BUG: unable to handle kernel NULL pointer dereference in __bread_gfp

BUG: unable to handle kernel NULL pointer dereference in __bread_gfp

[Jianzhou Zhao]

Subject: [BUG] isofs: kernel NULL pointer dereference in __bread_gfp

Dear Maintainers,

We are writing to report a NULL pointer dereference vulnerability within the JFS/ISOFS mounting architecture. This bug was found by our custom fuzzing tool, RacePilot. The bug occurs because `isofs_fill_super()` initiates disk reads via `sb_bread()` immediately relying on the superblock's `s_bdev` block device map being valid, which triggers an immediate NULL pointer dereference inside the `__bread_gfp()` buffer logic if a corrupted/malformed mount request bypasses or fails basic block device bindings. We observed this bug on the Linux kernel version 6.18.0-08691-g2061f18ad76e-dirty.

Call Trace & Context
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 33da6067 P4D 33da6067 PUD 0 
Oops: Oops: 0002 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 12411 Comm: syz.8.1172 Not tainted 6.18.0-08691-g2061f18ad76e-dirty #50 PREEMPT(voluntary) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

Call Trace:
 <TASK>
 sb_bread include/linux/buffer_head.h:346 [inline]
 isofs_fill_super+0x2ff/0x1900 fs/isofs/inode.c:632
 get_tree_bdev_flags+0x256/0x370 fs/super.c:1699
 get_tree_bdev+0x1f/0x30 fs/super.c:1722
 isofs_get_tree+0x1c/0x30 fs/isofs/inode.c:1538
 vfs_get_tree+0x51/0x1a0 fs/super.c:1759
 fc_mount+0x1a/0x130 fs/namespace.c:1199
 do_new_mount_fc fs/namespace.c:3636 [inline]
 do_new_mount fs/namespace.c:3712 [inline]
 path_mount+0x105c/0x1830 fs/namespace.c:4022
 do_mount fs/namespace.c:4035 [inline]
 __do_sys_mount fs/namespace.c:4224 [inline]
 __se_sys_mount fs/namespace.c:4201 [inline]
 __x64_sys_mount+0x1d7/0x210 fs/namespace.c:4201
 ...
==================================================================

Execution Flow & Code Context
During an `isofs` filesystem mount sequence, the `isofs_fill_super` initialization relies heavily on establishing hardware block parameters from the primary superblock wrapper `s->s_bdev`. The driver attempts to parse Volume Descriptors iteratively across standard offsets:
```c
// fs/isofs/inode.c
static int isofs_fill_super(struct super_block *s, struct fs_context *fc)
{
	...
	for (iso_blknum = vol_desc_start+16;
		iso_blknum < vol_desc_start+100; iso_blknum++) {
		struct hs_volume_descriptor *hdp;
		struct iso_volume_descriptor  *vdp;

		block = iso_blknum << (ISOFS_BLOCK_BITS - s->s_blocksize_bits);
		if (!(bh = sb_bread(s, block))) // <-- Fatal call triggering fault
			goto out_no_read;
	...
```

The underlying `sb_bread` helper operates blindly on `s->s_bdev` mapping it directly into `__bread_gfp`:
```c
// include/linux/buffer_head.h
static inline struct buffer_head *
sb_bread(struct super_block *sb, sector_t block)
{
	return __bread_gfp(sb->s_bdev, block, sb->s_blocksize, __GFP_MOVABLE);
}
```

Root Cause Analysis
A NULL pointer dereference takes place within the deepest buffer traversal locks. When fuzzy mounts present a dummy context, network stream, or loopback context absent of a strict block device assignment, `get_tree_bdev_flags` may pass down a partially mapped `super_block` containing `s->s_bdev == NULL`. The `isofs_fill_super()` code makes no defensive verification of `s->s_bdev` before executing `bdev_logical_block_size(s->s_bdev)` and `sb_bread(s, block)`, which ultimately cascades down to `__bread_gfp` attempting atomic flag acquisitions unconditionally against a zero-target address.
Unfortunately, we were unable to generate a reproducer for this bug.

Potential Impact
This memory management gap presents a local kernel panic/Denial of Service (DoS). It manifests immediately if non-standard namespaces attempt to attach ISO images against arbitrary file descriptors instead of block device boundaries.

Proposed Fix
To intercept the vulnerability effectively, we suggest introducing a preliminary null-check protecting the interface invocations directly inside the superblock assembly:

```diff
--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -598,6 +598,12 @@ static int isofs_fill_super(struct super_block *s, struct fs_context *fc)
 	 * larger than the blocksize the user specified, then use
 	 * that value.
 	 */
+	
+	if (!s->s_bdev) {
+		printk(KERN_WARNING "ISOFS: missing underlying block device\n");
+		goto out_freesbi;
+	}
+	
 	/*
 	 * What if bugger tells us to go beyond page size?
 	 */
```

We would be highly honored if this could be of any help.

Best regards,
RacePilot Team

Re: BUG: unable to handle kernel NULL pointer dereference in __bread_gfp

[Jan Kara]

Hello!

On Wed 11-03-26 16:19:41, Jianzhou Zhao wrote:
> Subject: [BUG] isofs: kernel NULL pointer dereference in __bread_gfp
> 
> Dear Maintainers,
> 
> We are writing to report a NULL pointer dereference vulnerability within the JFS/ISOFS mounting architecture. This bug was found by our custom fuzzing tool, RacePilot. The bug occurs because `isofs_fill_super()` initiates disk reads via `sb_bread()` immediately relying on the superblock's `s_bdev` block device map being valid, which triggers an immediate NULL pointer dereference inside the `__bread_gfp()` buffer logic if a corrupted/malformed mount request bypasses or fails basic block device bindings. We observed this bug on the Linux kernel version 6.18.0-08691-g2061f18ad76e-dirty.
> 
> Call Trace & Context
> ==================================================================
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 33da6067 P4D 33da6067 PUD 0 
> Oops: Oops: 0002 [#1] SMP NOPTI
> CPU: 1 UID: 0 PID: 12411 Comm: syz.8.1172 Not tainted 6.18.0-08691-g2061f18ad76e-dirty #50 PREEMPT(voluntary) 
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> 
> Call Trace:
>  <TASK>
>  sb_bread include/linux/buffer_head.h:346 [inline]
>  isofs_fill_super+0x2ff/0x1900 fs/isofs/inode.c:632
>  get_tree_bdev_flags+0x256/0x370 fs/super.c:1699
>  get_tree_bdev+0x1f/0x30 fs/super.c:1722
>  isofs_get_tree+0x1c/0x30 fs/isofs/inode.c:1538
>  vfs_get_tree+0x51/0x1a0 fs/super.c:1759
>  fc_mount+0x1a/0x130 fs/namespace.c:1199
>  do_new_mount_fc fs/namespace.c:3636 [inline]
>  do_new_mount fs/namespace.c:3712 [inline]
>  path_mount+0x105c/0x1830 fs/namespace.c:4022
>  do_mount fs/namespace.c:4035 [inline]
>  __do_sys_mount fs/namespace.c:4224 [inline]
>  __se_sys_mount fs/namespace.c:4201 [inline]
>  __x64_sys_mount+0x1d7/0x210 fs/namespace.c:4201
>  ...
> ==================================================================

Hrm, OK.

> Root Cause Analysis
> A NULL pointer dereference takes place within the deepest buffer
> traversal locks. When fuzzy mounts present a dummy context, network
> stream, or loopback context absent of a strict block device assignment,
> `get_tree_bdev_flags` may pass down a partially mapped `super_block`
> containing `s->s_bdev == NULL`. The `isofs_fill_super()` code makes no
> defensive verification of `s->s_bdev` before executing
> `bdev_logical_block_size(s->s_bdev)` and `sb_bread(s, block)`, which
> ultimately cascades down to `__bread_gfp` attempting atomic flag
> acquisitions unconditionally against a zero-target address.

But this justification just doesn't make sense. When creating new
superblock setup_bdev_super() does set sb->s_bdev to non-NULL value. If
isofs_fill_super() called shortly afterwards got superblock with NULL
sb->s_bdev, it points to memory corruption or something similar going on.

> Unfortunately, we were unable to generate a reproducer for this bug.

And without a reproducer you never know. I'd say don't even bother with
reporting if you don't have a reliable reproducer of the crash, nobody is
going to have a look at it as it's mostly a waste of time.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR