Bug 272893 - UDF logical volume descriptor can specify negative bsize, causing panic
Summary: UDF logical volume descriptor can specify negative bsize, causing panic
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: freebsd-fs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-02 13:30 UTC by Robert Morris
Modified: 2023-08-10 03:17 UTC

See Also:


Attachments
UDF image with a negative bsize in its LVD, causing panic when mounted (22.92 KB, application/x-gzip)
2023-08-02 13:30 UTC, Robert Morris

Description Robert Morris 2023-08-02 13:30:27 UTC
Created attachment 243798
UDF image with a negative bsize in its LVD, causing panic when mounted

udf_mountfs() reads the block size from the UDF disk:

                        udfmp->bsize = le32toh(lvd->lb_size);

and passes it to bread():

        if ((error = RDSECTOR(devvp, sector, udfmp->bsize, &bp)) != 0) {

For an mdconfig'd image, the kernel tries to manipulate the page table
at an address partially derived from this bsize, and can panic if it's
negative.

I've attached a demo UDF image that says bsize is -1401851883.
This backtrace is from CURRENT on riscv64:
# gunzip udf4b.iso.gz
# mdconfig udf4b.iso
# mount_udf /dev/md0 /mnt
panic: usermode va ffffffbfb044c000
panic() at panic+0x26
pmap_qremove() at pmap_qremove+0x8e
vfs_vmio_truncate() at vfs_vmio_truncate+0x52
allocbuf() at allocbuf+0x96
getblkx() at getblkx+0x28c
breadn_flags() at breadn_flags+0x56
udf_mountfs() at udf_mountfs+0x4b8
udf_mount() at udf_mount+0x19c
vfs_domount_first() at vfs_domount_first+0x1cc
vfs_domount() at vfs_domount+0x26c
vfs_donmount() at vfs_donmount+0x82c
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xe0
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf2
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)
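A hardened reader for the field in question, added here as an example; it is not the reporter's code and not the fix committed for this PR (the page shows only a 5-line diffstat for that commit, so its exact checks are not reproduced here). It pulls lb_size out of a raw Logical Volume Descriptor at byte position 212 (per ECMA-167 3/10.6), shows the unchecked store-into-int pattern that turns the attached image's field into -1401851883, and rejects such a value before a read of that size can be issued. The 512-byte to 64 KiB bounds and the power-of-two requirement are this example's own assumptions, and the descriptor bytes it validates are constructed in the block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Byte position of LogicalBlockSize in a UDF Logical Volume Descriptor
 * (ECMA-167 3/10.6): tag (16) + VDS number (4) + charspec (64) +
 * logical volume identifier (128) = 212.
 */
#define LVD_LB_SIZE_OFF 212u
#define LVD_MIN_LEN     (LVD_LB_SIZE_OFF + 4u)

/*
 * Assumed acceptable range for this example (not the committed fix's
 * values): no smaller than a 512-byte sector, no larger than 64 KiB.
 */
#define LB_SIZE_MIN 512u
#define LB_SIZE_MAX 65536u

enum lb_status {
    LB_OK = 0,
    LB_ERR_SHORT,    /* descriptor shorter than the field it should hold */
    LB_ERR_RANGE,    /* zero, "negative" (bit 31 set) or outside the bounds */
    LB_ERR_NOT_POW2  /* a block size must be a power of two */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/*
 * The unchecked pattern quoted in the report: the raw 32-bit field lands
 * in an int, so an image with bit 31 set yields a negative "block size"
 * that then flows straight into a buffer-cache read.
 */
int lvd_block_size_unchecked(const uint8_t *lvd)
{
    return (int)get_le32(lvd + LVD_LB_SIZE_OFF);
}

/* Hardened reader: validate before the value reaches allocation or I/O. */
enum lb_status lvd_block_size_checked(const uint8_t *lvd, size_t len,
                                      uint32_t *bsize)
{
    if (len < LVD_MIN_LEN)
        return LB_ERR_SHORT;
    uint32_t v = get_le32(lvd + LVD_LB_SIZE_OFF);
    if (v < LB_SIZE_MIN || v > LB_SIZE_MAX)
        return LB_ERR_RANGE;          /* rejects every value with bit 31 set */
    if ((v & (v - 1u)) != 0u)
        return LB_ERR_NOT_POW2;
    *bsize = v;
    return LB_OK;
}

/* Constructed test descriptor: zero-filled except for the lb_size field. */
#define LVD_TEST_LEN 256u

static void make_lvd(uint8_t *buf, uint32_t raw_lb_size)
{
    memset(buf, 0, LVD_TEST_LEN);
    put_le32(buf + LVD_LB_SIZE_OFF, raw_lb_size);
}

/* Probe helpers: build a descriptor carrying raw_lb_size and read it back. */
enum lb_status probe_checked(uint32_t raw_lb_size, size_t len)
{
    uint8_t buf[LVD_TEST_LEN];
    uint32_t bsize = 0;
    if (len > LVD_TEST_LEN)
        len = LVD_TEST_LEN;
    make_lvd(buf, raw_lb_size);
    return lvd_block_size_checked(buf, len, &bsize);
}

int probe_unchecked(uint32_t raw_lb_size)
{
    uint8_t buf[LVD_TEST_LEN];
    make_lvd(buf, raw_lb_size);
    return lvd_block_size_unchecked(buf);
}

int main(void)
{
    /* The value from the attached image, as its on-disk 32-bit pattern. */
    const uint32_t hostile = (uint32_t)-1401851883;
    printf("unchecked bsize: %d\n", probe_unchecked(hostile));
    printf("checked status:  %d\n", probe_checked(hostile, LVD_TEST_LEN));
    printf("checked 2048:    %d\n", probe_checked(2048u, LVD_TEST_LEN));
    return 0;
}
```

The range test alone is what stops this image: any value with bit 31 set is larger than LB_SIZE_MAX as an unsigned quantity, so it never gets a chance to be reinterpreted as a negative int downstream. The power-of-two test matters for the bshift/bmask arithmetic a filesystem derives from the block size, and the length check keeps the reader honest when the descriptor itself is truncated.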
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-08-04 22:50:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9e6941a2c7a393aefe6a123952c6eacbc23098a6

commit 9e6941a2c7a393aefe6a123952c6eacbc23098a6
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-08-04 22:47:09 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-08-04 22:49:36 +0000

    udf: reject invalid block sizes from lvd

    PR:     272893
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week

 sys/fs/udf/udf_vfsops.c | 5 +++++
 1 file changed, 5 insertions(+)
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-08-10 02:59:04 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=21a943407e9992a219a5fe572ee27fea9f5d2c69

commit 21a943407e9992a219a5fe572ee27fea9f5d2c69
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-08-04 22:47:09 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-08-10 02:57:29 +0000

    udf: reject invalid block sizes from lvd

    PR:     272893

    (cherry picked from commit 9e6941a2c7a393aefe6a123952c6eacbc23098a6)

 sys/fs/udf/udf_vfsops.c | 5 +++++
 1 file changed, 5 insertions(+)