Bug 200355 - Bad function pointer invoking (lookup) when mounting a reiserfs filesystem
Summary: Bad function pointer invoking (lookup) when mounting a reiserfs filesystem
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: ReiserFS
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: ReiserFS developers team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-28 20:58 UTC by Wen Xu
Modified: 2018-06-28 20:58 UTC

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (65.64 KB, application/zip)
2018-06-28 20:58 UTC, Wen Xu

Description Wen Xu 2018-06-28 20:58:03 UTC
Created attachment 277009
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 17.img mnt

- Kernel message
[  220.327982] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  220.328879] REISERFS (device loop0): using ordered data mode
[  220.328886] reiserfs: using flush barriers
[  220.329795] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  220.330920] REISERFS (device loop0): checking transaction log (loop0)
[  221.226796] REISERFS (device loop0): Using r5 hash to sort names
[  221.226945] init_special_inode: bogus i_mode (0) for inode loop0:3
[  221.227056] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  221.228743] PGD 80000001e3580067 P4D 80000001e3580067 PUD 1e3581067 PMD 0 
[  221.230137] Oops: 0010 [#1] SMP KASAN PTI
[  221.230970] CPU: 0 PID: 1355 Comm: mount Not tainted 4.18.0-rc1+ #8
[  221.232221] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  221.234099] RIP: 0010:          (null)
[  221.234852] Code: Bad RIP value.
[  221.235529] RSP: 0018:ffff8801f0dcf850 EFLAGS: 00010246
[  221.236598] RAX: 0000000000000000 RBX: ffff8801d0ae40b0 RCX: ffffffffa53f316c
[  221.238013] RDX: 0000000000000000 RSI: ffff8801eae81f00 RDI: ffff8801d0ae40b0
[  221.239429] RBP: ffff8801f0dcf900 R08: 0000000000000000 R09: ffffed003d5d03cc
[  221.240851] R10: 0000000000000001 R11: ffffed003d5d03cb R12: 1ffff1003e1b9f0f
[  221.242263] R13: ffffffffa693aa80 R14: 0000000000000000 R15: ffff8801eae81f00
[  221.243675] FS:  00007fd9c795b840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  221.245284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  221.246426] CR2: ffffffffffffffd6 CR3: 00000001f14f8000 CR4: 00000000000006f0
[  221.247854] Call Trace:
[  221.248437]  ? __lookup_slow+0x12e/0x240
[  221.249247]  ? may_delete+0x2b0/0x2b0
[  221.249994]  ? d_lookup+0x2a/0x50
[  221.250670]  lookup_one_len+0x126/0x140
[  221.251450]  ? lookup_one_len_unlocked+0xd0/0xd0
[  221.252378]  ? lookup_one_len_unlocked+0xd0/0xd0
[  221.253351]  reiserfs_xattr_init+0x30d/0x390
[  221.254243]  ? up_write+0x16/0x40
[  221.254927]  reiserfs_fill_super+0x1358/0x1550
[  221.255830]  ? finish_unfinished+0x940/0x940
[  221.256740]  ? netdev_bits+0x50/0x50
[  221.257485]  ? __asan_loadN+0xf/0x20
[  221.258215]  ? format_decode+0x2af/0x4a0
[  221.259010]  ? vsnprintf+0x55f/0x980
[  221.259734]  ? pointer+0x520/0x520
[  221.260424]  ? up_write+0x16/0x40
[  221.261112]  ? vsprintf+0x20/0x20
[  221.261799]  ? set_blocksize+0x90/0x140
[  221.262592]  mount_bdev+0x1c5/0x210
[  221.263308]  ? finish_unfinished+0x940/0x940
[  221.264174]  get_super_block+0x15/0x20
[  221.264951]  mount_fs+0x60/0x1a0
[  221.265624]  ? alloc_vfsmnt+0x309/0x360
[  221.266411]  vfs_kern_mount+0x6b/0x1a0
[  221.267179]  do_mount+0x34a/0x18c0
[  221.267899]  ? lockref_put_or_lock+0xcf/0x160
[  221.268795]  ? copy_mount_string+0x20/0x20
[  221.269625]  ? kasan_kmalloc+0xad/0xe0
[  221.270388]  ? kmem_cache_alloc_trace+0x102/0x200
[  221.271337]  ? copy_mount_options+0x4b/0x190
[  221.272202]  ? copy_mount_options+0xd5/0x190
[  221.273076]  ksys_mount+0x83/0xd0
[  221.273758]  __x64_sys_mount+0x67/0x80
[  221.274536]  do_syscall_64+0x78/0x170
[  221.275299]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  221.276333] RIP: 0033:0x7fd9c723bb9a
[  221.277070] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 
[  221.280828] RSP: 002b:00007ffe8811a7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  221.282331] RAX: ffffffffffffffda RBX: 0000000000a96030 RCX: 00007fd9c723bb9a
[  221.283747] RDX: 0000000000a96210 RSI: 0000000000a97f50 RDI: 0000000000a9eee0
[  221.285172] RBP: 0000000000000000 R08: 0000000000a96230 R09: 0000000000000017
[  221.286585] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000000a9eee0
[  221.287993] R13: 0000000000a96210 R14: 0000000000000000 R15: 0000000000000005
[  221.289426] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  221.305309] CR2: 0000000000000000
[  221.306217] ---[ end trace 2e85051acb5f6dc1 ]---
[  221.307178] RIP: 0010:          (null)
[  221.307948] Code: Bad RIP value.
[  221.308668] RSP: 0018:ffff8801f0dcf850 EFLAGS: 00010246
[  221.309738] RAX: 0000000000000000 RBX: ffff8801d0ae40b0 RCX: ffffffffa53f316c
[  221.311161] RDX: 0000000000000000 RSI: ffff8801eae81f00 RDI: ffff8801d0ae40b0
[  221.312632] RBP: ffff8801f0dcf900 R08: 0000000000000000 R09: ffffed003d5d03cc
[  221.314061] R10: 0000000000000001 R11: ffffed003d5d03cb R12: 1ffff1003e1b9f0f
[  221.315501] R13: ffffffffa693aa80 R14: 0000000000000000 R15: ffff8801eae81f00
[  221.316980] FS:  00007fd9c795b840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  221.318610] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  221.319765] CR2: ffffffffffffffd6 CR3: 00000001f14f8000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/namei.c#L1630
		old = inode->i_op->lookup(inode, dentry, flags);
		d_lookup_done(dentry);
		if (unlikely(old)) {
i_op->lookup seems not to be properly initialized.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
