Created attachment 240118 [details] broken tar file that causes tarfs to crash I've attached a corrupt tar file with the following content: # tar tvf tarfs10a.tar drwxr-xr-x 0 rtm wheel 0 Feb 11 12:28 ./ ---sr-Sr-T 0 rtm wheel 512 Feb 1 2189 ./d drwxr-xr-x 0 rtm wheel 0 Feb 11 12:28 ./d/ -rw-r--r-- 0 rtm wheel 2 Feb 11 12:28 ./d/b There are two entries for "d"; the first is a file, the second is a directory. When tarfs looks up d/b, this causes the parent tarfs_node passed to tarfs_alloc_node() to refer to a non-VDIR node. When mounted with tarfs on an INVARIANTS kernel, it yields the panic shown below. On a non-INVARIANTS kernel, there's a crash just after line 236 in TAILQ_INSERT_TAIL(&parent->dir.dirhead) because the parent->dir union entry isn't appropriate for a VDIR. # uname -a FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #41 main-n250948-9475c0be36c7-dirty: Sun Feb 12 16:10:13 EST 2023 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv # # mount -t tarfs tarfs10a.tar panic: Assertion parent->type == VDIR failed at /usr/rtm/symbsd/src/sys/fs/tarfs/tarfs_subr.c:236 panic() at panic+0x2a tarfs_alloc_node() at tarfs_alloc_node+0x380 tarfs_alloc_one() at tarfs_alloc_one+0xa9e tarfs_alloc_mount() at tarfs_alloc_mount+0x1a4 tarfs_mount() at tarfs_mount+0x4a2 vfs_domount_first() at vfs_domount_first+0x1ae vfs_domount() at vfs_domount+0x25c vfs_donmount() at vfs_donmount+0x75e sys_nmount() at sys_nmount+0x5e syscallenter() at syscallenter+0xec ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xf6 cpu_exception_handler_user() at cpu_exception_handler_user+0x72 --- syscall (378, FreeBSD ELF64, nmount)
This is easily fixed by removing the removing the assertion in `tarfs_alloc_node()` and instead checking, at the top, that if `parent` is not `NULL` then it is a directory, and returning an error if it isn't (which will then be propagated out). But part of me thinks this should have been caught by `tarfs_lookup_path()` before we even got to `tarfs_alloc_node()`.
See https://reviews.freebsd.org/D38587
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ae6cff89738bab9a4a956c230fb9dc6c4d5e113f commit ae6cff89738bab9a4a956c230fb9dc6c4d5e113f Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2023-02-15 02:12:45 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-02-15 02:13:11 +0000 tarfs: Don't panic if the parent of a new node is not a directory. PR: 269519 Sponsored by: Juniper Networks, Inc. Sponsored by: Klara, Inc. Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D38587 sys/fs/tarfs/tarfs_subr.c | 3 ++- sys/fs/tarfs/tarfs_vfsops.c | 12 +++++++++++- tests/sys/fs/tarfs/tarfs_test.sh | 30 ++++++++++++++++++++++++++---- 3 files changed, 39 insertions(+), 6 deletions(-)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=d481dcee72a05580c4c3af4a429b1c08fa846056 commit d481dcee72a05580c4c3af4a429b1c08fa846056 Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2023-02-20 21:28:53 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-02-20 21:29:19 +0000 tarfs: Really prevent descending into a non-directory. The previous fix was incorrect: we need to verify that the current node, if it exists, is not a directory, but we were checking the parent node instead. Address this, add more tests, and fix the test cleanup routines. PR: 269519, 269561 Fixes: ae6cff89738b Sponsored by: Juniper Networks, Inc. Sponsored by: Klara, Inc. Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D38645 sys/fs/tarfs/tarfs_vfsops.c | 17 ++++---- tests/sys/fs/tarfs/tarfs_test.sh | 87 ++++++++++++++++++++++++++++++++++------ 2 files changed, 85 insertions(+), 19 deletions(-)