62fe092000-0x7f62fe0a8000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1 + 0x7f62fe0a8000-0x7f62fe2a7000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1 + 0x7f62fe2a7000-0x7f62fe2a8000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1 + 0x7f62fe2a8000-0x7f62fe2a9000 /usr/lib64/libgcc_s-6.1.1-20160621.so.1 + 0x7f62fe2a9000-0x7f62fe2ac000 /usr/lib64/libdl-2.23.so + 0x7f62fe2ac000-0x7f62fe4ab000 /usr/lib64/libdl-2.23.so + 0x7f62fe4ab000-0x7f62fe4ac000 /usr/lib64/libdl-2.23.so + 0x7f62fe4ac000-0x7f62fe4ad000 /usr/lib64/libdl-2.23.so + 0x7f62fe4ad000-0x7f62fe5b5000 /usr/lib64/libm-2.23.so + 0x7f62fe5b5000-0x7f62fe7b4000 /usr/lib64/libm-2.23.so + 0x7f62fe7b4000-0x7f62fe7b5000 /usr/lib64/libm-2.23.so + 0x7f62fe7b5000-0x7f62fe7b6000 /usr/lib64/libm-2.23.so + 0x7f62fe7b6000-0x7f62fe7bd000 /usr/lib64/librt-2.23.so + 0x7f62fe7bd000-0x7f62fe9bc000 /usr/lib64/librt-2.23.so + 0x7f62fe9bc000-0x7f62fe9bd000 /usr/lib64/librt-2.23.so + 0x7f62fe9bd000-0x7f62fe9be000 /usr/lib64/librt-2.23.so + 0x7f62fe9be000-0x7f62fe9d5000 /usr/lib64/libpthread-2.23.so + 0x7f62fe9d5000-0x7f62febd4000 /usr/lib64/libpthread-2.23.so + 0x7f62febd4000-0x7f62febd5000 /usr/lib64/libpthread-2.23.so + 0x7f62febd5000-0x7f62febd6000 /usr/lib64/libpthread-2.23.so + 0x7f62febd6000-0x7f62febda000 + 0x7f62febda000-0x7f62febfc000 /usr/lib64/liblzo2.so.2.0.0 + 0x7f62febfc000-0x7f62fedfb000 /usr/lib64/liblzo2.so.2.0.0 + 0x7f62fedfb000-0x7f62fedfc000 /usr/lib64/liblzo2.so.2.0.0 + 0x7f62fedfc000-0x7f62fedfd000 + 0x7f62fedfd000-0x7f62fee12000 /usr/lib64/libz.so.1.2.8 + 0x7f62fee12000-0x7f62ff011000 /usr/lib64/libz.so.1.2.8 + 0x7f62ff011000-0x7f62ff012000 /usr/lib64/libz.so.1.2.8 + 0x7f62ff012000-0x7f62ff013000 /usr/lib64/libz.so.1.2.8 + 0x7f62ff013000-0x7f62ff050000 /usr/lib64/libblkid.so.1.1.0 + 0x7f62ff050000-0x7f62ff250000 /usr/lib64/libblkid.so.1.1.0 + 0x7f62ff250000-0x7f62ff254000 /usr/lib64/libblkid.so.1.1.0 + 0x7f62ff254000-0x7f62ff255000 /usr/lib64/libblkid.so.1.1.0 + 0x7f62ff255000-0x7f62ff256000 + 0x7f62ff256000-0x7f62ff25a000 /usr/lib64/libuuid.so.1.3.0 + 0x7f62ff25a000-0x7f62ff459000 /usr/lib64/libuuid.so.1.3.0 + 0x7f62ff459000-0x7f62ff45a000 /usr/lib64/libuuid.so.1.3.0 + 0x7f62ff45a000-0x7f62ff45b000 + 0x7f62ff45b000-0x7f62ff45d000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so + 0x7f62ff45d000-0x7f62ff65c000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so + 0x7f62ff65c000-0x7f62ff65d000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so + 0x7f62ff65d000-0x7f62ff65e000 /home/lukas/dev/afl_git/libdislocator/libdislocator.so + 0x7f62ff65e000-0x7f62ff682000 /usr/lib64/ld-2.23.so + 0x7f62ff810000-0x7f62ff879000 + 0x7f62ff879000-0x7f62ff881000 + 0x7f62ff881000-0x7f62ff882000 /usr/lib64/ld-2.23.so + 0x7f62ff882000-0x7f62ff883000 /usr/lib64/ld-2.23.so + 0x7f62ff883000-0x7f62ff884000 + 0x7fff5a065000-0x7fff5a086000 [stack] + 0x7fff5a0c7000-0x7fff5a0ca000 [vvar] + 0x7fff5a0ca000-0x7fff5a0cc000 [vdso] + 0xffffffffff600000-0xffffffffff601000 [vsyscall] +==23294==End of process memory map. +==23294==AddressSanitizer CHECK failed: /builddir/build/BUILD/compiler-rt-3.8.0.src/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0) + #0 0x4c90cd in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4c90cd) + #1 0x4cfa73 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4cfa73) + #2 0x4cfc61 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4cfc61) + #3 0x4d8922 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4d8922) + #4 0x42dbab in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x42dbab) + #5 0x4259fb in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4259fb) + #6 0x4bfd1a in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfd1a) + #7 0x5c181a in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7 + #8 0x5c1c76 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8 + #9 0x58e01c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9 + #10 0x58ea90 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7 + #11 0x5f2f84 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9 + #12 0x5f2d62 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7 + #13 0x5f2bab in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8 + #14 0x5eff59 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9 + #15 0x5eefa9 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8 + #16 0x51f08f in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11637:9 + #17 0x4f0f81 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #18 0x7f62fdcf0730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #19 0x4213f8 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4213f8) + +checking free space cache +checking fs roots +checking csums +checking root refs +checking quota groups +ERROR: while mapping refs: -5 +checking extentsErrors found in extent allocation tree or chunk allocationfound 3472328296227696688 bytes used err is 0 +total csum bytes: 0 +total tree bytes: 16384 +total fs tree bytes: 4096 +total extent tree bytes: 0 +btree space waste bytes: 12674 +file data blocks allocated: 3472328296227680304 + referenced 3472328296227680304 +extent_io.c:580: free_extent_buffer: Assertion `eb->refs < 0` failed. +../btrfs[0x47a4a3] +../btrfs[0x47a550] +../btrfs(free_extent_buffer+0x6e)[0x47b73c] +../btrfs(btrfs_release_all_roots+0x8c)[0x461cdf] +../btrfs(close_ctree_fs_info+0x1f3)[0x46391a] +../btrfs[0x424043] +../btrfs(cmd_check+0xe1a)[0x43f352] +../btrfs(main+0x12b)[0x40b581] +/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f970daf3291] +../btrfs(_start+0x2a)[0x40afba] diff --git a/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.xz b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.xz new file mode 100644 index 00000000..68f7ffd4 Binary files /dev/null and b/tests/fuzz-tests/images/bko-169301-2-blocksize-zero.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-172811.raw.txt b/tests/fuzz-tests/images/bko-172811.raw.txt new file mode 100644 index 00000000..bbdf99b5 --- /dev/null +++ b/tests/fuzz-tests/images/bko-172811.raw.txt @@ -0,0 +1,55 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=172811 +Lukas Lueg 2016-09-23 18:34:15 UTC + +More news from the fuzzer. The attached image causes a segmentation fault when +running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507 + +This may be the same cause as 156721, the call-tree is different, though. + +The juicy parts: + +==19342==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e5 (pc 0x7f3b12e1df50 bp 0x7ffeb50b4260 sp 0x7ffeb50b39e8 T0) + #0 0x7f3b12e1df4f in __memmove_avx_unaligned (/lib64/libc.so.6+0x149f4f) + #1 0x4a982c in __asan_memcpy (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4a982c) + #2 0x5c2d59 in read_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:867:2 + #3 0x52eaa6 in btrfs_node_key /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1667:2 + #4 0x5436c7 in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3661:3 + #5 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10 + #6 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8 + #7 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #8 0x7f3b12cf4730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #9 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +parent transid verify failed on 4198400 wanted 65305493131755520 found 14 +parent transid verify failed on 4198400 wanted 65305493131755520 found 14 +Ignoring transid failure +ERROR: add_tree_backref failed: File exists +ERROR: add_tree_backref failed: File exists +parent transid verify failed on 131072 wanted 36283884678912 found 4 +parent transid verify failed on 131072 wanted 36283884678912 found 4 +Ignoring transid failure +ERROR: tree block bytenr 1280 is not aligned to sectorsize 4096 +checking free space cache +checking fs roots +root 5 root dir 41471 not found +parent transid verify failed on 4198400 wanted 4 found 14 +Ignoring transid failure +parent transid verify failed on 131072 wanted 36283884678912 found 4 +Ignoring transid failure +ASAN:DEADLYSIGNAL +================================================================= +==19342==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e5 (pc 0x7f3b12e1df50 bp 0x7ffeb50b4260 sp 0x7ffeb50b39e8 T0) + #0 0x7f3b12e1df4f in __memmove_avx_unaligned (/lib64/libc.so.6+0x149f4f) + #1 0x4a982c in __asan_memcpy (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4a982c) + #2 0x5c2d59 in read_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:867:2 + #3 0x52eaa6 in btrfs_node_key /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1667:2 + #4 0x5436c7 in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3661:3 + #5 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10 + #6 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8 + #7 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #8 0x7f3b12cf4730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #9 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV (/lib64/libc.so.6+0x149f4f) in __memmove_avx_unaligned +==19342==ABORTING diff --git a/tests/fuzz-tests/images/bko-172811.raw.xz b/tests/fuzz-tests/images/bko-172811.raw.xz new file mode 100644 index 00000000..08546c2b Binary files /dev/null and b/tests/fuzz-tests/images/bko-172811.raw.xz differ diff --git a/tests/fuzz-tests/images/bko-172861.raw.txt b/tests/fuzz-tests/images/bko-172861.raw.txt new file mode 100644 index 00000000..f395333f --- /dev/null +++ b/tests/fuzz-tests/images/bko-172861.raw.txt @@ -0,0 +1,68 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=172861 +Lukas Lueg 2016-09-24 15:40:54 UTC + +More news from the fuzzer. The attached image causes a segmentation fault when +running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507 + +The juicy parts: + +==12279==ERROR: AddressSanitizer: SEGV on unknown address 0x6210010719f9 (pc 0x0000005f30bd bp 0x7ffcf39cc670 sp 0x7ffcf39cc670 T0) + #0 0x5f30bc in btrfs_file_extent_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1 + #1 0x5f2f49 in add_refs_for_leaf_items /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:664:17 + #2 0x5f2ba9 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:704:9 + #3 0x5f2c0a in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:719:9 + #4 0x5f299b in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8 + #5 0x5efd39 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9 + #6 0x5eed89 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8 + #7 0x51ea14 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9 + #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #9 0x7f811e227730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +Extent back ref already exists for 0 parent 0 root 0 +Extent back ref already exists for 0 parent 0 root 0 +Extent back ref already exists for 0 parent 0 root 0 +Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group +Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent +Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group +Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent +Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group +Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent +Chunk[256, 228, 7471104]: length(9306112), offset(7471104), type(5) is not found in block group +Chunk[256, 228, 7471104] stripe[1, 7471104] is not found in dev extent +ref mismatch on [0 4096] extent item 0, found 4 +Backref 0 parent 0 root 0 not found in extent tree +Incorrect global backref count on 0 found 1 wanted 4 +backpointer mismatch on [0 4096] +bad extent [0, 4096), type mismatch with chunk +ref mismatch on [135168 4096] extent item 0, found 1 +Backref 135168 parent 3 root 3 not found in extent tree +backpointer mismatch on [135168 4096] +ref mismatch on [4202496 4096] extent item 0, found 1 +Backref 4202496 parent 1 root 1 not found in extent tree +backpointer mismatch on [4202496 4096] +Dev extent's total-byte(0) is not equal to byte-used(16777216) in dev[1, 216, 1] +checking free space cache +checking fs roots +root 5 root dir 0 not found +checking csums +checking root refs +checking quota groups +ASAN:DEADLYSIGNAL +================================================================= +==12279==ERROR: AddressSanitizer: SEGV on unknown address 0x6210010719f9 (pc 0x0000005f30bd bp 0x7ffcf39cc670 sp 0x7ffcf39cc670 T0) + #0 0x5f30bc in btrfs_file_extent_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1 + #1 0x5f2f49 in add_refs_for_leaf_items /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:664:17 + #2 0x5f2ba9 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:704:9 + #3 0x5f2c0a in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:719:9 + #4 0x5f299b in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8 + #5 0x5efd39 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9 + #6 0x5eed89 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8 + #7 0x51ea14 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9 + #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #9 0x7f811e227730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358) + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1 in btrfs_file_extent_type +==12279==ABORTING diff --git a/tests/fuzz-tests/images/bko-172861.raw.xz b/tests/fuzz-tests/images/bko-172861.raw.xz new file mode 100644 index 00000000..c57661d9 Binary files /dev/null and b/tests/fuzz-tests/images/bko-172861.raw.xz differ