To: linux-fsdevel@vger.kernel.org
Cc: LKML
From: Vegard Nossum
Subject: BUG: NULL ptr deref at 0000000000000040 (hfs_find_init+0x1a/0x60)
Message-ID: <565E049A.5000709@oracle.com>
Date: Tue, 1 Dec 2015 21:35:38 +0100

Hi,

Mounting the attached hfs image (fuzzed) on the latest linus/master gives me the following NULL pointer dereference:

# mount -o loop -t hfs hfs.0 /mnt/
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: [] hfs_find_init+0x1a/0x60
PGD 148b4067 PUD 148b3067 PMD 0
Oops: 0000 [#1] SMP KASAN
CPU: 2 PID: 981 Comm: mount Not tainted 4.4.0-rc3+ #245
task: ffff880015b25400 ti: ffff880014820000 task.ti: ffff880014820000
RIP: 0010:[] [] hfs_find_init+0x1a/0x60
RSP: 0018:ffff8800148279c8 EFLAGS: 00010246
RAX: ffff88001625fc90 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8800148279f0 RDI: 0000000000000000
RBP: ffff8800148279d8 R08: 0000000000000000 R09: ffff880014eb3650
R10: ffffea00005c9300 R11: 0000000000000000 R12: ffff8800148279f0
R13: ffff880015461b90 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fec8d137880(0000) GS:ffff880017000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000000015806000 CR4: 00000000001406a0
Stack:
 ffff8800148100b0 0000000000000000 ffff880014827a38 ffffffff81270331
 0000000000000000 ffff880014827a08 ffffffff8118c07c 0000000000000000
 0000000000000000 ffff8800168e4e00 ffffea00005c9300 ffffed00029d66d7
Call Trace:
 [] hfs_ext_read_extent+0x41/0x170
 [] ? alloc_buffer_head+0x1c/0x60
 [] hfs_get_block+0x146/0x1a0
 [] block_read_full_page+0x123/0x330
 [] ? hfs_extend_file+0x200/0x200
 [] ? __add_to_page_cache_locked+0x126/0x1c0
 [] ? hfs_bmap+0x20/0x20
 [] hfs_readpage+0x13/0x20
 [] do_read_cache_page+0x78/0x190
 [] ? hfs_ext_read_extent+0x170/0x170
 [] read_cache_page+0x14/0x20
 [] hfs_btree_open+0x125/0x2f0
 [] hfs_mdb_get+0x3b5/0x650
 [] ? string.isra.2+0x3b/0xd0
 [] ? hfs_free_extents+0x37/0xc0
 [] hfs_fill_super+0x1be/0x670
 [] ? snprintf+0x39/0x40
 [] ? register_shrinker+0x75/0x90
 [] mount_bdev+0x185/0x1c0
 [] ? hfs_remount+0x80/0x80
 [] hfs_mount+0x10/0x20
 [] mount_fs+0x34/0x160
 [] ? __alloc_percpu+0x10/0x20
 [] vfs_kern_mount+0x62/0x110
 [] do_mount+0x21b/0xdd0
 [] ? kasan_slab_alloc+0xd/0x10
 [] ? __kmalloc_track_caller+0xc2/0x180
 [] ? strndup_user+0x3c/0x50
 [] ? memdup_user+0x3d/0x70
 [] SyS_mount+0x86/0xd0
 [] entry_SYSCALL_64_fastpath+0x12/0x71
Code: c8 48 83 c2 04 89 c1 e9 48 ff ff ff 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 f4 53 49 89 7c 24 10 48 89 fb 48 c7 46 18 00 00 00 00 <8b> 47 40 be c0 00 40 02 8d 7c 00 04 e8 35 4e ee ff 48 85 c0 74
RIP [] hfs_find_init+0x1a/0x60
 RSP
CR2: 0000000000000040
---[ end trace da9ee4ec66b489ef ]---
mount (981) used greatest stack depth: 28992 bytes left

That seems to be:

ffffffff8126c6fa fs/hfs/bfind.c:20: ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);

I can test patches.
Vegard

Content-Type: application/x-bzip; name="hfs.0.bz2"
Content-Disposition: attachment; filename="hfs.0.bz2"
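Added example, not part of the original report and not the kernel's own code: a small C model of the unchecked field read at fs/hfs/bfind.c:20 beside a NULL-checked variant, plus a helper that reads the faulting address out of a constructed oops line. The struct is a hypothetical stand-in whose padding puts max_key_len at offset 0x40, so the CR2 value in the report maps to that field when the base pointer is NULL; all names other than max_key_len and hfs_find_init are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's B-tree descriptor (not the real
 * struct hfs_btree). The padding is sized so that max_key_len lands at
 * offset 0x40, the address reported in CR2 when the base pointer is NULL. */
struct btree_model {
    void *sb;
    void *inode;
    uint8_t pad[0x40 - 2 * sizeof(void *)];   /* constructed padding */
    unsigned int max_key_len;                 /* offset 0x40 */
};

struct find_model {
    struct btree_model *tree;
    void *search_key;
};

/* Unchecked pattern from the report: the first use of 'tree' is a field
 * read, so a NULL tree faults at NULL + 0x40 before anything else runs. */
int find_init_unchecked(struct btree_model *tree, struct find_model *fd)
{
    fd->tree = tree;
    fd->search_key = malloc(tree->max_key_len * 2 + 4);  /* faults if tree == NULL */
    return fd->search_key ? 0 : -ENOMEM;
}

/* Hardened variant: refuse the lookup when the tree pointer is NULL, so a
 * corrupt image fails the mount with an error instead of an oops. */
int find_init_checked(struct btree_model *tree, struct find_model *fd)
{
    if (!tree)
        return -EIO;
    return find_init_unchecked(tree, fd);
}

/* Where the faulting address falls inside the model struct. */
size_t max_key_len_offset(void)
{
    return offsetof(struct btree_model, max_key_len);
}

/* Pull the faulting address out of an oops line such as
 * "CR2: 0000000000000040"; returns (unsigned long)-1 if absent. */
unsigned long parse_cr2(const char *line)
{
    const char *p = strstr(line, "CR2: ");
    return p ? strtoul(p + 5, NULL, 16) : (unsigned long)-1;
}
```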