Hi,

Mounting the attached hfs image (fuzzed) on the latest linus/master gives me the following NULL pointer dereference:

# mount -o loop -t hfs hfs.0 /mnt/
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: [<ffffffff8126c6fa>] hfs_find_init+0x1a/0x60
PGD 148b4067 PUD 148b3067 PMD 0
Oops: 0000 [#1] SMP KASAN
CPU: 2 PID: 981 Comm: mount Not tainted 4.4.0-rc3+ #245
task: ffff880015b25400 ti: ffff880014820000 task.ti: ffff880014820000
RIP: 0010:[<ffffffff8126c6fa>]  [<ffffffff8126c6fa>] hfs_find_init+0x1a/0x60
RSP: 0018:ffff8800148279c8  EFLAGS: 00010246
RAX: ffff88001625fc90 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8800148279f0 RDI: 0000000000000000
RBP: ffff8800148279d8 R08: 0000000000000000 R09: ffff880014eb3650
R10: ffffea00005c9300 R11: 0000000000000000 R12: ffff8800148279f0
R13: ffff880015461b90 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fec8d137880(0000) GS:ffff880017000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000000015806000 CR4: 00000000001406a0
Stack:
 ffff8800148100b0 0000000000000000 ffff880014827a38 ffffffff81270331
 0000000000000000 ffff880014827a08 ffffffff8118c07c 0000000000000000
 0000000000000000 ffff8800168e4e00 ffffea00005c9300 ffffed00029d66d7
Call Trace:
 [<ffffffff81270331>] hfs_ext_read_extent+0x41/0x170
 [<ffffffff8118c07c>] ? alloc_buffer_head+0x1c/0x60
 [<ffffffff81270a36>] hfs_get_block+0x146/0x1a0
 [<ffffffff8118cce3>] block_read_full_page+0x123/0x330
 [<ffffffff812708f0>] ? hfs_extend_file+0x200/0x200
 [<ffffffff81105886>] ? __add_to_page_cache_locked+0x126/0x1c0
 [<ffffffff81270e10>] ? hfs_bmap+0x20/0x20
 [<ffffffff81270e23>] hfs_readpage+0x13/0x20
 [<ffffffff81107298>] do_read_cache_page+0x78/0x190
 [<ffffffff81270460>] ? hfs_ext_read_extent+0x170/0x170
 [<ffffffff81107f34>] read_cache_page+0x14/0x20
 [<ffffffff8126e8e5>] hfs_btree_open+0x125/0x2f0
 [<ffffffff81272bf5>] hfs_mdb_get+0x3b5/0x650
 [<ffffffff8147181b>] ? string.isra.2+0x3b/0xd0
 [<ffffffff812701c7>] ? hfs_free_extents+0x37/0xc0
 [<ffffffff8127354e>] hfs_fill_super+0x1be/0x670
 [<ffffffff81473619>] ? snprintf+0x39/0x40
 [<ffffffff81116f25>] ? register_shrinker+0x75/0x90
 [<ffffffff8115deb5>] mount_bdev+0x185/0x1c0
 [<ffffffff81273390>] ? hfs_remount+0x80/0x80
 [<ffffffff81273230>] hfs_mount+0x10/0x20
 [<ffffffff8115e0e4>] mount_fs+0x34/0x160
 [<ffffffff811240b0>] ? __alloc_percpu+0x10/0x20
 [<ffffffff81178a22>] vfs_kern_mount+0x62/0x110
 [<ffffffff81179e6b>] do_mount+0x21b/0xdd0
 [<ffffffff81153a5d>] ? kasan_slab_alloc+0xd/0x10
 [<ffffffff81153472>] ? __kmalloc_track_caller+0xc2/0x180
 [<ffffffff8111f61c>] ? strndup_user+0x3c/0x50
 [<ffffffff8111f5ad>] ? memdup_user+0x3d/0x70
 [<ffffffff8117ad06>] SyS_mount+0x86/0xd0
 [<ffffffff819e356e>] entry_SYSCALL_64_fastpath+0x12/0x71
Code: c8 48 83 c2 04 89 c1 e9 48 ff ff ff 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 f4 53 49 89 7c 24 10 48 89 fb 48 c7 46 18 00 00 00 00 <8b> 47 40 be c0 00 40 02 8d 7c 00 04 e8 35 4e ee ff 48 85 c0 74
RIP  [<ffffffff8126c6fa>] hfs_find_init+0x1a/0x60
 RSP <ffff8800148279c8>
CR2: 0000000000000040
---[ end trace da9ee4ec66b489ef ]---
mount (981) used greatest stack depth: 28992 bytes left

That seems to be:

ffffffff8126c6fa fs/hfs/bfind.c:20:
	ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);

I can test patches.

Vegard
Attachment:
hfs.0.bz2
Description: application/bzip