lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAE5jQCddXGKTYV3WuCn7GUU2upvjhONVv2QojbHdp3ej200bTw@mail.gmail.com>
Date:   Sun, 14 Oct 2018 18:27:25 +0300
From:   Anatoly Trosinenko <anatoly.trosinenko@...il.com>
To:     Jan Kara <jack@...e.com>
Cc:     linux-kernel@...r.kernel.org
Subject: Unlinking a file on a broken UDF image causes kernel BUG

When unlinking a file on a fuzzed UDF image, the kernel BUG is triggered.

How to reproduce (with kvm-xfstests):

1) Checkout udf/for_next (commit 3df77b04f)
2) Copy x86_64-config-4.14 to .config, execute `make olddefconfig`,
then enable UDF support and compile the kernel
3) Copy the attached reproducer to
/tmp/kvm-xfstests-$USER/dump_udf.img (1 Mb uncompressed)
4) Run `kvm-xfstests shell`
5) Inside the shell:

root@...-xfstests:~# mount /vtmp
root@...-xfstests:~# mount /vtmp/dump_udf.img /mnt
[   20.324420] UDF-fs: error (device loop0): udf_process_sequence:
Primary Volume Descriptor not found!
[   20.325825] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp
2018/06/27 18:03 (1000)
root@...-xfstests:~# unlink /mnt/foo
[   28.638288] ------------[ cut here ]------------
[   28.638906] kernel BUG at fs/udf/truncate.c:219!
[   28.639501] invalid opcode: 0000 [#1] SMP PTI
[   28.639946] CPU: 1 PID: 365 Comm: unlink Not tainted
4.19.0-rc2-xfstests-00028-g3df77b04f62 #1
[   28.640803] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1ubuntu1 04/01/2014
[   28.641772] RIP: 0010:udf_truncate_extents+0x2f3/0x300
[   28.642293] Code: 93 d0 fe ff ff 8d b2 d8 00 00 00 81 c2 b0 00 00
00 83 e1 08 0f 45 d6 29 d0 41 89 c6 e9 17 fe ff ff 0f 0b 0f 0b e8 6d
7d d3 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 53
48 89
[   28.644136] RSP: 0018:ffff9b29408d7d80 EFLAGS: 00010206
[   28.644664] RAX: 0000000000000004 RBX: ffff943c78e8d190 RCX: 0000000000000009
[   28.645376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff943c78e8d190
[   28.646087] RBP: ffff943c7b986000 R08: 00000009676e2d1c R09: 0000000000000001
[   28.646801] R10: 0000000000000001 R11: 0000000000000000 R12: ffff943c78e8d088
[   28.647512] R13: 0000000000000000 R14: 0000000000000002 R15: ffff943c78e8d190
[   28.648223] FS:  0000000000000000(0000) GS:ffff943c7dc00000(0063)
knlGS:00000000f7f4a800
[   28.649028] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   28.649603] CR2: 00000000f7e5ae20 CR3: 000000007822e002 CR4: 00000000003606e0
[   28.650337] Call Trace:
[   28.650589]  ? udf_setsize+0x281/0x3e0
[   28.650981]  udf_setsize+0x289/0x3e0
[   28.651349]  ? evict+0xba/0x1a0
[   28.651673]  udf_evict_inode+0x86/0xe0
[   28.652057]  evict+0xd0/0x1a0
[   28.652365]  do_unlinkat+0x1ad/0x310
[   28.652732]  do_fast_syscall_32+0x9d/0x2f0
[   28.653151]  entry_SYSENTER_compat+0x84/0x96
[   28.653603] ---[ end trace 7a5c71f2169e9e21 ]---
[   28.654073] RIP: 0010:udf_truncate_extents+0x2f3/0x300
[   28.654595] Code: 93 d0 fe ff ff 8d b2 d8 00 00 00 81 c2 b0 00 00
00 83 e1 08 0f 45 d6 29 d0 41 89 c6 e9 17 fe ff ff 0f 0b 0f 0b e8 6d
7d d3 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 53
48 89
[   28.656501] RSP: 0018:ffff9b29408d7d80 EFLAGS: 00010206
[   28.657038] RAX: 0000000000000004 RBX: ffff943c78e8d190 RCX: 0000000000000009
[   28.657734] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff943c78e8d190
[   28.658456] RBP: ffff943c7b986000 R08: 00000009676e2d1c R09: 0000000000000001
[   28.659172] R10: 0000000000000001 R11: 0000000000000000 R12: ffff943c78e8d088
[   28.659895] R13: 0000000000000000 R14: 0000000000000002 R15: ffff943c78e8d190
[   28.660614] FS:  0000000000000000(0000) GS:ffff943c7dc00000(0063)
knlGS:00000000f7f4a800
[   28.661425] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   28.662006] CR2: 00000000f7e5ae20 CR3: 000000007822e002 CR4: 00000000003606e0
Segmentation fault
root@...-xfstests:~#

Best regards
Anatoly

Download attachment "dump_udf.img.bz2" of type "application/octet-stream" (1220 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ