[Bug 272893] UDF logical volume descriptor can specify negative bsize, causing panic
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 272893] UDF logical volume descriptor can specify negative bsize, causing panic"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 272893] UDF logical volume descriptor can specify negative bsize, causing panic"
Date: Wed, 02 Aug 2023 13:30:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272893

            Bug ID: 272893
           Summary: UDF logical volume descriptor can specify negative bsize, causing panic
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 243798
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243798&action=edit
UDF image with a negative bsize in its LVD, causing panic when mounted

udf_mountfs() reads the block size from the UDF disk:

    udfmp->bsize = le32toh(lvd->lb_size);

and passes it to bread():

    if ((error = RDSECTOR(devvp, sector, udfmp->bsize, &bp)) != 0) {

For an mdconfig'd image, the kernel tries to manipulate the page table at an
address partially derived from this bsize, and can panic if it's negative.

I've attached a demo UDF image that says bsize is -1401851883. This backtrace
is from CURRENT on riscv64:

    # gunzip udf4b.iso.gz
    # mdconfig udf4b.iso
    # mount_udf /dev/md0 /mnt
    panic: usermode va ffffffbfb044c000
    panic() at panic+0x26
    pmap_qremove() at pmap_qremove+0x8e
    vfs_vmio_truncate() at vfs_vmio_truncate+0x52
    allocbuf() at allocbuf+0x96
    getblkx() at getblkx+0x28c
    breadn_flags() at breadn_flags+0x56
    udf_mountfs() at udf_mountfs+0x4b8
    udf_mount() at udf_mount+0x19c
    vfs_domount_first() at vfs_domount_first+0x1cc
    vfs_domount() at vfs_domount+0x26c
    vfs_donmount() at vfs_donmount+0x82c
    sys_nmount() at sys_nmount+0x5e
    syscallenter() at syscallenter+0xe0
    ecall_handler() at ecall_handler+0x18
    do_trap_user() at do_trap_user+0xf2
    cpu_exception_handler_user() at cpu_exception_handler_user+0x72
    --- syscall (378, FreeBSD ELF64, nmount) ---

-- 
You are receiving this mail because:
You are the assignee for the bug.
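The report above boils down to one untrusted field: the LVD's lb_size is a uint32 on disk, is stored into a signed int, and reaches bread() without any range check. The program below is an added illustration written for this page, not code from the bug report or from FreeBSD's udf driver. It builds a constructed 512-byte Logical Volume Descriptor carrying the exact value from the attached image (-1401851883 as an int, 2893115413 as a uint32), reads it back the way the report's assignment does, and then reads it again through a validating routine. The field offset (212) follows ECMA-167 3/10.6 and the layout of FreeBSD's struct logvol_desc as read by this example's author, and the accepted range, the power-of-two rule and the device-sector-multiple rule are this example's own policy, not a proposed FreeBSD patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Logical Volume Descriptor layout (ECMA-167 3/10.6, as assumed here):
 * tag(16) + seq_num(4) + desc_charset(64) + logvol_id(128) = 212,
 * so LogicalBlockSize (uint32, little-endian) sits at byte 212. */
#define LVD_LEN         512
#define TAGID_LOGVOL    6           /* tag identifier of an LVD */
#define LVD_LB_SIZE_OFF 212

/* Acceptance window chosen for this example (assumption, not FreeBSD's). */
#define MIN_BSIZE 512u
#define MAX_BSIZE (64u * 1024u)

static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_put(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;
    p[3] = (v >> 24) & 0xff;
}

/* Constructed descriptor: only the tag identifier and lb_size are populated;
 * everything else is zero, which is enough for the checks exercised here. */
static void make_lvd(uint8_t *lvd, uint32_t lb_size)
{
    memset(lvd, 0, LVD_LEN);
    lvd[0] = TAGID_LOGVOL;          /* tag.id, little-endian uint16 */
    lvd[1] = 0;
    le32_put(lvd + LVD_LB_SIZE_OFF, lb_size);
}

/* Same shape as the assignment quoted in the report: the on-disk uint32 is
 * dropped into a signed int with no range check, so a large value turns
 * negative (the conversion is implementation-defined in C; on the compilers
 * FreeBSD uses it wraps modulo 2^32). */
static int unchecked_bsize(const uint8_t *lvd)
{
    return (int)le32_at(lvd + LVD_LB_SIZE_OFF);
}

/* Hardened reader: returns the block size, or 0 when the descriptor must be
 * rejected. Every value that passes is a positive power of two that fits in
 * an int and covers a whole number of device sectors. */
static int checked_bsize(const uint8_t *lvd, uint32_t dev_sector_size)
{
    uint32_t lb;

    if ((uint16_t)(lvd[0] | (lvd[1] << 8)) != TAGID_LOGVOL)
        return 0;                   /* not an LVD at all */
    lb = le32_at(lvd + LVD_LB_SIZE_OFF);
    if (lb < MIN_BSIZE || lb > MAX_BSIZE)
        return 0;                   /* rejects 0, tiny, huge and "negative" values */
    if ((lb & (lb - 1)) != 0)
        return 0;                   /* block size must be a power of two */
    if (dev_sector_size == 0 || lb % dev_sector_size != 0)
        return 0;                   /* must be a multiple of the device sector size */
    return (int)lb;                 /* <= MAX_BSIZE, so the cast cannot go negative */
}

int main(void)
{
    uint8_t lvd[LVD_LEN];

    make_lvd(lvd, 2893115413u);     /* the value carried by the attached image */
    printf("hostile image: unchecked=%d checked=%d\n",
           unchecked_bsize(lvd), checked_bsize(lvd, 512));

    make_lvd(lvd, 2048);            /* an ordinary 2 KiB UDF block size */
    printf("sane image:    unchecked=%d checked=%d\n",
           unchecked_bsize(lvd), checked_bsize(lvd, 512));
    return 0;
}
```

The point of the checked path is that the value handed to the buffer cache is bounded before it is ever used to size a buf, which is what the pmap_qremove() frame in the backtrace is reacting to. A real driver would also want to compare lb_size against the device's reported sector size rather than a caller-supplied one, and to repeat the check wherever bsize is later used as a shift or multiplier.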