From: Eric Sesterhenn <snakebyte@gmx.de>
To: zippel@linux-m68k.org, linux-kernel@vger.kernel.org
Subject: [Patch] Fix another bug in hfsplus when reading a corrupted image
Date: Tue, 26 Aug 2008 14:59:09 +0200
Message-ID: <20080826125909.GA21266@alice>

hi,

another bug that popped up when testing hfsplus with corrupted images.

[  144.632017] BUG: unable to handle kernel NULL pointer dereference at 00000034
[  144.633047] IP: [<c0230c55>] hfsplus_find_init+0x24/0x5a
[  144.633047] *pde = 00000000
[  144.633047] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
[  144.633047] Modules linked in:
[  144.633047]
[  144.633047] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00131-g83097ac-dirty #32)
[  144.633047] EIP: 0060:[<c0230c55>] EFLAGS: 00010202 CPU: 0
[  144.633047] EIP is at hfsplus_find_init+0x24/0x5a
[  144.633047] EAX: 0000001d EBX: c6eaca84 ECX: c011bf0c EDX: 000000d0
[  144.633047] ESI: 00000000 EDI: c6eb810c EBP: c6eaca74 ESP: c6eaca60
[  144.633047]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  144.633047] Process mount (pid: 4845, ti=c6eac000 task=c6e80000 task.ti=c6eac000)
[  144.633047] Stack: c0801a93 00000000 c6eaca84 c6eaca84 c6eb8000 c6eacab4 c022c900 00000000
[  144.633047]        c022ce68 00000000 c6eb8004 00000000 00000000 22222222 22222222 22222222
[  144.633047]        22222222 22222222 00000000 c1098a40 c6eb8000 c6eacae0 c022ce72 c6eb82ac
[  144.633047] Call Trace:
[  144.633047]  [<c022c900>] ? hfsplus_ext_read_extent+0x47/0x12a
[  144.633047]  [<c022ce68>] ? hfsplus_get_block+0xb3/0x19d
[  144.633047]  [<c022ce72>] ? hfsplus_get_block+0xbd/0x19d
[  144.633047]  [<c01a042d>] ? block_read_full_page+0x172/0x2b4
[  144.633047]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
[  144.633047]  [<c0161899>] ? add_to_page_cache_locked+0xa9/0xc4
[  144.633047]  [<c0168922>] ? lru_cache_add+0x53/0x69
[  144.633047]  [<c022b737>] ? hfsplus_readpage+0xf/0x11
[  144.633047]  [<c0161ad5>] ? read_cache_page_async+0x79/0x108
[  144.633047]  [<c022b728>] ? hfsplus_readpage+0x0/0x11
[  144.633048]  [<c0162d59>] ? read_cache_page+0xc/0x3f
[  144.633048]  [<c022e85b>] ? hfsplus_btree_open+0x104/0x267
[  144.633048]  [<c022b04a>] ? hfsplus_fill_super+0x211/0x447
[  144.633048]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  144.633048]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  144.633048]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  144.633048]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  144.633048]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  144.633048]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  144.633048]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  144.633048]  [<c06aa5c6>] ? mutex_unlock+0x8/0xa
[  144.633048]  [<c01a28da>] ? do_open+0x20b/0x280
[  144.633048]  [<c01a29cc>] ? __blkdev_get+0x7d/0x88
[  144.633048]  [<c041c9c4>] ? string+0x2b/0x74
[  144.633048]  [<c041ccf6>] ? vsnprintf+0x2e9/0x512
[  144.633048]  [<c010487a>] ? dump_trace+0xca/0xd6
[  144.633048]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  144.633048]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  144.633048]  [<c013b571>] ? save_trace+0x37/0x8d
[  144.633048]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  144.633048]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  144.633048]  [<c01354d3>] ? up+0xc/0x2f
[  144.633048]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  144.633048]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  144.633048]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  144.633048]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  144.633048]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  144.633048]  [<c041cf97>] ? snprintf+0x1b/0x1d
[  144.633048]  [<c01ba466>] ? disk_name+0x25/0x67
[  144.633048]  [<c0183960>] ? get_sb_bdev+0xcd/0x10b
[  144.633048]  [<c016ad92>] ? kstrdup+0x2a/0x4c
[  144.633048]  [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
[  144.633048]  [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
[  144.633048]  [<c0183583>] ? vfs_kern_mount+0x3b/0x76
[  144.633048]  [<c0183602>] ? do_kern_mount+0x32/0xba
[  144.633048]  [<c01960d4>] ? do_new_mount+0x46/0x74
[  144.633048]  [<c0196277>] ? do_mount+0x175/0x193
[  144.633048]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  144.633048]  [<c01663b2>] ? __get_free_pages+0x1e/0x24
[  144.633048]  [<c06ac09b>] ? lock_kernel+0x19/0x8c
[  144.633048]  [<c01962e6>] ? sys_mount+0x51/0x9b
[  144.633048]  [<c01962f9>] ? sys_mount+0x64/0x9b
[  144.633048]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
[  144.633048]  =======================
[  144.633048] Code: 00 00 00 00 5b 5d c3 55 89 e5 56 89 c6 53 89 d3 52 50 68 93 1a 80 c0 e8 f2 24 ef ff ba d0 00 00 00 89 73 08 c7 43 0c 00 00 00 00 <8b> 46 34 8d 44 00 04 e8 f9 e0 f4 ff ba f4 ff ff ff 83 c4 0c 85
[  144.633048] EIP: [<c0230c55>] hfsplus_find_init+0x24/0x5a SS:ESP 0068:c6eaca60
[  144.659114] ---[ end trace 3e5c566484eaaae5 ]---


Problem is that there is no ext_tree, causing the NULL-pointer
dereference in hfsplus_init(). This fixes the issue by checking the ext_tree in
hfsplus_get_block() and aborting early enough.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>


--- linux/fs/hfsplus/extents.orig	2008-08-26 14:51:08.000000000 +0200
+++ linux/fs/hfsplus/extents.c	2008-08-26 14:51:48.000000000 +0200
@@ -199,6 +199,9 @@ int hfsplus_get_block(struct inode *inod
 		goto done;
 	}
 
+	if (HFSPLUS_SB(inode->i_sb).ext_tree == NULL)
+		return -EIO;
+
 	mutex_lock(&HFSPLUS_I(inode).extents_lock);
 	res = hfsplus_ext_read_extent(inode, ablock);
 	if (!res) {
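Review bot: the new NULL check on HFSPLUS_SB(inode->i_sb).ext_tree at the start of this hunk carries no comment explaining when ext_tree can be NULL; the trace above shows the path is hfsplus_fill_super -> hfsplus_btree_open -> hfsplus_get_block -> hfsplus_ext_read_extent, i.e. a mount in progress before the extents tree is open, reached because a corrupted image makes a B-tree file need a block that is not covered by the `goto done` fast path just above. A one-line comment such as `/* extents tree not open yet (mount in progress): corrupted image */` would save the next reader from re-deriving that. Returning -EIO silently also leaves nothing in the log for the administrator; consider a printk naming the inode before returning. Finally, the file header is `linux/fs/hfsplus/extents.orig` / `linux/fs/hfsplus/extents.c` rather than the a/ b/ form, so the patch needs -p0 instead of the usual -p1 to apply.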

Thread overview: 3+ messages
2008-08-26 12:59 Eric Sesterhenn [this message]
2008-08-29  2:21 ` [Patch] Fix another bug in hfsplus when reading a corrupted image Roman Zippel
2008-09-03 17:14   ` Eric Sesterhenn