Bug 200297

Summary: Kernel panic in hfsplus_lookup() when opening a file in a corrupted HFS+ filesystem
Product: File System
Reporter: Wen Xu (wen.xu)
Component: HFS/HFSPLUS
Assignee: fs_hfs (fs_hfs)
Status: NEW
Severity: normal
CC: wen.xu
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:
Attachments: The (compressed) crafted image which causes crash

Description Wen Xu 2018-06-27 04:00:18 UTC
Created attachment 276899: The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t hfsplus 0.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Walks <mountpoint>/foo/bar/baz on the crafted image. The open() is what
 * matters: its path walk runs hfsplus_lookup() on the corrupted catalog,
 * and the oops below fires there (see path_openat in the trace), so the
 * read() is never reached on a vulnerable kernel. */
static void activity(const char *mpoint)
{
  char *foo_bar_baz;
  static char buf[8192];

  if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0) {
    perror("asprintf");
    exit(1);
  }

  int fd = open(foo_bar_baz, O_RDONLY);
  if (fd >= 0) {
    /* Short read; the file contents are irrelevant to the crash. */
    read(fd, buf, 11);
    close(fd);
  } else {
    perror(foo_bar_baz);
  }
  free(foo_bar_baz);
}

int main(int argc, char *argv[])
{
  if (argc != 2) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}

- Kernel message
[  209.243197] hfsplus: Filesystem is marked locked, mounting read-only.
[  211.173471] BUG: unable to handle kernel paging request at ffffffffffffffc0
[  211.175011] PGD 1702a067 P4D 1702a067 PUD 1702c067 PMD 0
[  211.176146] Oops: 0000 [#1] SMP KASAN PTI
[  211.176995] CPU: 0 PID: 1411 Comm: a.out Not tainted 4.18.0-rc1+ #6
[  211.178287] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  211.180281] RIP: 0010:hfsplus_lookup+0x283/0x4e0
[  211.181248] Code: 44 8b bb 6c fd ff ff e8 bb c9 de ff 4d 8b b4 24 08 04 00 00 49 8d 7e 48 e8 aa c9 de ff 4d 8b 76 48 49 8d 7e c0 e8 9d c8 de ff <45> 3b 7e c0 74 4d 48 8b bd 40 fc ff ff e8 8b c9 de ff 49 8b 54 24
[  211.185082] RSP: 0018:ffff8801dd8376b0 EFLAGS: 00010246
[  211.186472] RAX: 0000000000000000 RBX: ffff8801dd837a58 RCX: ffffffffad5b0e33
[  211.187926] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffffffffc0
[  211.189399] RBP: ffff8801dd837a80 R08: ffffed003bb06f16 R09: ffffed003bb06f16
[  211.190845] R10: 0000000000000001 R11: ffffed003bb06f15 R12: ffff8801e3169980
[  211.192290] R13: ffff8801ea365700 R14: 0000000000000000 R15: 00000000c23b58d7
[  211.193752] FS:  00007f9bc79c3700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  211.195394] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  211.196570] CR2: ffffffffffffffc0 CR3: 00000001f1306000 CR4: 00000000000006f0
[  211.198035] Call Trace:
[  211.198564]  ? hfsplus_link+0x450/0x450
[  211.199394]  ? kasan_kmalloc+0xad/0xe0
[  211.200189]  ? d_alloc_parallel+0x5bb/0x8c0
[  211.201064]  ? __d_lookup_rcu+0x2e0/0x2e0
[  211.201896]  ? lookup_fast+0x32f/0x580
[  211.202701]  ? apparmor_capget+0x3d0/0x3d0
[  211.203544]  ? __d_lookup+0x49/0x250
[  211.204290]  ? __nd_alloc_stack+0xa0/0xa0
[  211.205133]  ? hfsplus_link+0x450/0x450
[  211.205930]  path_openat+0x1c90/0x2160
[  211.206710]  ? vfs_unlink+0x250/0x250
[  211.207474]  ? save_stack+0x46/0xd0
[  211.208201]  ? kasan_slab_alloc+0x11/0x20
[  211.209061]  ? kmem_cache_alloc+0xd1/0x1e0
[  211.209908]  ? getname_flags+0x76/0x2c0
[  211.210701]  ? getname+0x12/0x20
[  211.211378]  ? do_sys_open+0x14b/0x2c0
[  211.212155]  ? __x64_sys_open+0x4c/0x60
[  211.212968]  ? do_syscall_64+0x78/0x170
[  211.213805]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  211.214891]  ? add_to_page_cache_lru+0x190/0x190
[  211.215842]  ? __lru_cache_add+0xaf/0xd0
[  211.216662]  ? __handle_mm_fault+0x121a/0x19b0
[  211.217592]  do_filp_open+0x12b/0x1d0
[  211.218354]  ? may_open_dev+0x50/0x50
[  211.219117]  ? kasan_kmalloc+0xad/0xe0
[  211.219899]  do_sys_open+0x17c/0x2c0
[  211.220646]  ? do_sys_open+0x17c/0x2c0
[  211.221435]  ? filp_open+0x60/0x60
[  211.222152]  ? vm_brk+0x20/0x20
[  211.222809]  __x64_sys_open+0x4c/0x60
[  211.223571]  do_syscall_64+0x78/0x170
[  211.224335]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  211.225406] RIP: 0033:0x7f9bc74d5040
[  211.226143] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24
[  211.229948] RSP: 002b:00007ffeafe701d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[  211.231471] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bc74d5040
[  211.232910] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001aed080
[  211.234357] RBP: 00007ffeafe70210 R08: 0000000001aed010 R09: 0000000000000000
[  211.235791] R10: 000000000000069d R11: 0000000000000246 R12: 00000000004005c0
[  211.237232] R13: 00007ffeafe70310 R14: 0000000000000000 R15: 0000000000000000
[  211.238675] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  211.248420] CR2: ffffffffffffffc0
[  211.249131] ---[ end trace 7f5a46c7478f1295 ]---
[  211.250078] RIP: 0010:hfsplus_lookup+0x283/0x4e0
[  211.251014] Code: 44 8b bb 6c fd ff ff e8 bb c9 de ff 4d 8b b4 24 08 04 00 00 49 8d 7e 48 e8 aa c9 de ff 4d 8b 76 48 49 8d 7e c0 e8 9d c8 de ff <45> 3b 7e c0 74 4d 48 8b bd 40 fc ff ff e8 8b c9 de ff 49 8b 54 24
[  211.254810] RSP: 0018:ffff8801dd8376b0 EFLAGS: 00010246
[  211.255864] RAX: 0000000000000000 RBX: ffff8801dd837a58 RCX: ffffffffad5b0e33
[  211.257301] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffffffffc0
[  211.258726] RBP: ffff8801dd837a80 R08: ffffed003bb06f16 R09: ffffed003bb06f16
[  211.260152] R10: 0000000000000001 R11: ffffed003bb06f15 R12: ffff8801e3169980
[  211.261589] R13: ffff8801ea365700 R14: 0000000000000000 R15: 00000000c23b58d7
[  211.263016] FS:  00007f9bc79c3700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  211.264633] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  211.267120] CR2: ffffffffffffffc0 CR3: 00000001f1306000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/dir.c#L81
				(entry.file.create_date ==
					HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
						create_date ||
Here `HFSPLUS_SB(sb)->hidden_dir` is NULL (perhaps not properly initialized)

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
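An added example, not code from the report or from the kernel: a userspace model of the hardlink check at the location above, showing why a NULL `hidden_dir` lands on exactly the fault address in the oops and what a guarded form of the condition looks like. The struct layout is assumed, chosen so that `create_date` sits 0x40 bytes before the embedded `vfs_inode` (matching `lea rdi,[r14-0x40]` in the oops, where R14 holds the `hidden_dir` just loaded and is 0); the `HARDLINK_TYPE`/`HFSPLUS_CREATOR` values are the ASCII tags 'hlnk' and 'hfs+'; the catalog record is a constructed subset; the function names are mine; and the kernel's real condition has further clauses that are not modelled. Which form the project's eventual fix took is not something this page states.

```c
/*
 * Added example (not kernel code): userspace model of the hardlink check
 * in hfsplus_lookup(), fs/hfsplus/dir.c. Layout is a stand-in chosen so
 * create_date is 0x40 bytes before vfs_inode, as the oops' lea suggests.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t be32;

struct inode { uint64_t i_ino; };              /* stand-in for struct inode */

struct hfsplus_inode_info {                    /* assumed layout, see above */
	be32 create_date;
	uint8_t pad[0x40 - sizeof(be32)];
	struct inode vfs_inode;
};

struct hfsplus_sb_info { struct inode *hidden_dir; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define HFSPLUS_I(inode) container_of(inode, struct hfsplus_inode_info, vfs_inode)

/* ASCII 'hlnk' and 'hfs+': the fdType/fdCreator pair that marks a hardlink. */
#define HARDLINK_TYPE   0x686c6e6bu
#define HFSPLUS_CREATOR 0x6866732bu

/* Constructed subset of the catalog file record fields the check reads. */
struct cat_file { be32 fdType, fdCreator, create_date; };

/* The address HFSPLUS_I(hidden_dir)->create_date resolves to, done as
 * integer arithmetic so a NULL hidden_dir is computed, not dereferenced.
 * For NULL this is (uintptr_t)-0x40, i.e. 0xffffffffffffffc0, the CR2
 * value in the report. */
uintptr_t create_date_addr(const struct inode *hidden_dir)
{
	uintptr_t base = (uintptr_t)hidden_dir
	               - offsetof(struct hfsplus_inode_info, vfs_inode);
	return base + offsetof(struct hfsplus_inode_info, create_date);
}

/* The crashing shape: hidden_dir is dereferenced before anything asks
 * whether it exists. Must not be called with sbi->hidden_dir == NULL. */
bool is_hardlink_unguarded(const struct hfsplus_sb_info *sbi,
                           const struct cat_file *f)
{
	return f->fdType == HARDLINK_TYPE &&
	       f->fdCreator == HFSPLUS_CREATOR &&
	       f->create_date == HFSPLUS_I(sbi->hidden_dir)->create_date;
}

/* Guarded shape: the NULL test is the first clause, so && short-circuits
 * before HFSPLUS_I() is applied. A volume whose private-data directory
 * was never found simply has no hardlinks. */
bool is_hardlink_guarded(const struct hfsplus_sb_info *sbi,
                         const struct cat_file *f)
{
	return sbi->hidden_dir != NULL &&
	       f->fdType == HARDLINK_TYPE &&
	       f->fdCreator == HFSPLUS_CREATOR &&
	       f->create_date == HFSPLUS_I(sbi->hidden_dir)->create_date;
}

int main(void)
{
	/* Constructed values; 0xc23b58d7 is what R15 held at the faulting cmp. */
	struct hfsplus_inode_info hidden = { .create_date = 0xc23b58d7u };
	struct cat_file rec = { HARDLINK_TYPE, HFSPLUS_CREATOR, 0xc23b58d7u };
	struct hfsplus_sb_info ok = { .hidden_dir = &hidden.vfs_inode };
	struct hfsplus_sb_info broken = { .hidden_dir = NULL };

	printf("NULL hidden_dir -> create_date read at %#lx\n",
	       (unsigned long)create_date_addr(NULL));
	printf("guarded, hidden_dir present: %d\n", is_hardlink_guarded(&ok, &rec));
	printf("guarded, hidden_dir NULL:    %d\n", is_hardlink_guarded(&broken, &rec));
	/* is_hardlink_unguarded(&broken, &rec) is the kernel's crash. */
	return 0;
}
```

The container_of arithmetic is the whole story: HFSPLUS_I(NULL) is NULL minus the offset of `vfs_inode`, so the first field read lands at a small negative address, which is why CR2 shows 0xffffffffffffffc0 rather than 0. When adding the guard, it has to be the first clause of the `&&` chain; a `hidden_dir` test placed after the dereference is evaluated too late.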