From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 269561] tarfs can crash if tarfile root entry is really a block file
Date: Tue, 14 Feb 2023 21:46:25 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269561

            Bug ID: 269561
           Summary: tarfs can crash if tarfile root entry is really a block file
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 240162
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240162&action=edit
tar file whose first entry is a "block device", causes tarfs to crash

tarfs_lookup_node() uses tnp->dir.dirhead without checking that
tnp->type is VDIR. If the first entry in the tar file has type
TAR_TYPE_BLOCK, then tnp->dir.dirhead actually contains the
major/minor device numbers, and tarfs_lookup_node() dereferences it
and (depending on what's there) crashes.

I've attached a demo tar file:

# mount -t tarfs tarfs1c.tar /mnt
panic: Fatal page fault at 0xffffffc00025d32e: 0x00006000000080
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x6000000080
tarfs_lookup_node() at tarfs_lookup_node+0x32
tarfs_lookup_path() at tarfs_lookup_path+0x18e
tarfs_alloc_one() at tarfs_alloc_one+0x66c
tarfs_alloc_mount() at tarfs_alloc_mount+0x150
tarfs_mount() at tarfs_mount+0x2c2
vfs_domount_first() at vfs_domount_first+0x1ae
vfs_domount() at vfs_domount+0x25c
vfs_donmount() at vfs_donmount+0x75e
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)
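
The missing check described in the report, shown as an added example that is not part of the original report and is not FreeBSD's tarfs code. All `demo_*` names and the node layout are hypothetical, and the sample nodes are constructed; the lookup verifies the node type before reading the directory member of the union, so a block-device root yields ENOTDIR instead of having its device numbers walked as a child list.

```c
#include <errno.h>
#include <string.h>

/* Hypothetical stand-ins for a tarfs-like node; not FreeBSD's definitions. */
enum demo_type { DEMO_DIR, DEMO_BLK };

struct demo_node {
	enum demo_type type;
	const char *name;
	struct demo_node *next;	/* sibling link within a directory */
	union {
		struct { struct demo_node *dirhead; } dir;	/* DEMO_DIR only */
		struct { unsigned long major, minor; } dev;	/* DEMO_BLK only */
	};
};

/* Check the type before touching the union: on a device node the storage of
 * dir.dirhead holds the major number, not a pointer to a child list. */
int demo_lookup(struct demo_node *parent, const char *name, struct demo_node **out)
{
	struct demo_node *np;
	*out = NULL;
	if (parent == NULL || parent->type != DEMO_DIR)
		return ENOTDIR;
	for (np = parent->dir.dirhead; np != NULL; np = np->next) {
		if (strcmp(np->name, name) == 0) {
			*out = np;
			return 0;
		}
	}
	return ENOENT;
}

/* Constructed sample: the root is either a directory or a block device. */
int demo_run(enum demo_type root_type, const char *name)
{
	struct demo_node child = { .type = DEMO_BLK, .name = "disk0" };
	struct demo_node root = { .type = root_type, .name = "." };
	struct demo_node *found;
	if (root_type == DEMO_DIR)
		root.dir.dirhead = &child;
	else
		root.dev.major = 0x60;	/* constructed value; aliases dir.dirhead */
	return demo_lookup(&root, name, &found);
}

int main(void) { return demo_run(DEMO_BLK, "disk0") == ENOTDIR ? 0 : 1; }
```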