2006-10-27 15:14:48

by Eric Sesterhenn

[permalink] [raw]
Subject: EXT3 fuzzing

hi,

after fsfuzz
(http://www.securityfocus.com/archive/1/449568/30/0/threaded) was
released i decided to give it a spin. So far I got two problematic
images:

http://www.cobra-basket.de/ext3_ls_prozzy_hog.img.bz2
which makes the kernel use as much cpu as it can get

http://www.cobra-basket.de/ext3_memhog.img.bz2
eats all memory it can get

I enabled jbd debugging for a while, and the traces looked
similar, but made not much sense to me. kmemleak
locked my box, so I was not able to get some debugging
info from there.
To test the images, just mount them, and do an ls
on the image.

Greetings, Eric

--
http://www.cobra-basket.de -- just my stuff


2006-10-27 15:26:24

by Eric Sandeen

[permalink] [raw]
Subject: Re: EXT3 fuzzing

Eric Sesterhenn / Snakebyte wrote:
> hi,
>
> after fsfuzz
> (http://www.securityfocus.com/archive/1/449568/30/0/threaded) was
> released i decided to give it a spin. So far I got two problematic
> images:
>
> http://www.cobra-basket.de/ext3_ls_prozzy_hog.img.bz2
> which makes the kernel use as much cpu as it can get
>
> http://www.cobra-basket.de/ext3_memhog.img.bz2
> eats all memory it can get
>
> I enabled jbd debugging for a while, and the traces looked
> similar, but made not much sense to me. kmemleak
> locked my box, so I was not able to get some debugging
> info from there.
> To test the images, just mount them, and do an ls
> on the image.

Hi Eric, I recently posted a patch to LKML ([PATCH] handle ext3 directory
corruption better) to handle the broken fuzz cases I found. You might try again
w/ that patch... I can also give your images a whirl. With the patch I
submitted, I had thousands of successful fsfuzz runs. The only snag I hit was
actually an fsfuzz bug; lost+found/ had been fuzzed so it looked like a pipe,
and the "cat" part of the test hung up - not really an ext3 bug.

Thanks,

-Eric

2006-10-27 16:44:17

by Eric Sandeen

[permalink] [raw]
Subject: Re: EXT3 fuzzing

Eric Sandeen wrote:
> Eric Sesterhenn / Snakebyte wrote:
>> hi,
>>
>> after fsfuzz
>> (http://www.securityfocus.com/archive/1/449568/30/0/threaded) was
>> released i decided to give it a spin. So far I got two problematic
>> images:
>>
>> http://www.cobra-basket.de/ext3_ls_prozzy_hog.img.bz2
>> which makes the kernel use as much cpu as it can get
>>
>> http://www.cobra-basket.de/ext3_memhog.img.bz2
>> eats all memory it can get

Works for me w/ that patch:

[[email protected] ~]# mount -o loop ext3_ls_prozzy_hog.img mnt/
[[email protected] ~]# ls mnt/
[[email protected] ~]# dmesg | tail -n 6
EXT3-fs: mounted filesystem with ordered data mode.
EXT3-fs error (device loop0): htree_dirblock_to_tree: bad entry in
directory #2: rec_len % 4 != 0 - offset=24, inode=11, rec_len=989,
name_len=10
Aborting journal on device loop0.
ext3_abort called.
EXT3-fs error (device loop0): ext3_journal_start_sb: Detected aborted
journal
Remounting filesystem read-only


[[email protected] ~]# mount -o loop ext3_memhog.img mnt/
[[email protected] ~]# ls mnt
[[email protected] ~]# dmesg | tail -n 6
EXT3-fs: mounted filesystem with ordered data mode.
EXT3-fs error (device loop0): htree_dirblock_to_tree: bad entry in
directory #2: rec_len is smaller than minimal - offset=0, inode=75,
rec_len=0, name_len=0
Aborting journal on device loop0.
ext3_abort called.
EXT3-fs error (device loop0): ext3_journal_start_sb: Detected aborted
journal
Remounting filesystem read-only

-Eric