[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87h7t5454n.fsf@suse.com>
Date: Fri, 14 Aug 2020 17:30:16 +0200
From: Aurélien Aptel <aaptel@...e.com>
To: Konstantin Komarov <almaz.alexandrovich@...agon-software.com>,
"viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH] fs: NTFS read-write driver GPL implementation by
Paragon Software.
I've tried this using libntfs-3g mkfs.ntfs
# mkfs.ntfs /dev/vb1
# mount -t ntfs3 /dev/vb1 /mnt
This already triggered UBSAN:
================================================================================
UBSAN: object-size-mismatch in fs/ntfs3/super.c:834:16
load of address 000000006ae096b5 with insufficient space
for an object of type 'const char'
CPU: 3 PID: 1248 Comm: mount Not tainted 5.8.0+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
Call Trace:
dump_stack+0x78/0xa0
ubsan_epilogue+0x5/0x40
ubsan_type_mismatch_common.cold+0xc8/0xcd
__ubsan_handle_type_mismatch_v1+0x32/0x37
ntfs_fill_super+0x9f/0x13e0
? vsnprintf+0x1ef/0x4f0
mount_bdev+0x193/0x1c0
Which points to:
sb->s_magic = *(unsigned long *)s_magic; /* TODO */
Maybe store ('n'<<32)|('t'<<24)|('f'<<16)|('s'<<8) ?
Seems harmless.
* * *
Then I've tried to copy /etc into it:
# cp -rp /etc /mnt
But this triggered a NULL ptr deref:
BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 PID: 1255 Comm: cp Not tainted 5.8.0+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
RIP: 0010:ntfs_insert_security+0x187/0x4a0
Code: 00 48 83 c4 18 85 c0 0f 85 54 01 00 00 48 8b 44 24 50 49 8d b5 d8 01 00 00 8b 54 24 60 83 c3 14 48 89 74 24 30 48 85 c0 74 3a <39> 58 28 0f 84 7e 01 00 00 49 89 e8 48 8d 4c 24 50 4c 89 f2 4c 89
RSP: 0018:ffffac73403dfc58 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000064 RCX: 0000000000000010
RDX: 00000000000000b0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff94154ed5fe00 R08: 0000000000000000 R09: 0000000000000001
R10: ffff9415781a6180 R11: 0000000000000003 R12: ffff94155c989800
R13: ffff94151e8d2a38 R14: ffff9415781a6170 R15: ffff9415781173f0
FS: 00007fd19b86e580(0000) GS:ffff94157dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 000000001ac2a000 CR4: 0000000000350ef0
Call Trace:
? mark_held_locks+0x49/0x70
? lockdep_hardirqs_on_prepare+0xf7/0x190
? ktime_get_coarse_real_ts64+0x9e/0xd0
? trace_hardirqs_on+0x1c/0xe0
ntfs_create_inode+0x2db/0x11c0
ntfs_mkdir+0x58/0x90
vfs_mkdir+0x109/0x1f0
do_mkdirat+0x81/0x120
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fd19ad54dd7
Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 b9 70 2c 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 70 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffec3c41588 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fd19ad54dd7
RDX: 00000000000c0001 RSI: 00000000000001c0 RDI: 000055cad585fcf0
RBP: 00007ffec3c41990 R08: 00007ffec3c41b50 R09: 00007fd19ada55c0
R10: 00000000000001ef R11: 0000000000000206 R12: 00007ffec3c41b50
R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffec3c437be
(gdb) list *(ntfs_insert_security+0x187)
0xffffffff814e5097 is in ntfs_insert_security (fs/ntfs3/fsntfs.c:1811).
1806
1807 if (!e)
1808 goto insert_security;
1809
1810 next_security:
1811 if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
1812 goto skip_read_sds;
1813
1814 err = ntfs_read_run_nb(sbi, &ni->file.run, le64_to_cpu(e->sec_hdr.off),
1815 d_security, new_sec_size, NULL);
(gdb) disas /s ntfs_insert_security
....
1811 if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
0xffffffff814e5097 <+391>: cmp %ebx,0x28(%rax) <=====
0xffffffff814e509a <+394>: je 0xffffffff814e521e <ntfs_insert_security+782>
(gdb) p/x (int)&((NTFS_DE_SDH*)0)->sec_hdr.size
$4 = 0x28
So I think 'e' is NULL. Not sure how it can happen.
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
Powered by blists - more mailing lists