[Bug 269519] corrupt tar file can cause tarfs file system to panic or crash
Date: Sun, 12 Feb 2023 22:05:19 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269519

            Bug ID: 269519
           Summary: corrupt tar file can cause tarfs file system to panic or crash
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 240118
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240118&action=edit
broken tar file that causes tarfs to crash

I've attached a corrupt tar file with the following content:

# tar tvf tarfs10a.tar
drwxr-xr-x  0 rtm wheel   0 Feb 11 12:28 ./
---sr-Sr-T  0 rtm wheel 512 Feb  1  2189 ./d
drwxr-xr-x  0 rtm wheel   0 Feb 11 12:28 ./d/
-rw-r--r--  0 rtm wheel   2 Feb 11 12:28 ./d/b

There are two entries for "d"; the first is a file, the second is a
directory. When tarfs looks up d/b, this causes the parent tarfs_node
passed to tarfs_alloc_node() to refer to a non-VDIR node.

When mounted with tarfs on an INVARIANTS kernel, it yields the panic
shown below. On a non-INVARIANTS kernel, there's a crash just after
line 236 in TAILQ_INSERT_TAIL(&parent->dir.dirhead) because the
parent->dir union entry isn't appropriate for a VDIR.

# uname -a
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #41 main-n250948-9475c0be36c7-dirty: Sun Feb 12 16:10:13 EST 2023 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
#
# mount -t tarfs tarfs10a.tar
panic: Assertion parent->type == VDIR failed at /usr/rtm/symbsd/src/sys/fs/tarfs/tarfs_subr.c:236
panic() at panic+0x2a
tarfs_alloc_node() at tarfs_alloc_node+0x380
tarfs_alloc_one() at tarfs_alloc_one+0xa9e
tarfs_alloc_mount() at tarfs_alloc_mount+0x1a4
tarfs_mount() at tarfs_mount+0x4a2
vfs_domount_first() at vfs_domount_first+0x1ae
vfs_domount() at vfs_domount+0x25c
vfs_donmount() at vfs_donmount+0x75e
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)
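
A pre-mount check for the entry layout described in this report, as an added example that is not part of the original report or of FreeBSD's code: it flags any path that is recorded as a non-directory entry and is also used as a directory somewhere in the same archive. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

# Constructed sample: same entry order as the listing in the report.
SAMPLE = [
    ("./", tarfile.DIRTYPE, b""),
    ("./d", tarfile.REGTYPE, b"x" * 512),
    ("./d/", tarfile.DIRTYPE, b""),
    ("./d/b", tarfile.REGTYPE, b"hi"),
]


def build_archive(entries):
    """Build an uncompressed ustar archive in memory from (name, type, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, kind, data in entries:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data) if data else None)
    return buf.getvalue()


def type_conflicts(archive):
    """Return paths that occur as a non-directory and are also used as a directory."""
    non_dirs, used_as_dir = set(), set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        for member in tf:  # headers only; nothing is extracted
            path = posixpath.normpath(member.name)
            (used_as_dir if member.isdir() else non_dirs).add(path)
            # Every ancestor of an entry is implicitly used as a directory.
            parent = posixpath.dirname(path)
            while parent not in ("", "/", "."):
                used_as_dir.add(parent)
                parent = posixpath.dirname(parent)
    return sorted(non_dirs & used_as_dir)


if __name__ == "__main__":
    for path in type_conflicts(build_archive(SAMPLE)):
        print(f"refusing to mount: {path!r} is both a file and a directory")
```

The check is order-independent on purpose: the later directory entry for "d" does not make the archive safe if the consumer resolves the parent to the earlier file entry.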