From nobody Mon Jul 31 11:13:13 2023 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RDwb65yqHz4q378 for ; Mon, 31 Jul 2023 11:13:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RDwZy3h3Lz3rfb for ; Mon, 31 Jul 2023 11:13:14 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690801994; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=n34c9z4MYitVAXDgRBACmHwb260vft1Moj7AacSJF30=; b=kIlnJaM1S/bxaCXNZxpwQsdS2ynoz6NFeisJC9pgf+vrr0uGWPNyaaSyEX9FMSYUzMklXm 5hCjyswGRpQtM4OMdd7uuYcHRkCEA9oKRonABxu5YRNtugjP93KEIR+rhp/lRg4MIEq6Ru uRN07cTHMOecgLUkOngEFRSrHRb95mbCOBqYoKo3A/FUsR7iG0QPaRzYcnuGAr4s1a5X9N PT78t/JtHLo2x8RKeBKFVI9cmG1Cyd4FSm/PDgOaPpjgwVXcGZwUI9VsJr2Qxqg6MABMJh OCF0T9PTAp1dyhqht+Z5VaLO7dPJZ4S4F6He3ctDJUaRgO2y9GUeDEBuRIyZ8A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1690801994; a=rsa-sha256; cv=none; b=MqImZ1zrjUxa//QBZvvz3mR2/xaoZqlhhThahRcXxAs4u9vh2Lev8zUbV3oL7HTTJoLJit udfAOFJoAQtHkLxTzDH8PmGsuX3aHN9ixf4SOq7+WOzZvMjpBgpFugieVA86EaJoTC00Xk 5dFGhUFCPn6A4a16z2WygwWNc+1T1UphpINnxDy15etS6hVGOwNXwcj0g0YQJvlWC7uhUj nQtPJRDcgY6We5xHiUY7g1LJ2KWusvsdExaqi7DAc8wwA/DDNmoqVNrgVDyFqIuhHrVVm2 n3L9fY2CiOXCymR2vrGmrf+PxpVJy6yEZjeAdLpK4ns++DEUqDoJIMKjwbJzxA== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RDwZx6k05ztY7 for ; Mon, 31 Jul 2023 11:13:13 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 36VBDDu6011808 for ; Mon, 31 Jul 2023 11:13:13 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 36VBDDYI011807 for bugs@FreeBSD.org; Mon, 31 Jul 2023 11:13:13 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 272840] too-large root_icb.len on UDF file system causes crash Date: Mon, 31 Jul 2023 11:13:13 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: rtm@lcs.mit.edu X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D272840 Bug ID: 272840 Summary: too-large root_icb.len on UDF file system causes crash Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu The attached corrupt UDF image claims a root directory file entry length of root_icb.len=3D64650 (one might expect 2048). During mount, udf_readdevblks() rounds this up to 65536, and this line in getblkx() increases it to 67584: maxsize =3D size + (offset & PAGE_MASK); getnewbuf_kva() further increases the size to 81920. On an INVARIANTS kernel, this KASSERT fails in bufkva_alloc(): KASSERT(maxsize <=3D maxbcachebuf, ("bufkva_alloc kva too large %d %u", maxsize, maxbcachebuf)); panic: bufkva_alloc kva too large 81920 65536 On a non-INVARIANTS CURRENT kernel, this leads to a kernel page fault during unmount. On a stock 13.1 kernel, nothing bad happens right away but eventually file system problems arise. Here's the back-trace on an INVARIANTS kernel: # mdconfig -f udf4a.iso # mount_udf /dev/md0 /mnt panic: bufkva_alloc kva too large 81920 65536 panic() at panic+0x26 bufkva_alloc() at bufkva_alloc+0x104 getnewbuf_kva() at getnewbuf_kva+0x2a getnewbuf() at getnewbuf+0xec getblkx() at getblkx+0x188 breadn_flags() at breadn_flags+0x56 udf_readdevblks() at udf_readdevblks+0x52 udf_mountfs() at udf_mountfs+0x574 udf_mount() at udf_mount+0x19c vfs_domount_first() at vfs_domount_first+0x1cc vfs_domount() at vfs_domount+0x26c vfs_donmount() at vfs_donmount+0x82c sys_nmount() at sys_nmount+0x5e syscallenter() at syscallenter+0xe0 ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xf2 cpu_exception_handler_user() at cpu_exception_handler_user+0x72 --- syscall (378, FreeBSD ELF64, nmount) --=20 You are receiving this mail because: You are the assignee for the bug.=