[Bug 200355] New: Bad function pointer invoking (lookup) when mounting a reiserfs filesystem

https://bugzilla.kernel.org/show_bug.cgi?id=200355

            Bug ID: 200355
           Summary: Bad function pointer invoking (lookup) when mounting a
                    reiserfs filesystem
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 277009
  --> https://bugzilla.kernel.org/attachment.cgi?id=277009&action=edit
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 17.img mnt

- Kernel message
[  220.327982] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  220.328879] REISERFS (device loop0): using ordered data mode
[  220.328886] reiserfs: using flush barriers
[  220.329795] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  220.330920] REISERFS (device loop0): checking transaction log (loop0)
[  221.226796] REISERFS (device loop0): Using r5 hash to sort names
[  221.226945] init_special_inode: bogus i_mode (0) for inode loop0:3
[  221.227056] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  221.228743] PGD 80000001e3580067 P4D 80000001e3580067 PUD 1e3581067 PMD 0 
[  221.230137] Oops: 0010 [#1] SMP KASAN PTI
[  221.230970] CPU: 0 PID: 1355 Comm: mount Not tainted 4.18.0-rc1+ #8
[  221.232221] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  221.234099] RIP: 0010:          (null)
[  221.234852] Code: Bad RIP value.
[  221.235529] RSP: 0018:ffff8801f0dcf850 EFLAGS: 00010246
[  221.236598] RAX: 0000000000000000 RBX: ffff8801d0ae40b0 RCX: ffffffffa53f316c
[  221.238013] RDX: 0000000000000000 RSI: ffff8801eae81f00 RDI: ffff8801d0ae40b0
[  221.239429] RBP: ffff8801f0dcf900 R08: 0000000000000000 R09: ffffed003d5d03cc
[  221.240851] R10: 0000000000000001 R11: ffffed003d5d03cb R12: 1ffff1003e1b9f0f
[  221.242263] R13: ffffffffa693aa80 R14: 0000000000000000 R15: ffff8801eae81f00
[  221.243675] FS:  00007fd9c795b840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  221.245284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  221.246426] CR2: ffffffffffffffd6 CR3: 00000001f14f8000 CR4: 00000000000006f0
[  221.247854] Call Trace:
[  221.248437]  ? __lookup_slow+0x12e/0x240
[  221.249247]  ? may_delete+0x2b0/0x2b0
[  221.249994]  ? d_lookup+0x2a/0x50
[  221.250670]  lookup_one_len+0x126/0x140
[  221.251450]  ? lookup_one_len_unlocked+0xd0/0xd0
[  221.252378]  ? lookup_one_len_unlocked+0xd0/0xd0
[  221.253351]  reiserfs_xattr_init+0x30d/0x390
[  221.254243]  ? up_write+0x16/0x40
[  221.254927]  reiserfs_fill_super+0x1358/0x1550
[  221.255830]  ? finish_unfinished+0x940/0x940
[  221.256740]  ? netdev_bits+0x50/0x50
[  221.257485]  ? __asan_loadN+0xf/0x20
[  221.258215]  ? format_decode+0x2af/0x4a0
[  221.259010]  ? vsnprintf+0x55f/0x980
[  221.259734]  ? pointer+0x520/0x520
[  221.260424]  ? up_write+0x16/0x40
[  221.261112]  ? vsprintf+0x20/0x20
[  221.261799]  ? set_blocksize+0x90/0x140
[  221.262592]  mount_bdev+0x1c5/0x210
[  221.263308]  ? finish_unfinished+0x940/0x940
[  221.264174]  get_super_block+0x15/0x20
[  221.264951]  mount_fs+0x60/0x1a0
[  221.265624]  ? alloc_vfsmnt+0x309/0x360
[  221.266411]  vfs_kern_mount+0x6b/0x1a0
[  221.267179]  do_mount+0x34a/0x18c0
[  221.267899]  ? lockref_put_or_lock+0xcf/0x160
[  221.268795]  ? copy_mount_string+0x20/0x20
[  221.269625]  ? kasan_kmalloc+0xad/0xe0
[  221.270388]  ? kmem_cache_alloc_trace+0x102/0x200
[  221.271337]  ? copy_mount_options+0x4b/0x190
[  221.272202]  ? copy_mount_options+0xd5/0x190
[  221.273076]  ksys_mount+0x83/0xd0
[  221.273758]  __x64_sys_mount+0x67/0x80
[  221.274536]  do_syscall_64+0x78/0x170
[  221.275299]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  221.276333] RIP: 0033:0x7fd9c723bb9a
[  221.277070] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 
[  221.280828] RSP: 002b:00007ffe8811a7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  221.282331] RAX: ffffffffffffffda RBX: 0000000000a96030 RCX: 00007fd9c723bb9a
[  221.283747] RDX: 0000000000a96210 RSI: 0000000000a97f50 RDI: 0000000000a9eee0
[  221.285172] RBP: 0000000000000000 R08: 0000000000a96230 R09: 0000000000000017
[  221.286585] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000000a9eee0
[  221.287993] R13: 0000000000a96210 R14: 0000000000000000 R15: 0000000000000005
[  221.289426] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  221.305309] CR2: 0000000000000000
[  221.306217] ---[ end trace 2e85051acb5f6dc1 ]---
[  221.307178] RIP: 0010:          (null)
[  221.307948] Code: Bad RIP value.
[  221.308668] RSP: 0018:ffff8801f0dcf850 EFLAGS: 00010246
[  221.309738] RAX: 0000000000000000 RBX: ffff8801d0ae40b0 RCX: ffffffffa53f316c
[  221.311161] RDX: 0000000000000000 RSI: ffff8801eae81f00 RDI: ffff8801d0ae40b0
[  221.312632] RBP: ffff8801f0dcf900 R08: 0000000000000000 R09: ffffed003d5d03cc
[  221.314061] R10: 0000000000000001 R11: ffffed003d5d03cb R12: 1ffff1003e1b9f0f
[  221.315501] R13: ffffffffa693aa80 R14: 0000000000000000 R15: ffff8801eae81f00
[  221.316980] FS:  00007fd9c795b840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  221.318610] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  221.319765] CR2: ffffffffffffffd6 CR3: 00000001f14f8000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/namei.c#L1630
                old = inode->i_op->lookup(inode, dentry, flags);
                d_lookup_done(dentry);
                if (unlikely(old)) {
i_op->lookup seems not to be properly initialized.

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.
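The report pairs "bogus i_mode (0)" from init_special_inode with a call through a NULL i_op->lookup during reiserfs_xattr_init. The following is an added userspace model of that failure mode, written for this page; it is not kernel code, and struct inode, struct inode_operations, init_special_inode() and lookup_one_len() are replaced by simplified stand-ins with made-up names (inode_init_lenient, inode_init_strict, lookup_unchecked, lookup_checked). It shows the lenient initialisation that leaves the lookup slot NULL for an inode whose on-disk mode has no valid type bits, and two places a guard can go: rejecting the inode at initialisation time, and checking for a directory with a lookup op before calling through the pointer. Neither guard is claimed to be the upstream fix for this bug.

```c
/* Userspace model of the report's crash path: a directory-only operation
 * (lookup) reached through an inode whose on-disk i_mode had no valid type
 * bits, so its i_op table never received a lookup callback. Names here are
 * simplified stand-ins, not the kernel's own structs or functions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#ifndef EUCLEAN
#define EUCLEAN 117          /* Linux "structure needs cleaning"; fallback for other libcs */
#endif

/* File-type bits of i_mode, same octal values as S_IFMT and friends. */
#define MODE_IFMT   0170000
#define MODE_IFDIR  0040000
#define MODE_IFREG  0100000
#define MODE_IFCHR  0020000
#define MODE_IFBLK  0060000
#define MODE_IFIFO  0010000
#define MODE_IFSOCK 0140000

struct inode;
struct dentry { const char *name; };

struct inode_operations {
    /* Only directories provide lookup; every other table leaves it NULL. */
    struct dentry *(*lookup)(struct inode *dir, struct dentry *d, unsigned flags);
};

struct inode {
    unsigned mode;
    const struct inode_operations *i_op;
};

static struct dentry *dir_lookup(struct inode *dir, struct dentry *d, unsigned flags)
{
    (void)dir; (void)flags;
    return d;                            /* model: every name "exists" */
}

static const struct inode_operations dir_ops  = { .lookup = dir_lookup };
static const struct inode_operations file_ops = { .lookup = NULL };
static const struct inode_operations none_ops = { .lookup = NULL };   /* special/unknown */

/* Lenient initialisation: on an unknown type it only warns, so the caller
 * still gets a usable-looking inode whose lookup pointer is NULL. */
static int inode_init_lenient(struct inode *inode, unsigned on_disk_mode)
{
    inode->mode = on_disk_mode;
    switch (on_disk_mode & MODE_IFMT) {
    case MODE_IFDIR: inode->i_op = &dir_ops;  break;
    case MODE_IFREG: inode->i_op = &file_ops; break;
    case MODE_IFCHR: case MODE_IFBLK: case MODE_IFIFO: case MODE_IFSOCK:
        inode->i_op = &none_ops; break;
    default:
        fprintf(stderr, "bogus i_mode (%o)\n", on_disk_mode);
        inode->i_op = &none_ops;         /* warning only, inode handed out anyway */
        break;
    }
    return 0;
}

/* Strict initialisation: an on-disk mode with no valid type is corruption,
 * so fail the inode instead of handing it out. */
static int inode_init_strict(struct inode *inode, unsigned on_disk_mode)
{
    switch (on_disk_mode & MODE_IFMT) {
    case MODE_IFDIR: case MODE_IFREG: case MODE_IFCHR: case MODE_IFBLK:
    case MODE_IFIFO: case MODE_IFSOCK:
        return inode_init_lenient(inode, on_disk_mode);
    default:
        inode->mode = 0;
        inode->i_op = &none_ops;
        return -EUCLEAN;
    }
}

/* Caller as in the trace: calls through i_op->lookup unconditionally. On an
 * inode from inode_init_lenient(0) this is the RIP = 0 call in the report. */
struct dentry *lookup_unchecked(struct inode *dir, struct dentry *d)
{
    return dir->i_op->lookup(dir, d, 0);
}

/* Hardened caller: only a directory that actually has a lookup op is searched. */
int lookup_checked(struct inode *dir, struct dentry *d, struct dentry **out)
{
    *out = NULL;
    if ((dir->mode & MODE_IFMT) != MODE_IFDIR || dir->i_op->lookup == NULL)
        return -ENOTDIR;
    *out = dir->i_op->lookup(dir, d, 0);
    return 0;
}

/* Drive the report's scenario with a constructed on-disk mode. Returns the
 * negative errno a guard produced, or 0 when the lookup went through. */
int crafted_mode_outcome(unsigned on_disk_mode, int strict)
{
    struct inode ino;
    struct dentry d = { "example_name" };   /* constructed name, not from the image */
    struct dentry *res;
    int rc = strict ? inode_init_strict(&ino, on_disk_mode)
                    : inode_init_lenient(&ino, on_disk_mode);
    if (rc)
        return rc;
    return lookup_checked(&ino, &d, &res);
}

int main(void)
{
    printf("lenient init, mode 0 : %d\n", crafted_mode_outcome(0, 0));
    printf("strict init,  mode 0 : %d\n", crafted_mode_outcome(0, 1));
    printf("strict init,  dir    : %d\n", crafted_mode_outcome(MODE_IFDIR | 0755, 1));
    return 0;
}
```

With mode 0 the lenient path returns an inode that only the caller-side check saves; the strict path never lets the inode out. Either guard would have turned the crafted image into an error at mount time instead of a kernel oops, which is the property a filesystem parsing untrusted images needs.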
