Bug 199915 - NULL pointer dereference in xfs_bmap_extents_to_btree() when mounting and operating a crafted image
Summary: NULL pointer dereference in xfs_bmap_extents_to_btree() when mounting and ope...
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: XFS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: FileSystem/XFS Default Virtual Assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-03 22:14 UTC by Wen Xu
Modified: 2019-01-10 23:06 UTC (History)
2 users (show)

See Also:
Kernel Version: 4.17
Tree: Mainline
Regression: No


Attachments
The (compressed) crafted image which causes crash (49.51 KB, application/zip)
2018-06-03 22:14 UTC, Wen Xu
Details
poc.c (3.18 KB, text/plain)
2018-06-03 22:15 UTC, Wen Xu
Details
Proposed patch (476 bytes, patch)
2018-06-03 22:15 UTC, Wen Xu
Details | Diff
kernel config (kasan enabled) (127.84 KB, text/x-mpsub)
2018-06-03 22:15 UTC, Wen Xu
Details

Description Wen Xu 2018-06-03 22:14:41 UTC
Created attachment 276307 [details]
The (compressed) crafted image which causes crash

- Overview
NULL pointer dereference in xfs_bmap_extents_to_btree() when mounting and operating a crafted image

- Reproduce (for-next branch of xfs-linux, 4.17-rc4)
# mkdir mnt
# mount -t xfs 20.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Kernel message
[15550.146629] BUG: unable to handle kernel NULL pointer dereference at 0000000000000168
[15550.148251] PGD 80000001f0183067 P4D 80000001f0183067 PUD 1ee9bf067 PMD 0
[15550.149654] Oops: 0002 [#1] SMP KASAN PTI
[15550.150482] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl crct10dif_pclmul crc32_pclmul drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm aes_x86_64 drm crypto_simd cryptd glue_helper 8139cp floppy mii pata_acpi
[15550.176537] CPU: 0 PID: 1517 Comm: poc Tainted: G    B   W         4.17.0-rc4 #1
[15550.178003] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[15550.179858] RIP: 0010:xfs_bmap_extents_to_btree+0x3cb/0x940
[15550.180964] RSP: 0018:ffff8801e0c4ea48 EFLAGS: 00010282
[15550.182008] RAX: 0000000000000000 RBX: ffff8801ea748000 RCX: 0000000000000000
[15550.183406] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000090
[15550.184804] RBP: ffff8801e0c4ec58 R08: ffffed003ee03ebb R09: ffffed003ee03ebb
[15550.186308] R10: 0000000000000001 R11: ffffed003ee03eba R12: ffff8801e26f2b40
[15550.187700] R13: 0000000000000000 R14: ffff8801e0c4ec30 R15: ffff8801e5a99100
[15550.189094] FS:  00007fa3a04ae700(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000
[15550.190684] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[15550.191812] CR2: 0000000000000168 CR3: 00000001e507a000 CR4: 00000000000006f0
[15550.193215] Call Trace:
[15550.193723]  ? xfs_bmse_can_merge+0xb0/0xb0
[15550.194556]  ? krealloc+0x8b/0xd0
[15550.195225]  ? __kasan_slab_free+0x151/0x1a0
[15550.196076]  ? krealloc+0x8b/0xd0
[15550.196745]  ? kasan_slab_free+0xe/0x10
[15550.197523]  ? kfree+0x8c/0x1c0
[15550.198163]  xfs_bmap_add_extent_hole_real+0xbea/0xd80
[15550.199186]  ? xfs_bmap_add_extent_hole_delay+0x5e0/0x5e0
[15550.200261]  ? xfs_bmap_adjacent+0x7c0/0x7c0
[15550.201116]  ? is_bpf_text_address+0xe/0x20
[15550.201963]  ? xfs_bmap_add_extent_unwritten_real+0x1820/0x1820
[15550.203138]  xfs_bmapi_write+0xcb9/0x1190
[15550.203945]  ? __kprobes_text_end+0x327d0/0x327d0
[15550.204884]  ? xfs_bmapi_read+0x620/0x620
[15550.205701]  ? is_bpf_text_address+0xe/0x20
[15550.206537]  ? kernel_text_address+0xd6/0xf0
[15550.207389]  ? __kernel_text_address+0x12/0x40
[15550.208274]  ? xfs_iext_get_extent+0x27/0x190
[15550.209145]  ? kmem_alloc+0x91/0x120
[15550.209872]  xfs_da_grow_inode_int+0x3c4/0x5d0
[15550.210759]  ? xfs_default_hashname+0x40/0x40
[15550.211628]  ? unwind_next_frame.part.5+0x34f/0x490
[15550.212596]  ? unwind_dump+0x290/0x290
[15550.213359]  xfs_dir2_grow_inode+0x120/0x2d0
[15550.214212]  ? xfs_dir_cilookup_result+0xc0/0xc0
[15550.215133]  ? kvfree+0x3f/0x50
[15550.215767]  ? xfs_idata_realloc+0xd2/0x160
[15550.216601]  xfs_dir2_sf_to_block+0x1b6/0xc30
[15550.217483]  ? save_stack+0xb5/0xd0
[15550.218185]  ? save_stack+0x46/0xd0
[15550.218887]  ? kasan_kmalloc+0xad/0xe0
[15550.219640]  ? __kmalloc+0x11f/0x240
[15550.220355]  ? kmem_alloc+0x91/0x120
[15550.221074]  ? xfs_dir_createname+0x169/0x430
[15550.221952]  ? xfs_rename+0xc00/0xee0
[15550.222687]  ? xfs_vn_rename+0x1d5/0x2a0
[15550.223469]  ? vfs_rename+0xaa5/0xde0
[15550.224203]  ? do_renameat2+0x7d2/0x860
[15550.224971]  ? xfs_dir2_leaf_to_block+0x730/0x730
[15550.225917]  ? xfs_trans_ijoin+0x6f/0x80
[15550.226704]  ? xfs_rename+0x6d0/0xee0
[15550.227438]  ? xfs_vn_rename+0x1d5/0x2a0
[15550.228222]  ? vfs_rename+0xaa5/0xde0
[15550.228955]  ? do_renameat2+0x7d2/0x860
[15550.229730]  ? __x64_sys_rename+0x3b/0x50
[15550.230532]  ? do_syscall_64+0x78/0x170
[15550.231301]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[15550.232338]  ? kasan_unpoison_shadow+0x36/0x50
[15550.233233]  ? kasan_kmalloc+0xad/0xe0
[15550.233986]  ? kasan_check_read+0x11/0x20
[15550.234788]  ? xlog_space_left+0x7f/0x130
[15550.235589]  ? xfs_ialloc_cluster_alignment+0x1c/0xb0
[15550.236609]  ? xfs_ialloc_agino_range+0xb0/0xc0
[15550.237539]  ? kasan_unpoison_shadow+0x36/0x50
[15550.238423]  xfs_dir2_sf_addname+0x18d/0xa00
[15550.239275]  ? __kmalloc+0x11f/0x240
[15550.239991]  ? kmem_alloc+0x91/0x120
[15550.240710]  ? xfs_ascii_ci_hashname+0x65/0xa0
[15550.241605]  xfs_dir_createname+0x3da/0x430
[15550.242448]  ? xfs_dir2_isleaf+0x120/0x120
[15550.243269]  ? memset+0x31/0x40
[15550.243906]  xfs_rename+0xc00/0xee0
[15550.244611]  ? xfs_remove+0x590/0x590
[15550.245362]  ? kasan_unpoison_shadow+0x36/0x50
[15550.246251]  ? kvfree+0x3f/0x50
[15550.246891]  ? __kasan_slab_free+0x151/0x1a0
[15550.247745]  ? kvfree+0x3f/0x50
[15550.248386]  ? apparmor_capable+0x167/0x270
[15550.249234]  ? map_id_up+0x14d/0x1f0
[15550.249956]  ? make_kprojid+0x20/0x20
[15550.250694]  ? get_cached_acl+0x9b/0x1e0
[15550.251481]  xfs_vn_rename+0x1d5/0x2a0
[15550.252240]  ? xfs_cleanup_inode+0xe0/0xe0
[15550.253061]  ? lockref_get+0xc2/0x140
[15550.253810]  ? blk_mq_debugfs_unregister_sched_hctx+0x50/0x50
[15550.254950]  ? generic_permission+0x102/0x1e0
[15550.255823]  ? _cond_resched+0x1a/0x50
[15550.256578]  ? down_write+0x41/0x50
[15550.257292]  vfs_rename+0xaa5/0xde0
[15550.257995]  ? memcg_kmem_put_cache+0x55/0xa0
[15550.258864]  ? __d_alloc+0x190/0x450
[15550.259583]  ? path_mountpoint+0x5b0/0x5b0
[15550.260401]  ? kasan_check_write+0x14/0x20
[15550.261234]  ? security_path_rename+0xcb/0x130
[15550.262121]  do_renameat2+0x7d2/0x860
[15550.262861]  ? user_path_create+0x40/0x40
[15550.263665]  ? up_write+0x16/0x40
[15550.264336]  ? kasan_check_write+0x14/0x20
[15550.265157]  ? lockref_put_return+0xd0/0x140
[15550.266023]  ? lockref_get_or_lock+0x160/0x160
[15550.266909]  ? kasan_check_read+0x11/0x20
[15550.267714]  ? mntput_no_expire+0x35/0x280
[15550.268534]  ? mntput+0x36/0x50
[15550.269171]  ? __fput+0x28d/0x380
[15550.269850]  ? task_work_run+0x4d/0xf0
[15550.270604]  ? mem_cgroup_handle_over_high+0x21/0xe0
[15550.271592]  __x64_sys_rename+0x3b/0x50
[15550.272365]  do_syscall_64+0x78/0x170
[15550.273102]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[15550.274116] RIP: 0033:0x7fa39ff34367
[15550.274834] RSP: 002b:00007ffcb6984168 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
[15550.276320] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa39ff34367
[15550.284277] RDX: 000000000136f0a0 RSI: 000000000136f0a0 RDI: 000000000136f080
[15550.285691] RBP: 00007ffcb69842d0 R08: 0000000000000003 R09: 0000000000000000
[15550.287083] R10: 0000000000000640 R11: 0000000000000202 R12: 0000000000400c20
[15550.288474] R13: 00007ffcb69843d0 R14: 0000000000000000 R15: 0000000000000000
[15550.289880] Code: ff 4c 89 e6 31 c9 4c 89 ff e8 f2 68 01 00 48 8d b8 68 01 00 00 49 89 c5 48 89 85 18 fe ff ff e8 7c 5e d9 ff 49 8d bd 90 00 00 00 <49> c7 85 68 01 00 00 60 65 77 89 e8 d5 5d d9 ff 49 8b 85 90 00
[15550.293613] RIP: xfs_bmap_extents_to_btree+0x3cb/0x940 RSP: ffff8801e0c4ea48
[15550.294987] CR2: 0000000000000168
[15550.295823] ---[ end trace cbec73dde6ad2852 ]---

- Reason
https://elixir.bootlin.com/linux/latest/source/fs/xfs/libxfs/xfs_bmap.c#L754
abp can be NULL.

- Patch
See the attached patch.

Found by Wen Xu from SSLab, Gatech.
Comment 1 Wen Xu 2018-06-03 22:15:00 UTC
Created attachment 276309 [details]
poc.c
Comment 2 Wen Xu 2018-06-03 22:15:23 UTC
Created attachment 276311 [details]
Proposed patch
Comment 3 Wen Xu 2018-06-03 22:15:53 UTC
Created attachment 276313 [details]
kernel config (kasan enabled)
Comment 4 billodo 2019-01-10 23:06:34 UTC
Is this still an issue?

Note You need to log in before you can comment on or make changes to this bug.