Re: BUG: unable to handle kernel NULL pointer dereference in __bread_gfp

[Jan Kara <jack@suse.cz>]

Hello!

On Wed 11-03-26 16:19:41, Jianzhou Zhao wrote:
> Subject: [BUG] isofs: kernel NULL pointer dereference in __bread_gfp
> 
> Dear Maintainers,
> 
> We are writing to report a NULL pointer dereference vulnerability within the JFS/ISOFS mounting architecture. This bug was found by our custom fuzzing tool, RacePilot. The bug occurs because `isofs_fill_super()` initiates disk reads via `sb_bread()` immediately relying on the superblock's `s_bdev` block device map being valid, which triggers an immediate NULL pointer dereference inside the `__bread_gfp()` buffer logic if a corrupted/malformed mount request bypasses or fails basic block device bindings. We observed this bug on the Linux kernel version 6.18.0-08691-g2061f18ad76e-dirty.
> 
> Call Trace & Context
> ==================================================================
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 33da6067 P4D 33da6067 PUD 0 
> Oops: Oops: 0002 [#1] SMP NOPTI
> CPU: 1 UID: 0 PID: 12411 Comm: syz.8.1172 Not tainted 6.18.0-08691-g2061f18ad76e-dirty #50 PREEMPT(voluntary) 
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> 
> Call Trace:
>  <TASK>
>  sb_bread include/linux/buffer_head.h:346 [inline]
>  isofs_fill_super+0x2ff/0x1900 fs/isofs/inode.c:632
>  get_tree_bdev_flags+0x256/0x370 fs/super.c:1699
>  get_tree_bdev+0x1f/0x30 fs/super.c:1722
>  isofs_get_tree+0x1c/0x30 fs/isofs/inode.c:1538
>  vfs_get_tree+0x51/0x1a0 fs/super.c:1759
>  fc_mount+0x1a/0x130 fs/namespace.c:1199
>  do_new_mount_fc fs/namespace.c:3636 [inline]
>  do_new_mount fs/namespace.c:3712 [inline]
>  path_mount+0x105c/0x1830 fs/namespace.c:4022
>  do_mount fs/namespace.c:4035 [inline]
>  __do_sys_mount fs/namespace.c:4224 [inline]
>  __se_sys_mount fs/namespace.c:4201 [inline]
>  __x64_sys_mount+0x1d7/0x210 fs/namespace.c:4201
>  ...
> ==================================================================

Hrm, OK.

> Root Cause Analysis
> A NULL pointer dereference takes place within the deepest buffer
> traversal locks. When fuzzy mounts present a dummy context, network
> stream, or loopback context absent of a strict block device assignment,
> `get_tree_bdev_flags` may pass down a partially mapped `super_block`
> containing `s->s_bdev == NULL`. The `isofs_fill_super()` code makes no
> defensive verification of `s->s_bdev` before executing
> `bdev_logical_block_size(s->s_bdev)` and `sb_bread(s, block)`, which
> ultimately cascades down to `__bread_gfp` attempting atomic flag
> acquisitions unconditionally against a zero-target address.

But this justification just doesn't make sense. When creating new
superblock setup_bdev_super() does set sb->s_bdev to non-NULL value. If
isofs_fill_super() called shortly afterwards got superblock with NULL
sb->s_bdev, it points to memory corruption or something similar going on.

> Unfortunately, we were unable to generate a reproducer for this bug.

And without a reproducer you never know. I'd say don't even bother with
reporting if you don't have a reliable reproducer of the crash, nobody is
going to have a look at it as it's mostly a waste of time.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR