Re: Mounting corrupted HFS+ causes kernel NULL pointer dereference

From: Anatoly Trosinenko
Date: Tue Jul 10 2018 - 14:57:41 EST

Next message: Mark Rutland: "Re: [PATCH v5 7/7] arm64: perf: Add support for chaining event counters"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 01/47] usb: cdc_acm: Add quirk for Uniden UBC125 scanner"
In reply to: Ernesto A. FernÃndez: "Re: Mounting corrupted HFS+ causes kernel NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> This should be fixed, but
> it's not as big an issue as the deadlock. Filesystems usually don't need
> to worry about protecting a crafted image from acting weird and causing
> damage to itself.

I just thought that deadlocking a single thread is not much worse than
further damaging already damaged FS and is not very dangerous (since
it's not a NULL dereference or something like this). If it is or only
malicious image can probably be damaged this way then I have no
objections or further requests, so please excuse me for unclear
wordings.

Thanks,
Anatoly
ÐÑ, 10 ÐÑÐ. 2018 Ð. Ð 21:38, Ernesto A. FernÃndez
<ernesto.mnd.fernandez@xxxxxxxxx>:
>
> On Tue, Jul 10, 2018 at 08:28:37PM +0300, Anatoly Trosinenko wrote:
> > Thank you,
> >
> > When applied this single patch on v4.18-rc4 and performed "echo >
> > /mnt/xyz" on hfsplus_16mb_hang image, I get about 14 pairs of lines
> >
> > hfsplus: unable to mark blocks free: error -5
> > hfsplus: can't free extent
> >
> > Then `echo` exits with "No space left on device" error.
>
> Truncation does not return error codes in hfsplus, hence this weird "No
> space left" that comes from somewhere else. This should be fixed, but
> it's not as big an issue as the deadlock. Filesystems usually don't need
> to worry about protecting a crafted image from acting weird and causing
> damage to itself.
>
> >Then it
> > permits to perform `rm /mnt/xyz` and on `echo > /mnt/1` it responds
> > with no space left on device (but file *is* created and is cattable).
> > I don't know what is safer, but now it doesn't deadlock. :) Maybe it
> > is even worth to remount FS r/o, I don't know. (Please excuse me for
> > speculations)
>
> It's not strange that the /mnt/1 file could be created but not written
> to, since the first operation doesn't usually require allocating blocks.
>
> >
> > Thanks,
> > Anatoly
>
> OK, I'll take a look at the truncation error codes as soon as I'm done
> with the other deadlocks I found. It could take a while.
>
> Thanks for the testing.
> Ernest
>
> > ÐÐ, 9 ÐÑÐ. 2018 Ð. Ð 23:35, Ernesto A. FernÃndez
> > <ernesto.mnd.fernandez@xxxxxxxxx>:
> > >
> > > On Tue, Jun 12, 2018 at 09:43:26PM +0300, Anatoly Trosinenko wrote:
> > > > And when I mount hfsplus_16mb_hang and perform `echo > /mnt/xyz`, it hangs.
> > >
> > > I just sent you a patch for this final report. Let me know if it works
> > > for you.

Next message: Mark Rutland: "Re: [PATCH v5 7/7] arm64: perf: Add support for chaining event counters"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 01/47] usb: cdc_acm: Add quirk for Uniden UBC125 scanner"
In reply to: Ernesto A. FernÃndez: "Re: Mounting corrupted HFS+ causes kernel NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]