Bug 200299 - Kernel panic because mount() hfsplus image does not always return correct value
Summary: Kernel panic because mount() hfsplus image does not always return correct value
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: HFS/HFSPLUS
Hardware: All Linux
Importance: P1 normal
Assignee: fs_hfs@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-27 04:05 UTC by Wen Xu
Modified: 2018-06-27 04:05 UTC
CC List: 1 user

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (4.00 MB, application/octet-stream)
2018-06-27 04:05 UTC, Wen Xu

Description Wen Xu 2018-06-27 04:05:40 UTC
Created attachment 276901
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t hfsplus 38.img mnt

- Kernel message
[  135.759739] ==================================================================
[  135.765254] BUG: KASAN: null-ptr-deref in mount_fs+0x78/0x1a0
[  135.766424] Read of size 8 at addr 0000000000000068 by task mount/1401

[  135.768106] CPU: 1 PID: 1401 Comm: mount Not tainted 4.18.0-rc1+ #6
[  135.768110] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  135.768116] Call Trace:
[  135.768154]  dump_stack+0x7b/0xb5
[  135.768169]  kasan_report+0x10c/0x390
[  135.768174]  ? mount_fs+0x78/0x1a0
[  135.768191]  __asan_load8+0x54/0x90
[  135.768195]  mount_fs+0x78/0x1a0
[  135.768207]  ? alloc_vfsmnt+0x309/0x360
[  135.768213]  vfs_kern_mount+0x6b/0x1a0
[  135.768218]  do_mount+0x34a/0x18c0
[  135.768244]  ? lockref_put_or_lock+0xcf/0x160
[  135.768251]  ? copy_mount_string+0x20/0x20
[  135.768262]  ? memcg_kmem_put_cache+0x1b/0xa0
[  135.768268]  ? kasan_check_write+0x14/0x20
[  135.768278]  ? _copy_from_user+0x6a/0x90
[  135.768295]  ? memdup_user+0x42/0x60
[  135.768300]  ksys_mount+0x83/0xd0
[  135.768306]  __x64_sys_mount+0x67/0x80
[  135.768330]  do_syscall_64+0x78/0x170
[  135.768347]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  135.768363] RIP: 0033:0x7fe65a36bb9a
[  135.768364] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[  135.768427] RSP: 002b:00007ffcfb9849e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  135.768437] RAX: ffffffffffffffda RBX: 000000000081e030 RCX: 00007fe65a36bb9a
[  135.768440] RDX: 000000000081e210 RSI: 000000000081ff30 RDI: 0000000000826ec0
[  135.768442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016
[  135.768445] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000000826ec0
[  135.768447] R13: 000000000081e210 R14: 0000000000000000 R15: 0000000000000003
[  135.768455] ==================================================================
[  135.769932] Disabling lock debugging due to kernel taint
[  135.770929] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
[  135.772552] PGD 80000001f20ec067 P4D 80000001f20ec067 PUD 1f20ed067 PMD 0
[  135.773946] Oops: 0000 [#1] SMP KASAN PTI
[  135.774769] CPU: 1 PID: 1401 Comm: mount Tainted: G    B             4.18.0-rc1+ #6
[  135.776409] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  135.778307] RIP: 0010:mount_fs+0x78/0x1a0
[  135.779126] Code: 49 8b 45 10 48 89 d9 44 89 fe 4c 89 ef e8 d0 e7 21 01 48 3d 00 f0 ff ff 49 89 c4 0f 87 a5 00 00 00 48 8d 78 68 e8 88 8f fb ff <49> 8b 5c 24 68 48 85 db 0f 84 dd 00 00 00 48 8d bb d8 00 00 00 e8
[  135.782930] RSP: 0018:ffff8801e4c7fce0 EFLAGS: 00010296
[  135.783984] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  135.785419] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
[  135.786844] RBP: ffff8801e4c7fd10 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  135.788277] R10: 0000000000000001 R11: ffffed003ede3eba R12: 0000000000000000
[  135.789699] R13: ffffffffaf24af00 R14: 0000000000000000 R15: 0000000000000000
[  135.791121] FS:  00007fe65aa8b840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  135.792748] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  135.793907] CR2: 00007fd86c01e0e8 CR3: 00000001effa8000 CR4: 00000000000006e0
[  135.795347] Call Trace:
[  135.795866]  ? alloc_vfsmnt+0x309/0x360
[  135.796664]  vfs_kern_mount+0x6b/0x1a0
[  135.797438]  do_mount+0x34a/0x18c0
[  135.798143]  ? lockref_put_or_lock+0xcf/0x160
[  135.799038]  ? copy_mount_string+0x20/0x20
[  135.799880]  ? memcg_kmem_put_cache+0x1b/0xa0
[  135.800790]  ? kasan_check_write+0x14/0x20
[  135.801632]  ? _copy_from_user+0x6a/0x90
[  135.802444]  ? memdup_user+0x42/0x60
[  135.803185]  ksys_mount+0x83/0xd0
[  135.803873]  __x64_sys_mount+0x67/0x80
[  135.804660]  do_syscall_64+0x78/0x170
[  135.805419]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  135.806446] RIP: 0033:0x7fe65a36bb9a
[  135.807182] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[  135.811006] RSP: 002b:00007ffcfb9849e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  135.812542] RAX: ffffffffffffffda RBX: 000000000081e030 RCX: 00007fe65a36bb9a
[  135.813977] RDX: 000000000081e210 RSI: 000000000081ff30 RDI: 0000000000826ec0
[  135.815412] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016
[  135.816858] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000000826ec0
[  135.818293] R13: 000000000081e210 R14: 0000000000000000 R15: 0000000000000003
[  135.819739] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  135.829487] CR2: 0000000000000068
[  135.830248] ---[ end trace 7f5a46c7478f1295 ]---
[  135.831211] RIP: 0010:mount_fs+0x78/0x1a0
[  135.832075] Code: 49 8b 45 10 48 89 d9 44 89 fe 4c 89 ef e8 d0 e7 21 01 48 3d 00 f0 ff ff 49 89 c4 0f 87 a5 00 00 00 48 8d 78 68 e8 88 8f fb ff <49> 8b 5c 24 68 48 85 db 0f 84 dd 00 00 00 48 8d bb d8 00 00 00 e8
[  135.835984] RSP: 0018:ffff8801e4c7fce0 EFLAGS: 00010296
[  135.837101] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  135.838548] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
[  135.839989] RBP: ffff8801e4c7fd10 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[  135.841603] R10: 0000000000000001 R11: ffffed003ede3eba R12: 0000000000000000
[  135.843048] R13: ffffffffaf24af00 R14: 0000000000000000 R15: 0000000000000000
[  135.844528] FS:  00007fe65aa8b840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  135.846167] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  135.847334] CR2: 00007fd86c01e0e8 CR3: 00000001effa8000 CR4: 00000000000006e0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/super.c#L1282
in mount_fs(),
	root = type->mount(type, flags, name, data);
	if (IS_ERR(root)) {
		error = PTR_ERR(root);
		goto out_free_secdata;
	}
	sb = root->d_sb;
The kernel panics because of the NULL value of root.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
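The failure mode in this report is a contract violation: mount_fs() in fs/super.c only checks IS_ERR() on the dentry that a filesystem's ->mount callback returns, so a callback that returns NULL instead of ERR_PTR(-errno) is indistinguishable from success and the VFS reads root->d_sb from address 0x68. The following userspace model is an added illustration, not kernel code and not part of the bug report; the ERR_PTR/IS_ERR helpers mirror include/linux/err.h, while the filesystem, the "image" with a single validity flag, and the names buggy_mount, fixed_mount, mount_fs_model and mount_fs_hardened are constructed for the example.

```c
/* Userspace model of the ERR_PTR contract that mount_fs() depends on.
 * Added example for this bug page; it is not kernel code and not from the
 * reporter. The filesystem, image format and names are all constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Mirrors include/linux/err.h: an errno is encoded as a pointer in the
 * top MAX_ERRNO addresses; NULL is deliberately NOT an error value. */
static void *ERR_PTR(long error) { return (void *)(uintptr_t)error; }
static long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static int IS_ERR(const void *ptr) { return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }
static int IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR(ptr); }

/* Minimal stand-ins for the kernel structures involved. */
struct super_block { int id; };
struct dentry { struct super_block *d_sb; };
struct image { int valid_header; };          /* constructed on-disk image */

static struct super_block good_sb = { 42 };
static struct dentry good_root = { &good_sb };

typedef struct dentry *(*mount_fn)(const struct image *);

/* Contract violation: a NULL return on a bad image. mount_fs() cannot tell
 * this apart from success and goes on to read root->d_sb (the 8-byte read
 * at address 0x68 in the KASAN report above). */
static struct dentry *buggy_mount(const struct image *img) {
    return img->valid_header ? &good_root : NULL;
}

/* Correct callback: failure is reported as ERR_PTR(-errno). */
static struct dentry *fixed_mount(const struct image *img) {
    return img->valid_header ? &good_root : ERR_PTR(-EINVAL);
}

/* Status for the path the real kernel does not survive. */
#define NULL_ROOT_WOULD_OOPS 1

/* Caller modelled on fs/super.c mount_fs(): only IS_ERR() is checked. */
static long mount_fs_model(mount_fn mount, const struct image *img,
                           struct super_block **sb_out) {
    struct dentry *root = mount(img);
    if (IS_ERR(root))
        return PTR_ERR(root);
    if (root == NULL)                 /* the kernel has no such check ... */
        return NULL_ROOT_WOULD_OOPS;  /* ... and faults on root->d_sb   */
    *sb_out = root->d_sb;
    return 0;
}

/* Defensive variant of the same caller: treat NULL as a filesystem bug,
 * log it, and fail the mount cleanly instead of dereferencing it. */
static long mount_fs_hardened(mount_fn mount, const struct image *img,
                              struct super_block **sb_out) {
    struct dentry *root = mount(img);
    if (IS_ERR_OR_NULL(root)) {
        if (root == NULL)
            fprintf(stderr, "mount callback returned NULL (fs bug)\n");
        return root ? PTR_ERR(root) : -EINVAL;
    }
    *sb_out = root->d_sb;
    return 0;
}

/* Drive one scenario; returns the caller's status code. */
static long run_mount(long (*caller)(mount_fn, const struct image *,
                                     struct super_block **),
                      mount_fn mount, int valid_header) {
    struct image img = { valid_header };   /* constructed input */
    struct super_block *sb = NULL;
    return caller(mount, &img, &sb);
}

int main(void) {
    printf("buggy fs, bad image, mount_fs:  %ld (1 = kernel would oops)\n",
           run_mount(mount_fs_model, buggy_mount, 0));
    printf("buggy fs, bad image, hardened:  %ld (-EINVAL)\n",
           run_mount(mount_fs_hardened, buggy_mount, 0));
    printf("fixed fs, bad image, mount_fs:  %ld (-EINVAL)\n",
           run_mount(mount_fs_model, fixed_mount, 0));
    printf("fixed fs, good image, mount_fs: %ld\n",
           run_mount(mount_fs_model, fixed_mount, 1));
    return 0;
}
```

The model cannot actually dereference NULL, so mount_fs_model returns the sentinel NULL_ROOT_WOULD_OOPS where the kernel would fault; the point of the contrast is that the durable fix belongs in the filesystem's mount callback (fixed_mount), while the IS_ERR_OR_NULL() check in mount_fs_hardened shows what a belt-and-braces VFS-side check would look like. When reviewing a fill_super or mount path for this class of bug, the check to make is that every error exit returns ERR_PTR(-errno) or a negative errno, never a bare NULL, and a fuzzed image like the attached one is the natural regression test.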
