Unlinking a file on a broken UDF image causes kernel BUG

From: Anatoly Trosinenko
Date: Sun Oct 14 2018 - 11:27:43 EST


When unlinking a file on a fuzzed UDF image, a kernel BUG is triggered.

How to reproduce (with kvm-xfstests):

1) Checkout udf/for_next (commit 3df77b04f)
2) Copy x86_64-config-4.14 to .config, execute `make olddefconfig`,
then enable UDF support and compile the kernel
3) Copy the attached reproducer to
/tmp/kvm-xfstests-$USER/dump_udf.img (1 Mb uncompressed)
4) Run `kvm-xfstests shell`
5) Inside the shell:

root@kvm-xfstests:~# mount /vtmp
root@kvm-xfstests:~# mount /vtmp/dump_udf.img /mnt
[ 20.324420] UDF-fs: error (device loop0): udf_process_sequence:
Primary Volume Descriptor not found!
[ 20.325825] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp
2018/06/27 18:03 (1000)
root@kvm-xfstests:~# unlink /mnt/foo
[ 28.638288] ------------[ cut here ]------------
[ 28.638906] kernel BUG at fs/udf/truncate.c:219!
[ 28.639501] invalid opcode: 0000 [#1] SMP PTI
[ 28.639946] CPU: 1 PID: 365 Comm: unlink Not tainted
4.19.0-rc2-xfstests-00028-g3df77b04f62 #1
[ 28.640803] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1ubuntu1 04/01/2014
[ 28.641772] RIP: 0010:udf_truncate_extents+0x2f3/0x300
[ 28.642293] Code: 93 d0 fe ff ff 8d b2 d8 00 00 00 81 c2 b0 00 00
00 83 e1 08 0f 45 d6 29 d0 41 89 c6 e9 17 fe ff ff 0f 0b 0f 0b e8 6d
7d d3 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 53
48 89
[ 28.644136] RSP: 0018:ffff9b29408d7d80 EFLAGS: 00010206
[ 28.644664] RAX: 0000000000000004 RBX: ffff943c78e8d190 RCX: 0000000000000009
[ 28.645376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff943c78e8d190
[ 28.646087] RBP: ffff943c7b986000 R08: 00000009676e2d1c R09: 0000000000000001
[ 28.646801] R10: 0000000000000001 R11: 0000000000000000 R12: ffff943c78e8d088
[ 28.647512] R13: 0000000000000000 R14: 0000000000000002 R15: ffff943c78e8d190
[ 28.648223] FS: 0000000000000000(0000) GS:ffff943c7dc00000(0063)
knlGS:00000000f7f4a800
[ 28.649028] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 28.649603] CR2: 00000000f7e5ae20 CR3: 000000007822e002 CR4: 00000000003606e0
[ 28.650337] Call Trace:
[ 28.650589] ? udf_setsize+0x281/0x3e0
[ 28.650981] udf_setsize+0x289/0x3e0
[ 28.651349] ? evict+0xba/0x1a0
[ 28.651673] udf_evict_inode+0x86/0xe0
[ 28.652057] evict+0xd0/0x1a0
[ 28.652365] do_unlinkat+0x1ad/0x310
[ 28.652732] do_fast_syscall_32+0x9d/0x2f0
[ 28.653151] entry_SYSENTER_compat+0x84/0x96
[ 28.653603] ---[ end trace 7a5c71f2169e9e21 ]---
[ 28.654073] RIP: 0010:udf_truncate_extents+0x2f3/0x300
[ 28.654595] Code: 93 d0 fe ff ff 8d b2 d8 00 00 00 81 c2 b0 00 00
00 83 e1 08 0f 45 d6 29 d0 41 89 c6 e9 17 fe ff ff 0f 0b 0f 0b e8 6d
7d d3 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 53
48 89
[ 28.656501] RSP: 0018:ffff9b29408d7d80 EFLAGS: 00010206
[ 28.657038] RAX: 0000000000000004 RBX: ffff943c78e8d190 RCX: 0000000000000009
[ 28.657734] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff943c78e8d190
[ 28.658456] RBP: ffff943c7b986000 R08: 00000009676e2d1c R09: 0000000000000001
[ 28.659172] R10: 0000000000000001 R11: 0000000000000000 R12: ffff943c78e8d088
[ 28.659895] R13: 0000000000000000 R14: 0000000000000002 R15: ffff943c78e8d190
[ 28.660614] FS: 0000000000000000(0000) GS:ffff943c7dc00000(0063)
knlGS:00000000f7f4a800
[ 28.661425] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 28.662006] CR2: 00000000f7e5ae20 CR3: 000000007822e002 CR4: 00000000003606e0
Segmentation fault
root@kvm-xfstests:~#

Best regards
Anatoly

Attachment: dump_udf.img.bz2
Description: Binary data
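The oops above already carries everything a triager needs to group this report with others: the BUG location (file:line), the trap type and oops count, the task that hit it, the faulting symbol in RIP, and the call trace. Below is a small Python parser, added here as an example (it is not part of the report and not kernel tooling), that pulls those fields out of a dmesg excerpt. The sample input is the trace from this mail with the lines the mail client wrapped rejoined and the Code:/register dumps left out; the parser drops the `?` frames, which the x86 unwinder prints for addresses it found on the stack but could not confirm as real return addresses. The `subsystem()` heuristic (first two path components) is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the oops from the report above, mail-wrapped lines
# rejoined, Code:/register dumps omitted.
SAMPLE_OOPS = """\
[   28.638288] ------------[ cut here ]------------
[   28.638906] kernel BUG at fs/udf/truncate.c:219!
[   28.639501] invalid opcode: 0000 [#1] SMP PTI
[   28.639946] CPU: 1 PID: 365 Comm: unlink Not tainted 4.19.0-rc2-xfstests-00028-g3df77b04f62 #1
[   28.641772] RIP: 0010:udf_truncate_extents+0x2f3/0x300
[   28.650337] Call Trace:
[   28.650589]  ? udf_setsize+0x281/0x3e0
[   28.650981]  udf_setsize+0x289/0x3e0
[   28.651349]  ? evict+0xba/0x1a0
[   28.651673]  udf_evict_inode+0x86/0xe0
[   28.652057]  evict+0xd0/0x1a0
[   28.652365]  do_unlinkat+0x1ad/0x310
[   28.652732]  do_fast_syscall_32+0x9d/0x2f0
[   28.653151]  entry_SYSENTER_compat+0x84/0x96
[   28.653603] ---[ end trace 7a5c71f2169e9e21 ]---
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")                      # "[   28.6] " prefix
BUG_RE = re.compile(r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
TRAP_RE = re.compile(r"^(?P<trap>[A-Za-z ]+?): [0-9a-f]+ \[#(?P<count>\d+)\]")
TASK_RE = re.compile(r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                     r"(?P<taint>Not tainted|Tainted: \S+) (?P<kver>\S+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]+:(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(r"^(?P<unsure>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


@dataclass
class Frame:
    symbol: str
    reliable: bool  # False for "? sym": the unwinder could not confirm this frame


@dataclass
class Oops:
    bug_file: Optional[str] = None
    bug_line: Optional[int] = None
    trap: Optional[str] = None
    oops_count: Optional[int] = None
    comm: Optional[str] = None
    pid: Optional[int] = None
    tainted: Optional[bool] = None
    kernel: Optional[str] = None
    rip_symbol: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    def reliable_trace(self) -> List[str]:
        """Call trace with the unconfirmed '?' frames removed."""
        return [f.symbol for f in self.frames if f.reliable]

    def subsystem(self) -> Optional[str]:
        """Heuristic (assumption of this example): first two path components."""
        if not self.bug_file:
            return None
        return "/".join(self.bug_file.split("/")[:2])


def parse_oops(text: str) -> Oops:
    """Extract the triage fields from a single dmesg oops excerpt."""
    oops = Oops()
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.startswith("---[ end trace"):
            break                      # end of this oops; ignore the repeated RIP block
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                oops.frames.append(Frame(m["sym"], reliable=m["unsure"] is None))
                continue
            in_trace = False           # first non-frame line closes the trace
        if line == "Call Trace:":
            in_trace = True
            continue
        m = BUG_RE.search(line)
        if m:
            oops.bug_file, oops.bug_line = m["file"], int(m["line"])
            continue
        m = TRAP_RE.match(line)
        if m:
            oops.trap, oops.oops_count = m["trap"], int(m["count"])
            continue
        m = TASK_RE.search(line)
        if m:
            oops.comm, oops.pid = m["comm"], int(m["pid"])
            oops.tainted = m["taint"] != "Not tainted"
            oops.kernel = m["kver"]
            continue
        m = RIP_RE.search(line)
        if m and oops.rip_symbol is None:
            oops.rip_symbol = m["sym"]   # keep the first RIP only
    return oops


if __name__ == "__main__":
    o = parse_oops(SAMPLE_OOPS)
    print(f"{o.subsystem()}: {o.trap} at {o.bug_file}:{o.bug_line} in {o.rip_symbol}")
    print(f"task {o.comm}[{o.pid}] on {o.kernel}, tainted={o.tainted}")
    print(" <- ".join(o.reliable_trace()))
```

Run on the sample, the reliable trace reads `udf_setsize <- udf_evict_inode <- evict <- do_unlinkat <- do_fast_syscall_32 <- entry_SYSENTER_compat`, i.e. the unlink path evicting the inode and truncating its extents until `udf_truncate_extents` hits the BUG at fs/udf/truncate.c:219. Keying crash reports on `(bug_file, bug_line, rip_symbol)` is what lets a fuzzing or monitoring pipeline recognise repeat hits of the same defect across differently fuzzed images.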