BUG: NULL ptr deref at 0000000000000040 (hfs_find_init+0x1a/0x60)

From: Vegard Nossum
Date: Tue Dec 01 2015 - 15:35:49 EST


Hi,

Mounting the attached hfs image (fuzzed) on the latest linus/master
gives me the following NULL pointer dereference:

# mount -o loop -t hfs hfs.0 /mnt/
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: [<ffffffff8126c6fa>] hfs_find_init+0x1a/0x60
PGD 148b4067 PUD 148b3067 PMD 0
Oops: 0000 [#1] SMP KASAN
CPU: 2 PID: 981 Comm: mount Not tainted 4.4.0-rc3+ #245
task: ffff880015b25400 ti: ffff880014820000 task.ti: ffff880014820000
RIP: 0010:[<ffffffff8126c6fa>] [<ffffffff8126c6fa>] hfs_find_init+0x1a/0x60
RSP: 0018:ffff8800148279c8 EFLAGS: 00010246
RAX: ffff88001625fc90 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8800148279f0 RDI: 0000000000000000
RBP: ffff8800148279d8 R08: 0000000000000000 R09: ffff880014eb3650
R10: ffffea00005c9300 R11: 0000000000000000 R12: ffff8800148279f0
R13: ffff880015461b90 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fec8d137880(0000) GS:ffff880017000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000000015806000 CR4: 00000000001406a0
Stack:
ffff8800148100b0 0000000000000000 ffff880014827a38 ffffffff81270331
0000000000000000 ffff880014827a08 ffffffff8118c07c 0000000000000000
0000000000000000 ffff8800168e4e00 ffffea00005c9300 ffffed00029d66d7
Call Trace:
[<ffffffff81270331>] hfs_ext_read_extent+0x41/0x170
[<ffffffff8118c07c>] ? alloc_buffer_head+0x1c/0x60
[<ffffffff81270a36>] hfs_get_block+0x146/0x1a0
[<ffffffff8118cce3>] block_read_full_page+0x123/0x330
[<ffffffff812708f0>] ? hfs_extend_file+0x200/0x200
[<ffffffff81105886>] ? __add_to_page_cache_locked+0x126/0x1c0
[<ffffffff81270e10>] ? hfs_bmap+0x20/0x20
[<ffffffff81270e23>] hfs_readpage+0x13/0x20
[<ffffffff81107298>] do_read_cache_page+0x78/0x190
[<ffffffff81270460>] ? hfs_ext_read_extent+0x170/0x170
[<ffffffff81107f34>] read_cache_page+0x14/0x20
[<ffffffff8126e8e5>] hfs_btree_open+0x125/0x2f0
[<ffffffff81272bf5>] hfs_mdb_get+0x3b5/0x650
[<ffffffff8147181b>] ? string.isra.2+0x3b/0xd0
[<ffffffff812701c7>] ? hfs_free_extents+0x37/0xc0
[<ffffffff8127354e>] hfs_fill_super+0x1be/0x670
[<ffffffff81473619>] ? snprintf+0x39/0x40
[<ffffffff81116f25>] ? register_shrinker+0x75/0x90
[<ffffffff8115deb5>] mount_bdev+0x185/0x1c0
[<ffffffff81273390>] ? hfs_remount+0x80/0x80
[<ffffffff81273230>] hfs_mount+0x10/0x20
[<ffffffff8115e0e4>] mount_fs+0x34/0x160
[<ffffffff811240b0>] ? __alloc_percpu+0x10/0x20
[<ffffffff81178a22>] vfs_kern_mount+0x62/0x110
[<ffffffff81179e6b>] do_mount+0x21b/0xdd0
[<ffffffff81153a5d>] ? kasan_slab_alloc+0xd/0x10
[<ffffffff81153472>] ? __kmalloc_track_caller+0xc2/0x180
[<ffffffff8111f61c>] ? strndup_user+0x3c/0x50
[<ffffffff8111f5ad>] ? memdup_user+0x3d/0x70
[<ffffffff8117ad06>] SyS_mount+0x86/0xd0
[<ffffffff819e356e>] entry_SYSCALL_64_fastpath+0x12/0x71
Code: c8 48 83 c2 04 89 c1 e9 48 ff ff ff 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 f4 53 49 89 7c 24 10 48 89 fb 48 c7 46 18 00 00 00 00 <8b> 47 40 be c0 00 40 02 8d 7c 00 04 e8 35 4e ee ff 48 85 c0 74
RIP [<ffffffff8126c6fa>] hfs_find_init+0x1a/0x60
RSP <ffff8800148279c8>
CR2: 0000000000000040
---[ end trace da9ee4ec66b489ef ]---
mount (981) used greatest stack depth: 28992 bytes left

That seems to be:

ffffffff8126c6fa fs/hfs/bfind.c:20:
ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);

I can test patches.


Vegard

Attachment: hfs.0.bz2
Description: application/bzip
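Added example, not part of the report above and not the kernel's code: a userspace C model of the two triage steps a reader would do on this oops, then the guard that turns the crash into an error return. Step one computes the address a NULL tree pointer would fault at from a struct layout; step two recovers the same number from the `Code:` line, where the bytes after the `<..>` marker are `8b 47 40`, i.e. `mov eax, dword [rdi+0x40]`, with `RDI` = 0 in the register dump. The `mock_btree` layout is an assumption chosen so that `max_key_len` lands at offset 0x40 (the kernel's `struct hfs_btree` layout is not reproduced here), `mock_find_init` mirrors the allocation at fs/hfs/bfind.c:20 with a NULL check added in front of it, and `-EINVAL` is this example's choice of error, not taken from any upstream fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Mock B-tree descriptor. This is NOT the kernel's struct hfs_btree: the
 * opaque header is sized so that max_key_len sits at offset 0x40, which is
 * the address the oops reports in CR2 with RDI = 0.
 */
struct mock_btree {
	uint8_t  header[0x40];  /* stand-in for sb, inode, node_size, ... */
	uint32_t max_key_len;   /* first field hfs_find_init reads */
};

struct mock_find_data {
	struct mock_btree *tree;
	void *bnode;
	uint8_t *search_key;
	uint8_t *key;
};

/* Step 1: the fault address a NULL tree pointer produces for this layout. */
size_t null_tree_fault_address(void)
{
	return offsetof(struct mock_btree, max_key_len);
}

/*
 * Step 2: recover the same number from the instruction bytes. Handles only
 * the encoding seen in the oops: opcode 0x8b (mov r32, r/m32) with ModRM
 * mod=01 (disp8), r/m=111 (rdi). Returns rdi + disp8, or (uint64_t)-1 if
 * the bytes are some other instruction.
 */
uint64_t fault_address_from_code(const uint8_t *code, uint64_t rdi)
{
	uint8_t mod = code[1] >> 6, rm = code[1] & 7;

	if (code[0] != 0x8b || mod != 1 || rm != 7)
		return (uint64_t)-1;
	return rdi + (int8_t)code[2];
}

/* The three bytes after <..> in the Code: line, and RDI from the dump. */
uint64_t oops_fault_address(void)
{
	static const uint8_t code[] = { 0x8b, 0x47, 0x40 }; /* copied from the oops */
	return fault_address_from_code(code, 0);
}

/*
 * Guarded counterpart of the allocation at fs/hfs/bfind.c:20. The kernel
 * reads tree->max_key_len unconditionally; here a NULL tree is rejected
 * before the dereference. -EINVAL is an assumption for this example.
 */
int mock_find_init(struct mock_btree *tree, struct mock_find_data *fd)
{
	uint8_t *ptr;

	fd->tree = tree;
	fd->bnode = NULL;
	if (!tree)
		return -EINVAL;
	ptr = malloc(tree->max_key_len * 2 + 4);
	if (!ptr)
		return -ENOMEM;
	fd->search_key = ptr;
	fd->key = ptr + tree->max_key_len + 2;
	return 0;
}

void mock_find_exit(struct mock_find_data *fd)
{
	free(fd->search_key);
	fd->search_key = fd->key = NULL;
}

/* What the unguarded kernel path would crash on: init with no tree. */
int init_with_null_tree(void)
{
	struct mock_find_data fd;
	return mock_find_init(NULL, &fd);
}

/* Happy path: returns key - search_key (max_key_len + 2) or the error code. */
long init_with_tree(uint32_t max_key_len)
{
	struct mock_btree tree = { .max_key_len = max_key_len };
	struct mock_find_data fd;
	int res = mock_find_init(&tree, &fd);
	long dist;

	if (res)
		return res;
	dist = fd.key - fd.search_key;
	mock_find_exit(&fd);
	return dist;
}

int main(void)
{
	printf("offsetof(max_key_len)      = %#zx\n", null_tree_fault_address());
	printf("decoded fault address      = %#llx\n",
	       (unsigned long long)oops_fault_address());
	printf("find_init(NULL)            = %d\n", init_with_null_tree());
	printf("key - search_key (len 37)  = %ld\n", init_with_tree(37));
	return 0;
}
```

The two independent routes agreeing on 0x40 is the check worth doing before reading the source: it confirms the faulting load is the first field access in `hfs_find_init`, so the NULL is the `tree` argument itself rather than something reached through it. Where the guard belongs (in `hfs_find_init` or in the caller that passes the not-yet-opened extents tree) is a decision for the real fix; the example only shows that a check before the dereference is enough to turn the oops into an error.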