Bug 200925 - null pointer dereference in xfs_dir_isempty()
Summary: null pointer dereference in xfs_dir_isempty()
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: XFS
Hardware: All Linux
Importance: P1 normal
Assignee: Eric Sandeen
URL:
Keywords:
Depends on:
Blocks:
Reported: 2018-08-24 13:35 UTC by Wen Xu
Modified: 2018-08-26 20:31 UTC

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
poc.c (1.71 KB, text/x-csrc), 2018-08-24 13:35 UTC, Wen Xu
The (compressed) crafted image which causes crash (39.29 KB, application/zip), 2018-08-24 13:36 UTC, Wen Xu
kernel log (71.30 KB, text/plain), 2018-08-24 13:36 UTC, Wen Xu

Description Wen Xu 2018-08-24 13:35:47 UTC
Created attachment 278069
poc.c

- Reproduce
# mkdir mnt
# mount -t xfs 79.img mnt
# gcc 79.c
# ./a.out ./mnt

- Kernel message
Check attachment: 79.log

- Reason
https://elixir.bootlin.com/linux/latest/source/fs/xfs/libxfs/xfs_dir2.c#L185
	sfp = (xfs_dir2_sf_hdr_t *)dp->i_df.if_u1.if_data;
	return !sfp->count;
Missing checks on sfp.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab.
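The dereference described under Reason, modelled in added example code that is neither the kernel's code nor the reporter's poc.c. struct fork and struct sf_hdr are hypothetical stand-ins for the inode data fork and xfs_dir2_sf_hdr_t; the unchecked helper sits beside a form that first checks that the fork's size agrees with its local format, which is the size-vs-format idea named in the patch title in comment 3, placed here at the point of use rather than in an inode verifier (an assumption about placement).

```c
#include <stddef.h>
#include <stdint.h>
#define FMT_LOCAL 1  /* shortform: directory entries live inside the inode */

/* Hypothetical stand-in for xfs_dir2_sf_hdr_t (the real header has more fields). */
struct sf_hdr { uint8_t count; uint8_t i8count; uint8_t parent[4]; };
/* Hypothetical stand-in for the inode data fork dp->i_df used in the report. */
struct fork { int format; size_t bytes; unsigned char *data; };

/* Mirrors the quoted logic: the header pointer is dereferenced with no check,
 * so a fork that claims local format but carries no data faults here. */
int dir_isempty_unchecked(const struct fork *df)
{
    const struct sf_hdr *sfp = (const struct sf_hdr *)df->data;
    return !sfp->count;
}

/* Hardened form: the fork size must agree with the local format before the
 * header is trusted. Returns 1 empty, 0 not empty, -1 corrupt (caller should
 * fail the operation instead of continuing). */
int dir_isempty_checked(const struct fork *df)
{
    if (df->format != FMT_LOCAL)
        return -1;                /* this helper only understands shortform */
    if (df->data == NULL || df->bytes < sizeof(struct sf_hdr))
        return -1;                /* size disagrees with format: corrupt */
    const struct sf_hdr *sfp = (const struct sf_hdr *)df->data;
    return !sfp->count;
}

/* Constructed forks: a sane non-empty dir, a sane empty dir, and the malformed
 * state assumed to come from the crafted image (local format, no fork data). */
int check_nonempty(void)
{
    struct sf_hdr hdr = { .count = 2 };
    struct fork df = { FMT_LOCAL, sizeof hdr, (unsigned char *)&hdr };
    return dir_isempty_checked(&df);   /* 0 */
}
int check_empty(void)
{
    struct sf_hdr hdr = { .count = 0 };
    struct fork df = { FMT_LOCAL, sizeof hdr, (unsigned char *)&hdr };
    return dir_isempty_unchecked(&df) == dir_isempty_checked(&df);  /* both 1 */
}
int check_crafted(void)
{
    struct fork df = { FMT_LOCAL, 0, NULL };
    return dir_isempty_checked(&df);   /* -1, where the unchecked form faults */
}
```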
Comment 1 Wen Xu 2018-08-24 13:36:00 UTC
Created attachment 278071
The (compressed) crafted image which causes crash
Comment 2 Wen Xu 2018-08-24 13:36:13 UTC
Created attachment 278073
kernel log
Comment 3 Eric Sandeen 2018-08-26 20:31:43 UTC
[PATCH] xfs: verify size-vs-format for symlinks & dirs
