Created attachment 276307
The (compressed) crafted image which causes crash

- Overview

NULL pointer dereference in xfs_bmap_extents_to_btree() when mounting and operating a crafted image

- Reproduce (for-next branch of xfs-linux, 4.17-rc4)

# mkdir mnt
# mount -t xfs 20.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Kernel message

[15550.146629] BUG: unable to handle kernel NULL pointer dereference at 0000000000000168
[15550.148251] PGD 80000001f0183067 P4D 80000001f0183067 PUD 1ee9bf067 PMD 0
[15550.149654] Oops: 0002 [#1] SMP KASAN PTI
[15550.150482] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl crct10dif_pclmul crc32_pclmul drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm aes_x86_64 drm crypto_simd cryptd glue_helper 8139cp floppy mii pata_acpi
[15550.176537] CPU: 0 PID: 1517 Comm: poc Tainted: G B W 4.17.0-rc4 #1
[15550.178003] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[15550.179858] RIP: 0010:xfs_bmap_extents_to_btree+0x3cb/0x940
[15550.180964] RSP: 0018:ffff8801e0c4ea48 EFLAGS: 00010282
[15550.182008] RAX: 0000000000000000 RBX: ffff8801ea748000 RCX: 0000000000000000
[15550.183406] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000090
[15550.184804] RBP: ffff8801e0c4ec58 R08: ffffed003ee03ebb R09: ffffed003ee03ebb
[15550.186308] R10: 0000000000000001 R11: ffffed003ee03eba R12: ffff8801e26f2b40
[15550.187700] R13: 0000000000000000 R14: ffff8801e0c4ec30 R15: ffff8801e5a99100
[15550.189094] FS: 00007fa3a04ae700(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000
[15550.190684] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[15550.191812] CR2: 0000000000000168 CR3: 00000001e507a000 CR4: 00000000000006f0
[15550.193215] Call Trace:
[15550.193723] ? xfs_bmse_can_merge+0xb0/0xb0
[15550.194556] ? krealloc+0x8b/0xd0
[15550.195225] ? __kasan_slab_free+0x151/0x1a0
[15550.196076] ? krealloc+0x8b/0xd0
[15550.196745] ? kasan_slab_free+0xe/0x10
[15550.197523] ? kfree+0x8c/0x1c0
[15550.198163] xfs_bmap_add_extent_hole_real+0xbea/0xd80
[15550.199186] ? xfs_bmap_add_extent_hole_delay+0x5e0/0x5e0
[15550.200261] ? xfs_bmap_adjacent+0x7c0/0x7c0
[15550.201116] ? is_bpf_text_address+0xe/0x20
[15550.201963] ? xfs_bmap_add_extent_unwritten_real+0x1820/0x1820
[15550.203138] xfs_bmapi_write+0xcb9/0x1190
[15550.203945] ? __kprobes_text_end+0x327d0/0x327d0
[15550.204884] ? xfs_bmapi_read+0x620/0x620
[15550.205701] ? is_bpf_text_address+0xe/0x20
[15550.206537] ? kernel_text_address+0xd6/0xf0
[15550.207389] ? __kernel_text_address+0x12/0x40
[15550.208274] ? xfs_iext_get_extent+0x27/0x190
[15550.209145] ? kmem_alloc+0x91/0x120
[15550.209872] xfs_da_grow_inode_int+0x3c4/0x5d0
[15550.210759] ? xfs_default_hashname+0x40/0x40
[15550.211628] ? unwind_next_frame.part.5+0x34f/0x490
[15550.212596] ? unwind_dump+0x290/0x290
[15550.213359] xfs_dir2_grow_inode+0x120/0x2d0
[15550.214212] ? xfs_dir_cilookup_result+0xc0/0xc0
[15550.215133] ? kvfree+0x3f/0x50
[15550.215767] ? xfs_idata_realloc+0xd2/0x160
[15550.216601] xfs_dir2_sf_to_block+0x1b6/0xc30
[15550.217483] ? save_stack+0xb5/0xd0
[15550.218185] ? save_stack+0x46/0xd0
[15550.218887] ? kasan_kmalloc+0xad/0xe0
[15550.219640] ? __kmalloc+0x11f/0x240
[15550.220355] ? kmem_alloc+0x91/0x120
[15550.221074] ? xfs_dir_createname+0x169/0x430
[15550.221952] ? xfs_rename+0xc00/0xee0
[15550.222687] ? xfs_vn_rename+0x1d5/0x2a0
[15550.223469] ? vfs_rename+0xaa5/0xde0
[15550.224203] ? do_renameat2+0x7d2/0x860
[15550.224971] ? xfs_dir2_leaf_to_block+0x730/0x730
[15550.225917] ? xfs_trans_ijoin+0x6f/0x80
[15550.226704] ? xfs_rename+0x6d0/0xee0
[15550.227438] ? xfs_vn_rename+0x1d5/0x2a0
[15550.228222] ? vfs_rename+0xaa5/0xde0
[15550.228955] ? do_renameat2+0x7d2/0x860
[15550.229730] ? __x64_sys_rename+0x3b/0x50
[15550.230532] ? do_syscall_64+0x78/0x170
[15550.231301] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[15550.232338] ? kasan_unpoison_shadow+0x36/0x50
[15550.233233] ? kasan_kmalloc+0xad/0xe0
[15550.233986] ? kasan_check_read+0x11/0x20
[15550.234788] ? xlog_space_left+0x7f/0x130
[15550.235589] ? xfs_ialloc_cluster_alignment+0x1c/0xb0
[15550.236609] ? xfs_ialloc_agino_range+0xb0/0xc0
[15550.237539] ? kasan_unpoison_shadow+0x36/0x50
[15550.238423] xfs_dir2_sf_addname+0x18d/0xa00
[15550.239275] ? __kmalloc+0x11f/0x240
[15550.239991] ? kmem_alloc+0x91/0x120
[15550.240710] ? xfs_ascii_ci_hashname+0x65/0xa0
[15550.241605] xfs_dir_createname+0x3da/0x430
[15550.242448] ? xfs_dir2_isleaf+0x120/0x120
[15550.243269] ? memset+0x31/0x40
[15550.243906] xfs_rename+0xc00/0xee0
[15550.244611] ? xfs_remove+0x590/0x590
[15550.245362] ? kasan_unpoison_shadow+0x36/0x50
[15550.246251] ? kvfree+0x3f/0x50
[15550.246891] ? __kasan_slab_free+0x151/0x1a0
[15550.247745] ? kvfree+0x3f/0x50
[15550.248386] ? apparmor_capable+0x167/0x270
[15550.249234] ? map_id_up+0x14d/0x1f0
[15550.249956] ? make_kprojid+0x20/0x20
[15550.250694] ? get_cached_acl+0x9b/0x1e0
[15550.251481] xfs_vn_rename+0x1d5/0x2a0
[15550.252240] ? xfs_cleanup_inode+0xe0/0xe0
[15550.253061] ? lockref_get+0xc2/0x140
[15550.253810] ? blk_mq_debugfs_unregister_sched_hctx+0x50/0x50
[15550.254950] ? generic_permission+0x102/0x1e0
[15550.255823] ? _cond_resched+0x1a/0x50
[15550.256578] ? down_write+0x41/0x50
[15550.257292] vfs_rename+0xaa5/0xde0
[15550.257995] ? memcg_kmem_put_cache+0x55/0xa0
[15550.258864] ? __d_alloc+0x190/0x450
[15550.259583] ? path_mountpoint+0x5b0/0x5b0
[15550.260401] ? kasan_check_write+0x14/0x20
[15550.261234] ? security_path_rename+0xcb/0x130
[15550.262121] do_renameat2+0x7d2/0x860
[15550.262861] ? user_path_create+0x40/0x40
[15550.263665] ? up_write+0x16/0x40
[15550.264336] ? kasan_check_write+0x14/0x20
[15550.265157] ? lockref_put_return+0xd0/0x140
[15550.266023] ? lockref_get_or_lock+0x160/0x160
[15550.266909] ? kasan_check_read+0x11/0x20
[15550.267714] ? mntput_no_expire+0x35/0x280
[15550.268534] ? mntput+0x36/0x50
[15550.269171] ? __fput+0x28d/0x380
[15550.269850] ? task_work_run+0x4d/0xf0
[15550.270604] ? mem_cgroup_handle_over_high+0x21/0xe0
[15550.271592] __x64_sys_rename+0x3b/0x50
[15550.272365] do_syscall_64+0x78/0x170
[15550.273102] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[15550.274116] RIP: 0033:0x7fa39ff34367
[15550.274834] RSP: 002b:00007ffcb6984168 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
[15550.276320] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa39ff34367
[15550.284277] RDX: 000000000136f0a0 RSI: 000000000136f0a0 RDI: 000000000136f080
[15550.285691] RBP: 00007ffcb69842d0 R08: 0000000000000003 R09: 0000000000000000
[15550.287083] R10: 0000000000000640 R11: 0000000000000202 R12: 0000000000400c20
[15550.288474] R13: 00007ffcb69843d0 R14: 0000000000000000 R15: 0000000000000000
[15550.289880] Code: ff 4c 89 e6 31 c9 4c 89 ff e8 f2 68 01 00 48 8d b8 68 01 00 00 49 89 c5 48 89 85 18 fe ff ff e8 7c 5e d9 ff 49 8d bd 90 00 00 00 <49> c7 85 68 01 00 00 60 65 77 89 e8 d5 5d d9 ff 49 8b 85 90 00
[15550.293613] RIP: xfs_bmap_extents_to_btree+0x3cb/0x940 RSP: ffff8801e0c4ea48
[15550.294987] CR2: 0000000000000168
[15550.295823] ---[ end trace cbec73dde6ad2852 ]---

- Reason

https://elixir.bootlin.com/linux/latest/source/fs/xfs/libxfs/xfs_bmap.c#L754
abp can be NULL.

- Patch

See the attached patch.

Found by Wen Xu from SSLab, Gatech.
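The failure the report describes, as an added example that is neither the XFS source nor the attached patch: a toy model of the allocation step in xfs_bmap_extents_to_btree() with the unchecked dereference beside a variant that refuses to proceed when the buffer getter returns NULL. All names ending in _model, the toy device size, and the error value returned are assumptions made for this example.

```c
/* Added illustration, not XFS code and not the attached patch: a toy
 * model of the allocation step in xfs_bmap_extents_to_btree().  In the
 * oops above R13 (abp) is 0 and the faulting store is to [r13+0x168],
 * a write through a NULL buffer pointer.  _model names are assumed. */
#include <stddef.h>
#include <stdint.h>

#define ENOSPC_MODEL 28  /* error value is this example's own choice */
#define EOFS_MODEL   8   /* toy device size in blocks */

struct buf_ops_model { const char *name; };
struct xfs_buf_model { uint64_t blkno; const struct buf_ops_model *b_ops; };
static const struct buf_ops_model bmbt_ops_model = { "xfs_bmbt" };
static struct xfs_buf_model cache_model[EOFS_MODEL];

/* Buffer getter: a block number past the end of the device cannot be
 * mapped to a buffer, so NULL comes back ("abp can be NULL"). */
static struct xfs_buf_model *get_bufl_model(uint64_t fsbno)
{
	if (fsbno >= EOFS_MODEL)
		return NULL;          /* e.g. a crafted on-disk block number */
	cache_model[fsbno].blkno = fsbno;
	return &cache_model[fsbno];
}

/* Before: the getter's result is dereferenced unconditionally; with a
 * bogus fsbno this is the NULL store seen in the report. */
int extents_to_btree_unchecked(uint64_t fsbno)
{
	struct xfs_buf_model *abp = get_bufl_model(fsbno);
	abp->b_ops = &bmbt_ops_model;
	return 0;
}

/* After: fail the operation when no buffer was obtained, so a corrupt
 * image produces an error for the caller instead of an oops. */
int extents_to_btree_checked(uint64_t fsbno)
{
	struct xfs_buf_model *abp = get_bufl_model(fsbno);
	if (!abp)
		return -ENOSPC_MODEL;
	abp->b_ops = &bmbt_ops_model;
	return 0;
}

/* Test helper: which ops, if any, were installed on block fsbno. */
const struct buf_ops_model *ops_of_model(uint64_t fsbno)
{
	return fsbno < EOFS_MODEL ? cache_model[fsbno].b_ops : NULL;
}
```

Only the checked variant is safe to call with an out-of-range block number; the unchecked one reproduces the write through NULL that the oops records.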
Created attachment 276309
poc.c
Created attachment 276311
Proposed patch
Created attachment 276313
kernel config (kasan enabled)
Is this still an issue?