lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAE5jQCfP1Z0oTBz_V0QkFwFqtJgekUMD2HZR=qA2oWxPvZrzsQ@mail.gmail.com>
Date:   Sun, 3 Jun 2018 18:52:19 +0300
From:   Anatoly Trosinenko <anatoly.trosinenko@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     linux-fsdevel@...r.kernel.org,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        "Ernesto A. Fernandez" <ernesto.mnd.fernandez@...il.com>
Subject: Mounting corrupted HFS+ causes kernel NULL pointer dereference

How to reproduce:
1. Take kernel source v4.17-rc7
2. Compile it with the config attached
3. Unpack and mount the attached FS image as hfsplus.

What happens:
[    1.894686] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000068
[    1.895133] PGD 5c1c067 P4D 5c1c067 PUD 5c1d067 PMD 0
[    1.895365] Oops: 0000 [#1] SMP NOPTI
[    1.895527] Modules linked in:
[    1.895761] CPU: 0 PID: 989 Comm: exe Not tainted 4.17.0-rc7+ #1
[    1.895850] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1ubuntu1 04/01/2014
[    1.896329] RIP: 0010:mount_fs+0x3e/0x150
[    1.896395] RSP: 0018:ffffa122c08e7e00 EFLAGS: 00000207
[    1.896485] RAX: 0000000000000000 RBX: ffff885446f58c00 RCX: 0000000000000000
[    1.896578] RDX: 00000000000001e3 RSI: ffff8854478239a0 RDI: ffff885446c01600
[    1.896670] RBP: 0000000000000000 R08: 00000000000239a0 R09: ffffffffb829da17
[    1.896762] R10: ffffcb798018f400 R11: 0000000000000000 R12: ffffffffb94725c0
[    1.896854] R13: 0000000000000000 R14: 0000000000008000 R15: 0000000000000000
[    1.896988] FS:  00000000015328c0(0000) GS:ffff885447800000(0000)
knlGS:0000000000000000
[    1.897113] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.897198] CR2: 0000000000000068 CR3: 0000000005c22000 CR4: 00000000000006f0
[    1.897358] Call Trace:
[    1.897930]  vfs_kern_mount.part.28+0x4f/0xf0
[    1.898032]  do_mount+0x5d0/0xc60
[    1.898096]  ? _copy_from_user+0x37/0x60
[    1.898159]  ? memdup_user+0x39/0x60
[    1.898213]  ksys_mount+0x7b/0xd0
[    1.898266]  __x64_sys_mount+0x1c/0x20
[    1.898329]  do_syscall_64+0x43/0xf0
[    1.898387]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    1.898577] RIP: 0033:0x48d31a
[    1.898623] RSP: 002b:00007ffe78f3f168 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[    1.898724] RAX: ffffffffffffffda RBX: 0000000000008000 RCX: 000000000048d31a
[    1.898811] RDX: 00007ffe78f40f9e RSI: 00007ffe78f40f96 RDI: 00007ffe78f40f8d
[    1.898896] RBP: 00000000015328a0 R08: 0000000000000000 R09: 0000000000000000
[    1.898979] R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000
[    1.899072] R13: 0000000000000000 R14: 00007ffe78f3f3d8 R15: 0000000000000000
[    1.899195] Code: 48 83 ec 10 48 85 c9 0f 85 a7 00 00 00 49 8b 44
24 10 44 89 f6 4c 89 e7 e8 10 51 c5 00 48 3d 00 f0 ff ff 48 89 c5 41
89 c7 77 7a <48> 8b 58 68 48 85 db 0f 84 f1 00 00 00 48 83 bb d8 00 00
00 00
[    1.899721] RIP: mount_fs+0x3e/0x150 RSP: ffffa122c08e7e00
[    1.899811] CR2: 0000000000000068
[    1.900556] ---[ end trace d7a6559d7381eeda ]---
[    1.901562] exe (989) used greatest stack depth: 12872 bytes left

( Full kernel log is attached. )

PS: Since HFS+ driver is not very maintained, I included into the CC
list two most recent committers to fs/hfsplus/*. Please excuse me for
disturbance.

Thanks,
Anatoly

View attachment "serial-log.txt" of type "text/plain" (21780 bytes)

Download attachment "config_v4.17-rc7" of type "application/octet-stream" (113927 bytes)

Download attachment "hfsplus_128mb.img.bz2" of type "application/octet-stream" (582 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ