Created attachment 228583
A damaged ext3 disk image that causes INVARIANT failures.

I've attached a damaged ext3 file system that trips over two INVARIANTS
in CURRENT:

VNASSERT failed: vp->v_type != VNON not true at /usr/src/sys/kern/vfs_cache.c:2404 (cache_enter_time)

panic: Assertion dvp != *vpp failed at /usr/src/sys/kern/vfs_cache.c:2084

The first is caused by a directory entry that refers to an un-allocated
inode; ext2_lookup_ino() calls cache_enter() regardless.

The second is caused by a directory entry with i-number 2 but which is
named neither . nor ..; perhaps ext2_dirbadentry() or
ext2_search_dirblock() should filter these out.

To see a panic on a CURRENT system with INVARIANTS:

# uname -a
FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-n248636-d20e9e02db3: Thu Aug 12 05:47:18 UTC 2021 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip ext36.img.gz
# mdconfig -f ext36.img
md0
# mount -t ext2fs -o ro /dev/md0 /mnt
# ls -l /mnt
VNASSERT failed: vp->v_type != VNON not true at /usr/src/sys/kern/vfs_cache.c:2402 (cache_enter_time)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=366da717deda3964ae369f1f2fbd62114d14c587

commit 366da717deda3964ae369f1f2fbd62114d14c587
Author:     Fedor Uporov <fsu@FreeBSD.org>
AuthorDate: 2023-02-09 09:34:25 +0000
Commit:     Fedor Uporov <fsu@FreeBSD.org>
CommitDate: 2023-03-18 06:16:22 +0000

    Add root directory entry check.

    Add check that directory entry with ino=EXT2_ROOTINO have correct
    namelength and name. It is possible to create malicious image which
    will cause panic if root directory entry have incorrect name.

    PR:                     259068
    Reported by:            Robert Morris
    Reviewed by:            pfg
    MFC after:              2 weeks
    Differential Revision:  https://reviews.freebsd.org/D38502

 sys/fs/ext2fs/ext2_lookup.c | 7 +++++++
 1 file changed, 7 insertions(+)
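
The condition discussed in this report (an entry with i-number 2 that is named neither . nor ..) can be checked offline against a raw directory block. The following is an added user-space example, not the committed FreeBSD change and not code from this PR; count_bad_root_entries(), is_dot_name() and the sample block are hypothetical and constructed for illustration, and only the standard ext2 on-disk entry layout (inode, rec_len, name_len, file_type, name, little-endian) is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EXT2_ROOTINO 2u
#define DIRENT_HDR   8u  /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

/* Constructed 64-byte block: ".", ".." and "data", all with inode 2, type dir. */
static const uint8_t sample_blk[64] = {
    2,0,0,0, 12,0, 1, 2, '.',0,0,0,
    2,0,0,0, 12,0, 2, 2, '.','.',0,0,
    2,0,0,0, 40,0, 4, 2, 'd','a','t','a'
};

/* Little-endian readers, so the result does not depend on host byte order. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

static int is_dot_name(const uint8_t *name, uint8_t len) {
    return (len == 1 && name[0] == '.') ||
           (len == 2 && name[0] == '.' && name[1] == '.');
}

/* Returns the number of entries that use the root inode under a name other
 * than "." or "..", or -1 if the record chain itself is malformed. */
int count_bad_root_entries(const uint8_t *blk, size_t blksz) {
    size_t off = 0;
    int bad = 0;
    while (off < blksz) {
        if (blksz - off < DIRENT_HDR) return -1;
        uint32_t ino = le32(blk + off);
        uint16_t rec_len = le16(blk + off + 4);
        uint8_t name_len = blk[off + 6];
        if (rec_len < DIRENT_HDR || (rec_len & 3) || rec_len > blksz - off)
            return -1;                       /* record escapes the block */
        if ((size_t)name_len + DIRENT_HDR > rec_len) return -1;
        if (ino == EXT2_ROOTINO && !is_dot_name(blk + off + DIRENT_HDR, name_len))
            bad++;                           /* the case described in this PR */
        off += rec_len;
    }
    return bad;
}

int main(void) {
    printf("bad root entries: %d\n", count_bad_root_entries(sample_blk, sizeof sample_blk));
    return 0;
}
```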