[Bug 269561] tarfs can crash if tarfile root entry is really a block file
Date: Tue, 14 Feb 2023 21:46:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269561
Bug ID: 269561
Summary: tarfs can crash if tarfile root entry is really a block file
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 240162
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240162&action=edit
tar file whose first entry is a "block device", causes tarfs to crash
tarfs_lookup_node() uses tnp->dir.dirhead without checking that
tnp->type is VDIR. If the first entry in the tar file has type
TAR_TYPE_BLOCK, then tnp->dir.dirhead actually contains the
major/minor device numbers, and tarfs_lookup_node() dereferences it
and (depending on what's there) crashes.
I've attached a demo tar file:
# mount -t tarfs tarfs1c.tar /mnt
panic: Fatal page fault at 0xffffffc00025d32e: 0x00006000000080
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x6000000080
tarfs_lookup_node() at tarfs_lookup_node+0x32
tarfs_lookup_path() at tarfs_lookup_path+0x18e
tarfs_alloc_one() at tarfs_alloc_one+0x66c
tarfs_alloc_mount() at tarfs_alloc_mount+0x150
tarfs_mount() at tarfs_mount+0x2c2
vfs_domount_first() at vfs_domount_first+0x1ae
vfs_domount() at vfs_domount+0x25c
vfs_donmount() at vfs_donmount+0x75e
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)
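As an added illustration of the hazard the report describes (not code from the report or FreeBSD's own struct tarfs_node; every type and field name here is an assumption), a model of a tagged node whose directory list head aliases a block device's major/minor numbers, beside a lookup that checks the node type before reading the directory member:

```c
/* Hypothetical model of the hazard described above, not FreeBSD's actual
 * struct tarfs_node: a type tag plus a union in which a directory's
 * child-list head overlaps a block device's major/minor numbers. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

enum ntype { VDIR, VREG, VBLK };

struct tnode {
    enum ntype type;
    const char *name;
    struct tnode *next;                        /* next sibling in parent */
    union {
        struct { struct tnode *dirhead; } dir; /* valid only if type == VDIR */
        struct { uint32_t major, minor; } dev; /* valid only if type == VBLK */
    };
};

/* Buggy pattern: reads dir.dirhead without checking the type.  For a VBLK
 * node the "pointer" is really the device numbers; a real lookup would
 * dereference it, so here we only return the raw bits to show the aliasing. */
uintptr_t unchecked_dirhead_bits(const struct tnode *tnp)
{
    return (uintptr_t)tnp->dir.dirhead;
}

/* Hardened lookup: the union member dir may only be read when the node is a
 * directory (the same check belongs at mount time for the root entry).
 * Returns 0 and sets *out, or ENOTDIR / ENOENT. */
int lookup_node_checked(const struct tnode *tnp, const char *name,
                        const struct tnode **out)
{
    if (tnp == NULL || tnp->type != VDIR)
        return ENOTDIR;
    for (const struct tnode *n = tnp->dir.dirhead; n != NULL; n = n->next)
        if (strcmp(n->name, name) == 0) { *out = n; return 0; }
    return ENOENT;
}

/* Constructed sample nodes: a directory root with one child, and a root
 * that is really a block device (constructed major/minor values). */
struct tnode child    = { .type = VREG, .name = "etc" };
struct tnode root_dir = { .type = VDIR, .name = "", .dir = { &child } };
struct tnode root_blk = { .type = VBLK, .name = "", .dev = { 0x80, 0x60 } };
```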