Date:   Sun, 3 Jun 2018 18:52:19 +0300
From:   Anatoly Trosinenko <anatoly.trosinenko@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     linux-fsdevel@...r.kernel.org,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        "Ernesto A. Fernandez" <ernesto.mnd.fernandez@...il.com>
Subject: Mounting corrupted HFS+ causes kernel NULL pointer dereference

How to reproduce:
1. Take kernel source v4.17-rc7
2. Compile it with the config attached
3. Unpack and mount the attached FS image as hfsplus.

What happens:
[    1.894686] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
[    1.895133] PGD 5c1c067 P4D 5c1c067 PUD 5c1d067 PMD 0
[    1.895365] Oops: 0000 [#1] SMP NOPTI
[    1.895527] Modules linked in:
[    1.895761] CPU: 0 PID: 989 Comm: exe Not tainted 4.17.0-rc7+ #1
[    1.895850] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[    1.896329] RIP: 0010:mount_fs+0x3e/0x150
[    1.896395] RSP: 0018:ffffa122c08e7e00 EFLAGS: 00000207
[    1.896485] RAX: 0000000000000000 RBX: ffff885446f58c00 RCX: 0000000000000000
[    1.896578] RDX: 00000000000001e3 RSI: ffff8854478239a0 RDI: ffff885446c01600
[    1.896670] RBP: 0000000000000000 R08: 00000000000239a0 R09: ffffffffb829da17
[    1.896762] R10: ffffcb798018f400 R11: 0000000000000000 R12: ffffffffb94725c0
[    1.896854] R13: 0000000000000000 R14: 0000000000008000 R15: 0000000000000000
[    1.896988] FS:  00000000015328c0(0000) GS:ffff885447800000(0000) knlGS:0000000000000000
[    1.897113] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.897198] CR2: 0000000000000068 CR3: 0000000005c22000 CR4: 00000000000006f0
[    1.897358] Call Trace:
[    1.897930]  vfs_kern_mount.part.28+0x4f/0xf0
[    1.898032]  do_mount+0x5d0/0xc60
[    1.898096]  ? _copy_from_user+0x37/0x60
[    1.898159]  ? memdup_user+0x39/0x60
[    1.898213]  ksys_mount+0x7b/0xd0
[    1.898266]  __x64_sys_mount+0x1c/0x20
[    1.898329]  do_syscall_64+0x43/0xf0
[    1.898387]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    1.898577] RIP: 0033:0x48d31a
[    1.898623] RSP: 002b:00007ffe78f3f168 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[    1.898724] RAX: ffffffffffffffda RBX: 0000000000008000 RCX: 000000000048d31a
[    1.898811] RDX: 00007ffe78f40f9e RSI: 00007ffe78f40f96 RDI: 00007ffe78f40f8d
[    1.898896] RBP: 00000000015328a0 R08: 0000000000000000 R09: 0000000000000000
[    1.898979] R10: 0000000000008000 R11: 0000000000000246 R12: 0000000000000000
[    1.899072] R13: 0000000000000000 R14: 00007ffe78f3f3d8 R15: 0000000000000000
[    1.899195] Code: 48 83 ec 10 48 85 c9 0f 85 a7 00 00 00 49 8b 44 24 10 44 89 f6 4c 89 e7 e8 10 51 c5 00 48 3d 00 f0 ff ff 48 89 c5 41 89 c7 77 7a <48> 8b 58 68 48 85 db 0f 84 f1 00 00 00 48 83 bb d8 00 00 00 00
[    1.899721] RIP: mount_fs+0x3e/0x150 RSP: ffffa122c08e7e00
[    1.899811] CR2: 0000000000000068
[    1.900556] ---[ end trace d7a6559d7381eeda ]---
[    1.901562] exe (989) used greatest stack depth: 12872 bytes left

(Full kernel log is attached.)
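The oops above already carries what a first triage needs: the faulting address, the kernel RIP, which call-trace frames the unwinder trusts, and the opcode bytes around the fault. The following script is an added example, not part of the original report, that pulls those fields out of dmesg/serial text and classifies the fault. Its sample input is this report's own oops (rejoined where the mail client wrapped lines); the `Oops`, `parse_oops`, `faulting_bytes` and `summarize` names are this example's own. On this input the bytes at the `<48>` marker are `48 8b 58 68`, i.e. `mov rbx,[rax+0x68]`, and the register dump shows RAX = 0, which matches CR2 = 0x68: a field at offset 0x68 is being read through a NULL pointer inside mount_fs, right after the IS_ERR-style `cmp rax,0xfffffffffffff000; ja` that precedes it in the dump.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines from the report's oops, with the mail client's wrapping undone.
SAMPLE_OOPS = """\
[    1.894686] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
[    1.895365] Oops: 0000 [#1] SMP NOPTI
[    1.895761] CPU: 0 PID: 989 Comm: exe Not tainted 4.17.0-rc7+ #1
[    1.896329] RIP: 0010:mount_fs+0x3e/0x150
[    1.896485] RAX: 0000000000000000 RBX: ffff885446f58c00 RCX: 0000000000000000
[    1.897358] Call Trace:
[    1.897930]  vfs_kern_mount.part.28+0x4f/0xf0
[    1.898032]  do_mount+0x5d0/0xc60
[    1.898096]  ? _copy_from_user+0x37/0x60
[    1.898213]  ksys_mount+0x7b/0xd0
[    1.898577] RIP: 0033:0x48d31a
[    1.898724] RAX: ffffffffffffffda RBX: 0000000000008000 RCX: 000000000048d31a
[    1.899195] Code: 48 83 ec 10 48 85 c9 0f 85 a7 00 00 00 49 8b 44 24 10 44 89 f6 4c 89 e7 e8 10 51 c5 00 48 3d 00 f0 ff ff 48 89 c5 41 89 c7 77 7a <48> 8b 58 68 48 85 db 0f 84 f1 00 00 00 48 83 bb d8 00 00 00 00
[    1.899811] CR2: 0000000000000068
[    1.900556] ---[ end trace d7a6559d7381eeda ]---
"""
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# Old ("unable to handle ... at ADDR") and newer ("..., address: ADDR") BUG line formats.
BUG_LINE = re.compile(r"BUG: (?:unable to handle kernel .* at|kernel NULL pointer dereference, address:) ([0-9a-f]+)")
OOPS_LINE = re.compile(r"Oops: ([0-9a-f]{4}) \[#\d+\]")
TASK_LINE = re.compile(r"PID: (\d+) Comm: (.+?) (?:Not tainted|Tainted: .+?) (\S+) #\d+")
KRIP_LINE = re.compile(r"RIP: 0010:(\S+?)\+0x([0-9a-f]+)/")  # kernel CS only, not the 0033 user RIP
REG_PAIR = re.compile(r"\b(R[A-Z0-9]{1,2}|CR\d): ([0-9a-f]{16})\b")
FRAME = re.compile(r"^(\? )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?)$")

@dataclass
class Oops:
    fault_addr: Optional[int] = None
    error_code: int = 0
    pid: Optional[int] = None
    comm: str = ""
    kernel: str = ""
    rip_symbol: Optional[str] = None
    rip_offset: int = 0
    frames: List[Tuple[str, bool]] = field(default_factory=list)  # (frame, reliable)
    code_bytes: List[int] = field(default_factory=list)
    fault_byte_index: Optional[int] = None  # index of the <xx> byte in code_bytes
    registers: Dict[str, int] = field(default_factory=dict)

    @property
    def is_null_deref(self) -> bool:
        # A NULL-based access faults in the unmapped first page; the address is the field offset.
        return self.fault_addr is not None and self.fault_addr < 0x1000

    @property
    def access(self) -> str:
        # x86 page-fault error code: bit 0 = present, bit 1 = write, bit 2 = user mode.
        return "write" if self.error_code & 0x2 else "read"

def parse_oops(text: str) -> Oops:
    """Parse dmesg/serial text (timestamps optional) into an Oops record."""
    o, in_trace = Oops(), False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if in_trace:
            m = FRAME.match(line)
            if m:  # "? symbol" marks a frame the unwinder could not verify
                o.frames.append((m.group(2), m.group(1) is None))
                continue
            in_trace = False  # first non-frame line ends the trace
        if line == "Call Trace:":
            in_trace = True
        elif (m := BUG_LINE.search(line)):
            o.fault_addr = int(m.group(1), 16)
        elif (m := OOPS_LINE.search(line)):
            o.error_code = int(m.group(1), 16)
        elif (m := TASK_LINE.search(line)):
            o.pid, o.comm, o.kernel = int(m.group(1)), m.group(2), m.group(3)
        elif (m := KRIP_LINE.search(line)) and o.rip_symbol is None:
            o.rip_symbol, o.rip_offset = m.group(1), int(m.group(2), 16)
        elif line.startswith("Code: "):
            for tok in line[6:].split():
                if tok.startswith("<"):  # <xx> marks the first byte of the faulting instruction
                    o.fault_byte_index = len(o.code_bytes)
                if not all(c in "0123456789abcdef" for c in tok.strip("<>")):
                    break  # e.g. "Code: Bad RIP value."
                o.code_bytes.append(int(tok.strip("<>"), 16))
        for reg, val in REG_PAIR.findall(line):
            o.registers.setdefault(reg, int(val, 16))  # keep the kernel dump, not the later user one
    return o

def faulting_bytes(o: Oops, n: int = 4) -> List[int]:
    """Opcode bytes from the faulting instruction onward (empty without a <xx> marker)."""
    i = o.fault_byte_index
    return [] if i is None else o.code_bytes[i:i + n]

def summarize(o: Oops) -> str:
    kind = "NULL pointer dereference" if o.is_null_deref else "bad memory access"
    path = " <- ".join(f for f, reliable in o.frames if reliable)
    return (f"{kind}: {o.access} of 0x{o.fault_addr:x} in {o.rip_symbol}+0x{o.rip_offset:x} "
            f"(pid {o.pid} '{o.comm}', kernel {o.kernel}); path {path}")

if __name__ == "__main__":
    oops = parse_oops(SAMPLE_OOPS)
    print(summarize(oops))
    print("faulting instruction bytes:", " ".join(f"{b:02x}" for b in faulting_bytes(oops)))
```

Frames prefixed with `?` are kept but marked unreliable, so the summary's call path only lists frames the unwinder verified; the register dump keeps the first (kernel) value of each register, because the user-mode dump that follows the trace reuses the same names.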

PS: Since the HFS+ driver is not very well maintained, I included in the CC
list the two most recent committers to fs/hfsplus/*. Please excuse me for the
disturbance.

Thanks,
Anatoly

View attachment "serial-log.txt" of type "text/plain" (21780 bytes)

Download attachment "config_v4.17-rc7" of type "application/octet-stream" (113927 bytes)

Download attachment "hfsplus_128mb.img.bz2" of type "application/octet-stream" (582 bytes)
