Re: [BUG] adfs: mount-time null-ptr-deref in range [0x10-0x17] in adfs_read_map()
From: Hyungjung Joo
Date: Tue Mar 10 2026 - 01:44:24 EST
Hello,
I am adding information to my report of a filesystem bug reproduced on
the current mainline with KASAN enabled.
Target file: fs/adfs/map.c
Subsystem: fs/adfs
Git head: 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c
Kernel release: 7.0.0-rc2+
Root cause:
The boot-block mount path accepts a disc record with `nzones==0`
because `adfs_validate_bblk()` only gates on `adfs_checkbblk()` and
`adfs_checkdiscrecord()`, and `adfs_checkdiscrecord()` never enforces
a nonzero zone count. `adfs_read_map()` then computes `nzones =
dr->nzones | dr->nzones_high << 8`, calls `kmalloc_objs(*dm, nzones)`
with zero, gets a `ZERO_SIZE_PTR` rather than `NULL`, and immediately
passes it to `adfs_map_layout()`, which writes `dm[0]` and later
`dm[nzones - 1]`, causing a mount-time kernel null/low-address
dereference.
Reproducer:
C reproducer: https://pastebin.com/raw/CX7gindX
KASAN full log: https://pastebin.com/raw/f9daNJxv
Kernel config: https://pastebin.com/raw/r9FAJk2b
Key config options:
- CONFIG_KASAN=y
- CONFIG_KASAN_GENERIC=y
- CONFIG_KASAN_MULTI_SHOT=y
- CONFIG_DEBUG_KERNEL=y
- CONFIG_FRAME_POINTER=y
- CONFIG_ADFS_FS=y
- CONFIG_BLK_DEV_LOOP=y
Brief KASAN call trace:
[ 158.823801][ T146] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 158.824306][ T146] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[ 158.824306][ T146] RIP: 0010:adfs_read_map+0x420/0xbc0
[ 158.824306][ T146] Call Trace:
[ 158.824306][ T146] adfs_probe+0x3b7/0x540
[ 158.824306][ T146] adfs_fill_super+0x179/0x640
[ 158.824306][ T146] get_tree_bdev_flags+0x3aa/0x680
[ 158.824306][ T146] vfs_get_tree+0x98/0x380
[ 158.824306][ T146] fc_mount+0x1f/0x240
[ 158.824306][ T146] do_new_mount+0x3d6/0x700
[ 158.824306][ T146] path_mount+0x4bb/0x1500
[ 158.824306][ T146] __x64_sys_mount+0x2a8/0x340
[ 158.824306][ T146] do_syscall_64+0x141/0x940
[ 158.824306][ T146] entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reproducibility notes:
- observed crash: mount-time null-ptr-deref in range
[0x0000000000000010-0x0000000000000017] in adfs_read_map()
- rootfs mode: busybox
- guest /init runs the case-specific trigger binary automatically
If you need anything else, please let me know.
Thank you.
Best regards,
Hyungjung Joo, jhj140711@xxxxxxxxx
On Sun, Mar 8, 2026 at 5:44 PM 주형정 <jhj140711@xxxxxxxxx> wrote:
>
> Hello,
>
> I am reporting a filesystem bug reproduced on current mainline with
> KASAN enabled.
>
> Target file: fs/adfs/map.c
> Subsystem: fs/adfs
> Git head: 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c
> Kernel release: 7.0.0-rc2+
> Case ID: case-20260306T142346Z-30e0
>
> Root cause:
> The boot-block mount path accepts a disc record with `nzones==0`
> because `adfs_validate_bblk()` only gates on `adfs_checkbblk()` and
> `adfs_checkdiscrecord()`, and `adfs_checkdiscrecord()` never enforces
> a nonzero zone count. `adfs_read_map()` then computes `nzones =
> dr->nzones | dr->nzones_high << 8`, calls `kmalloc_objs(*dm, nzones)`
> with zero, gets a `ZERO_SIZE_PTR` rather than `NULL`, and immediately
> passes it to `adfs_map_layout()`, which writes `dm[0]` and later
> `dm[nzones - 1]`, causing a mount-time kernel null/low-address
> dereference.
>
> Observed crash: mount-time null-ptr-deref in range
> [0x0000000000000010-0x0000000000000017] in adfs_read_map()
>
> KASAN excerpt:
> [ 144.659016][ T1] CPA protect Rodata RO: 0xff1100007364e000 -
> 0xff1100007364efff PFN 7364e req 8000000000000123 prevent
> 0000000000000002
> [ 144.659565][ T1] CPA protect Rodata RO: 0xffffffffab64f000 -
> 0xffffffffab64ffff PFN 7364f req 8000000000000123 prevent
> 0000000000000002
> [ 144.660563][ T1] CPA protect Rodata RO: 0xff1100007364f000 -
> 0xff1100007364ffff PFN 7364f req 8000000000000123 prevent
> 0000000000000002
> [ 144.668921][ T1] Testing CPA: again
> [ 145.133922][ T1] debug: unmapping init [mem
> 0xffffffffa9396000-0xffffffffa93fffff]
> [ 145.136886][ T1] debug: unmapping init [mem
> 0xffffffffab650000-0xffffffffab7fffff]
> [ 157.130123][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
> [ 157.132907][ T1] rodata_test: all tests were successful
> [ 157.134666][ T1] Run /init as init process
> [kaudit] guest init start
> [kaudit] guest init start
> + '[' -x /poc/serial-mark ]
> + /poc/serial-mark '[kaudit] run.sh start\n'
> [kaudit] run.sh start\n[ 158.284872][ T145] serial-mark (145) used
> greatest stack depth: 8 bytes left
> + echo '[kaudit] trigger command: /poc/poc-bin'
> [kaudit] trigger command: /poc/poc-bin
> + /poc/poc-bin
> [ 158.729491][ T146] loop0: detected capacity change from 0 to 8
> mounting /tmp/adfs-nzones0.img via /dev/loop0; expect crash in adfs_map_layout()
> [ 158.823801][ T146] Oops: general protection fault, probably for
> non-canonical address 0xdffffc0000000002: 0000 [#1] SMP
> DEBUG_PAGEALLOC KASAN NOPTI
> [ 158.824306][ T146] KASAN: null-ptr-deref in range
> [0x0000000000000010-0x0000000000000017]
> [ 158.824306][ T146] CPU: 0 UID: 0 PID: 146 Comm: poc-bin Tainted: G
> W T 7.0.0-rc2+ #4 PREEMPT(lazy)
> f57869d565a4551be95743026afd79a1bf2712c7
> [ 158.824306][ T146] Tainted: [W]=WARN, [T]=RANDSTRUCT
> [ 158.824306][ T146] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.15.0-1 04/01/2014
> [ 158.824306][ T146] RIP: 0010:adfs_read_map+0x420/0xbc0
> [ 158.824306][ T146] Code: 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 7f 05
> 00 00 0f b7 45 0a 48 8b 54 24 10 41 29 c7 48 c1 ea 03 48 b8 00 00 00
> 00 00 fc ff df <80> 3c 02 00 44 89 7c 24 08 0f 85 12 07 00 00 48 8b 44
> 24 10 48 8d
> [ 158.824306][ T146] RSP: 0018:ffa00000014a7658 EFLAGS: 00000202
> [ 158.824306][ T146] RAX: dffffc0000000000 RBX: 0000000000000000
> RCX: 0000000000000000
> [ 158.824306][ T146] RDX: 0000000000000002 RSI: 0000000000000000
> RDI: 0000000000000000
> [ 158.824306][ T146] RBP: ff11000006345dc0 R08: 0000000000000000
> R09: 0000000000000000
> [ 158.824306][ T146] R10: 0000000000000000 R11: 0000000000000000
> R12: ff11000004f04000
> [ 158.824306][ T146] R13: ff11000006345dca R14: 0000000000000000
> R15: 0000000000002000
> [ 158.824306][ T146] FS: 00000000004ce3c0(0000)
> GS:ff110000ab608000(0000) knlGS:0000000000000000
> [ 158.824306][ T146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 158.824306][ T146] CR2: 00000000004c91a0 CR3: 000000000b0af000
> CR4: 00000000007516f0
> [ 158.824306][ T146] PKRU: 55555554
> [ 158.824306][ T146] Call Trace:
> [ 158.824306][ T146] <TASK>
> [ 158.824306][ T146] adfs_probe+0x3b7/0x540
> [ 158.824306][ T146] ? __pfx_adfs_validate_bblk+0x40/0x40
> [ 158.824306][ T146] ? __pfx_adfs_probe+0x40/0x40
> [ 158.824306][ T146] ? shrinker_debugfs_rename+0x1bb/0x2c0
> [ 158.824306][ T146] adfs_fill_super+0x179/0x640
> [ 158.824306][ T146] ? __pfx_adfs_fill_super+0x40/0x40
> [ 158.824306][ T146] ? kfree_const+0x5a/0x80
> [ 158.824306][ T146] ? shrinker_debugfs_rename+0x1c0/0x2c0
> [ 158.824306][ T146] ? __pfx_shrinker_debugfs_rename+0x40/0x40
> [ 158.824306][ T146] ? __pfx_snprintf+0x40/0x40
> [ 158.824306][ T146] ? tracer_preempt_on+0x44/0x5c0
> [ 158.824306][ T146] ? _raw_spin_unlock+0x2d/0x80
> [ 158.824306][ T146] ? set_blocksize+0x384/0x480
> [ 158.824306][ T146] ? sb_set_blocksize+0x1b1/0x340
> [ 158.824306][ T146] ? setup_bdev_super+0x431/0x900
> [ 158.824306][ T146] ? __pfx_super_s_dev_set+0x40/0x40
> [ 158.824306][ T146] get_tree_bdev_flags+0x3aa/0x680
> [ 158.824306][ T146] ? __pfx_adfs_fill_super+0x40/0x40
> [ 158.824306][ T146] ? __pfx_get_tree_bdev_flags+0x40/0x40
> [ 158.824306][ T146] ? rcu_is_watching+0x12/0x100
> [ 158.824306][ T146] ? cap_capable+0x142/0x380
> [ 158.824306][ T146] vfs_get_tree+0x98/0x380
> [ 158.824306][ T146] fc_mount+0x1f/0x240
> [ 158.824306][ T146] do_new_mount+0x3d6/0x700
> [ 158.824306][ T146] ? __pfx_do_new_mount+0x40/0x40
> [ 158.824306][ T146] ? cap_capable+0x142/0x380
> [ 158.824306][ T146] ? bpf_lsm_capable+0xe/0x40
> [ 158.824306][ T146] ? security_capable+0x307/0x380
> [ 158.824306][ T146] path_mount+0x4bb/0x1500
> [ 158.824306][ T146] ? kmem_cache_free+0x169/0x7c0
> [ 158.824306][ T146] ? putname+0xb9/0x140
> [ 158.824306][ T146] ? __pfx_path_mount+0x40/0x40
> [ 158.824306][ T146] ? putname+0xb9/0x140
> [ 158.824306][ T146] __x64_sys_mount+0x2a8/0x340
> [ 158.824306][ T146] ? __pfx___x64_sys_mount+0x40/0x40
> [ 158.824306][ T146] ? tracer_hardirqs_on+0x3c9/0x5c0
> [ 158.824306][ T146] ? do_syscall_64+0xa7/0x940
> [ 158.824306][ T146] do_syscall_64+0x141/0x940
> [ 158.824306][ T146] entry_SYSCALL_64_after_hwframe+0x77/0x7f
> [ 158.824306][ T146] RIP: 0033:0x44a10e
> [ 158.824306][ T146] Code: 48 c7 c0 ff ff ff ff eb aa e8 0e 06 00 00
> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5
> 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8
> 64 89 01 48
> [ 158.824306][ T146] RSP: 002b:00007fffa4a988c8 EFLAGS: 00000202
> ORIG_RAX: 00000000000000a5
> [ 158.824306][ T146] RAX: ffffffffffffffda RBX: 0000000000000000
> RCX: 000000000044a10e
> [ 158.824306][ T146] RDX: 00000000004980f6 RSI: 000000000049802d
> RDI: 00007fffa4a98970
> [ 158.824306][ T146] RBP: 0000000000000003 R08: 00000000004af4bd
> R09: 746365707865203b
> [ 158.824306][ T146] R10: 0000000000000001 R11: 0000000000000202
> R12: 00007fffa4a98970
> [ 158.824306][ T146] R13: 000000000049806e R14: 00007fffa4a988e0
> R15: 0000000000000004
> [ 158.824306][ T146] </TASK>
> [ 158.824306][ T146] Modules linked in:
> [ 158.854456][ T146] ---[ end trace 0000000000000000 ]---
> [ 158.855680][ T146] RIP: 0010:adfs_read_map+0x420/0xbc0
> [ 158.856500][ T146] Code: 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 7f 05
> 00 00 0f b7 45 0a 48 8b 54 24 10 41 29 c7 48 c1 ea 03 48 b8 00 00 00
> 00 00 fc ff df <80> 3c 02 00 44 89 7c 24 08 0f 85 12 07 00 00 48 8b 44
> 24 10 48 8d
> [ 158.857115][ T146] RSP: 0018:ffa00000014a7658 EFLAGS: 00000202
> [ 158.857587][ T146] RAX: dffffc0000000000 RBX: 0000000000000000
> RCX: 0000000000000000
> [ 158.857962][ T146] RDX: 0000000000000002 RSI: 0000000000000000
> RDI: 0000000000000000
> [ 158.858320][ T146] RBP: ff11000006345dc0 R08: 0000000000000000
> R09: 0000000000000000
> [ 158.858701][ T146] R10: 0000000000000000 R11: 0000000000000000
> R12: ff11000004f04000
> [ 158.859091][ T146] R13: ff11000006345dca R14: 0000000000000000
> R15: 0000000000002000
> [ 158.859473][ T146] FS: 00000000004ce3c0(0000)
> GS:ff110000ab608000(0000) knlGS:0000000000000000
> [ 158.859883][ T146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 158.860567][ T146] CR2: 00000000004c91a0 CR3: 000000000b0af000
> CR4: 00000000007516f0
> [ 158.860946][ T146] PKRU: 55555554
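The root-cause paragraph above turns on one detail: a zero-object allocation returns the kernel's ZERO_SIZE_PTR sentinel, which is ((void *)16), not NULL, so the first 8-byte write to dm[0] lands at 0x10..0x17, exactly the null-ptr-deref range KASAN reports, and the generic-KASAN shadow byte for 0x10 on x86_64 is (0x10 >> 3) + 0xdffffc0000000000 = 0xdffffc0000000002, the non-canonical address in the Oops line. The following user-space C program is an added example, not the reporter's reproducer and not kernel code: it models the nzones computation and the zero-size allocation with a two-field stand-in for the disc record, reproduces the fault and shadow addresses as arithmetic instead of a dereference, and puts a hypothetical `check_zone_count()` gate (an assumption about where a fix would sit, not the kernel's validator) in front of the allocation. ZERO_SIZE_PTR and the shadow offset are the real kernel values; everything else is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two disc-record fields the report names;
 * the real struct adfs_discrecord in the kernel carries many more. */
struct mock_discrecord {
	uint8_t nzones;
	uint8_t nzones_high;
};

/* Real kernel constants, reproduced so the arithmetic can run in user
 * space: ZERO_SIZE_PTR is ((void *)16) in include/linux/slab.h, and the
 * x86_64 generic-KASAN shadow byte for addr is at (addr >> 3) + offset. */
#define MOCK_ZERO_SIZE_PTR   ((uintptr_t)16)
#define KASAN_SHADOW_OFFSET  0xdffffc0000000000ULL
#define MAP_ENTRY_SIZE       8   /* width of the faulting dm[0] access */

/* Same expression adfs_read_map() uses to combine the two bytes. */
static unsigned int disc_nzones(const struct mock_discrecord *dr)
{
	return dr->nzones | dr->nzones_high << 8;
}

/* Model of kmalloc_objs(*dm, nzones): n == 0 yields ZERO_SIZE_PTR, which
 * is non-NULL, so a NULL check after the allocation cannot catch a
 * zero-zone disc record. Non-zero counts get a real buffer. */
static void *mock_kmalloc_objs(size_t size, unsigned int n)
{
	if (n == 0)
		return (void *)MOCK_ZERO_SIZE_PTR;
	return calloc(n, size);
}

/* Address of dm[i] as an integer, so it can be compared instead of
 * dereferenced. With dm == ZERO_SIZE_PTR, dm[0] spans 0x10..0x17 (the
 * reported range) and dm[nzones - 1] with nzones == 0 wraps to a huge
 * index, since nzones is unsigned. */
static uintptr_t map_entry_addr(const void *dm, unsigned int i)
{
	return (uintptr_t)dm + (uintptr_t)i * MAP_ENTRY_SIZE;
}

/* Generic-KASAN shadow address on x86_64: for 0x10 this gives
 * 0xdffffc0000000002, the non-canonical address in the Oops line. */
static uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> 3) + KASAN_SHADOW_OFFSET;
}

/* Hypothetical gate for the disc-record validator (not the kernel's own
 * code): a zone count of zero describes no map, so reject the record
 * before anything is sized by it. Returns 0 if valid, -1 otherwise. */
static int check_zone_count(const struct mock_discrecord *dr)
{
	return disc_nzones(dr) == 0 ? -1 : 0;
}

/* Guarded map read: -1 when the record is rejected, 0 when a map of
 * nzones entries was allocated and released again. */
static int simulate_read_map(uint8_t nzones, uint8_t nzones_high)
{
	struct mock_discrecord dr = { nzones, nzones_high };
	void *dm;

	if (check_zone_count(&dr) < 0)
		return -1;
	dm = mock_kmalloc_objs(MAP_ENTRY_SIZE, disc_nzones(&dr));
	if (!dm)
		return -1;
	free(dm);
	return 0;
}

int main(void)
{
	struct mock_discrecord bad = { 0, 0 };   /* constructed nzones == 0 record */
	void *dm = mock_kmalloc_objs(MAP_ENTRY_SIZE, disc_nzones(&bad));

	printf("nzones = %u, dm = %p (NULL? %s)\n", disc_nzones(&bad), dm,
	       dm == NULL ? "yes" : "no");
	printf("dm[0] at 0x%lx, KASAN shadow 0x%llx\n",
	       (unsigned long)map_entry_addr(dm, 0),
	       (unsigned long long)kasan_shadow_addr(map_entry_addr(dm, 0)));
	printf("guarded read, nzones=0: %d; nzones=0x1234: %d\n",
	       simulate_read_map(0, 0), simulate_read_map(0x34, 0x12));
	return 0;
}
```

The point of the model is that the check has to happen on the disc record, not on the allocation result: `kmalloc_objs()` succeeding with a non-NULL value is the normal contract for a zero count, so the only place to reject an nzones of zero is before the count is used to size anything.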