Bug 244352

Summary: [8] [Kernel panic: ufs_dirbad: /mnt/test: bad dir ino 2 at offset 154: mangled entry] observed while mounting the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121
Product: Base System
Reporter: Neeraj <neerajpal09>
Component: kern
Assignee: freebsd-fs (Nobody) <fs>
Status: Closed FIXED
Severity: Affects Only Me
CC: cem, grahamperrin, mckusick
Priority: ---
Version: CURRENT
Hardware: Any
OS: Any
Bug Depends on:
Bug Blocks: 244384, 263979
Attachments:
Description: Contains PoC UFS image, README and detailed logs; includes 13-current, 12.1-release and 12.1-stable
Flags: none

Description Neeraj 2020-02-23 20:33:54 UTC
Created attachment 211874 [details]
Contains PoC UFS image, README and detailed logs includes 13-current, 12.1-release and 12.1-stable

Hi there,

A kernel panic is observed while mounting a USB drive which contains a malicious UFS filesystem image.

But if automount is configured or the user has the ability to mount the USB drive, then the kernel panic occurs during the mount.

No user authentication or interaction is needed if automount is configured; tested with "/etc/fstab".

Just flash the attached UFS image to a USB drive, plug the drive into FreeBSD 13-CURRENT, 12.1-RELEASE, or 12.1-STABLE, then mount it.

[Kernel Log - FreeBSD 13-CURRENT]

freebsd dumped core - see /var/crash/vmcore.5

Wed Feb 19 18:56:31 UTC 2020

FreeBSD freebsd 13.0-CURRENT FreeBSD 13.0-CURRENT #0: Wed Feb 19 01:58:08 UTC 2020     root@freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

panic: ufs_dirbad: /mnt/test: bad dir ino 2 at offset 154: mangled entry

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: ufs_dirbad: /mnt/test: bad dir ino 2 at offset 154: mangled entry
cpuid = 0
time = 1582138460
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0039f074e0
vpanic() at vpanic+0x185/frame 0xfffffe0039f07540
panic() at panic+0x43/frame 0xfffffe0039f075a0
ufs_lookup_ino() at ufs_lookup_ino+0xdd4/frame 0xfffffe0039f076c0
vfs_cache_lookup() at vfs_cache_lookup+0xa8/frame 0xfffffe0039f07710
lookup() at lookup+0x5f1/frame 0xfffffe0039f077b0
namei() at namei+0x553/frame 0xfffffe0039f078a0
kern_statat() at kern_statat+0x7f/frame 0xfffffe0039f079c0
sys_fstatat() at sys_fstatat+0x2f/frame 0xfffffe0039f07ac0
amd64_syscall() at amd64_syscall+0x168/frame 0xfffffe0039f07bf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0039f07bf0
--- syscall (552, FreeBSD ELF64, sys_fstatat), rip = 0x800419a8a, rsp = 0x7fffffffe8e8, rbp = 0x7fffffffe9a0 ---
KDB: enter: panic
Uptime: 4m42s
Dumping 260 out of 4062 MB:..7%..13%..25%..31%..43%..56%..62%..74%..86%..93%


[Attachments]
+ UFS filesystem image
+ detailed logs from FreeBSD 13-CURRENT, 12.1-RELEASE, and 12.1-STABLE.
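The panic above is raised from the directory lookup path once a directory entry's record length can no longer be trusted. The following is an added example, not code from this bug report or from FreeBSD: a small Python checker that walks the raw contents of a UFS directory (for instance as extracted from an image with a UFS-aware tool; it does not parse the superblock or inode tables) and flags entries with a zero record length or one that runs past the end of its 512-byte directory block, which is the kind of inconsistency the kernel reports as a mangled entry, plus a few cheaper consistency checks on alignment and name length. It assumes the on-disk struct direct layout (u32 d_ino, u16 d_reclen, u8 d_type, u8 d_namlen, name padded to a 4-byte boundary), little-endian byte order as on amd64 and DIRBLKSIZ of 512; the function names (check_dirblock, check_directory, sample_block, build_entry), the sample blocks and the file name hello.txt are constructed for the example.

```python
# Added example (not from this bug report or from FreeBSD): sanity-check the raw
# contents of a UFS directory and flag entries the kernel would reject as
# mangled. Assumed on-disk layout of struct direct (little-endian, as on amd64):
#   u32 d_ino, u16 d_reclen, u8 d_type, u8 d_namlen, char d_name[] (NUL padded,
#   record rounded up to a 4-byte boundary); directory blocks are DIRBLKSIZ bytes.
import struct

DIRBLKSIZ = 512          # size of one independently parsed directory block
UFS_MAXNAMLEN = 255      # longest name a UFS directory entry can carry
DT_DIR, DT_REG = 4, 8    # d_type values used by the constructed sample
HDR = struct.Struct("<IHBB")   # d_ino, d_reclen, d_type, d_namlen


def dirsiz(namlen):
    """Bytes an entry with this name length actually needs (header + name + NUL, 4-aligned)."""
    return (HDR.size + namlen + 1 + 3) & ~3


def check_dirblock(block, base_offset=0):
    """Walk one DIRBLKSIZ block; return a list of (offset, reason). Empty list means sane."""
    problems = []
    if len(block) != DIRBLKSIZ:
        return [(base_offset, "directory block is %d bytes, expected %d" % (len(block), DIRBLKSIZ))]
    off = 0
    while off < DIRBLKSIZ:
        remaining = DIRBLKSIZ - off
        if remaining < HDR.size:
            problems.append((base_offset + off, "truncated entry header"))
            break
        ino, reclen, _dtype, namlen = HDR.unpack_from(block, off)
        # A zero reclen, or one that runs past the block end, leaves no way to locate the
        # next entry; this is the condition the kernel's lookup loop reports as a mangled entry.
        if reclen == 0 or reclen > remaining:
            problems.append((base_offset + off,
                             "mangled entry: reclen %d with %d bytes left in block" % (reclen, remaining)))
            break
        if reclen & 3:
            problems.append((base_offset + off, "reclen %d is not 4-byte aligned" % reclen))
        if namlen > UFS_MAXNAMLEN or reclen < dirsiz(namlen):
            problems.append((base_offset + off,
                             "namlen %d does not fit in a %d-byte record" % (namlen, reclen)))
        elif ino != 0:   # ino 0 marks free space; only live entries carry a name worth checking
            name = block[off + HDR.size: off + HDR.size + namlen]
            if b"\x00" in name or b"/" in name:
                problems.append((base_offset + off, "name contains NUL or '/'"))
        off += reclen
    return problems


def check_directory(data):
    """Check every block of a directory's raw contents; offsets are directory-relative."""
    problems = []
    whole = len(data) - len(data) % DIRBLKSIZ
    if whole != len(data):
        problems.append((whole, "trailing %d bytes are not a full directory block" % (len(data) - whole)))
    for start in range(0, whole, DIRBLKSIZ):
        problems += check_dirblock(data[start:start + DIRBLKSIZ], base_offset=start)
    return problems


def build_entry(ino, dtype, name, reclen=None):
    """Encode one entry; reclen defaults to the minimum, a larger value pads with zeros."""
    raw = name.encode()
    reclen = dirsiz(len(raw)) if reclen is None else reclen
    return HDR.pack(ino, reclen, dtype, len(raw)) + raw + b"\x00" * (reclen - HDR.size - len(raw))


def sample_block(mangle=False):
    """Constructed root-directory block: '.', '..' and one file whose record absorbs the rest."""
    dot, dotdot = build_entry(2, DT_DIR, "."), build_entry(2, DT_DIR, "..")
    used = len(dot) + len(dotdot)                      # 24 bytes
    block = bytearray(dot + dotdot + build_entry(3, DT_REG, "hello.txt", reclen=DIRBLKSIZ - used))
    if mangle:
        # overwrite the third entry's d_reclen with a value that points past the block end
        struct.pack_into("<H", block, used + 4, 0x1000)
    return bytes(block)


if __name__ == "__main__":
    for label, blk in (("clean", sample_block()), ("mangled", sample_block(mangle=True))):
        print(label, check_directory(blk) or "ok")
```

The checker stops at the first mangled entry in a block, for the same reason the kernel cannot continue: with a bad reclen there is no reliable way to find where the next entry starts. Running it over an image's directories before mounting gives a read-only way to spot the condition that produced the panic above.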
Comment 1 Kirk McKusick freebsd_committer freebsd_triage 2022-05-16 00:24:28 UTC
Please check to see if my proposed change in https://reviews.freebsd.org/D35219 resolves this bug.
Comment 2 Kirk McKusick freebsd_committer freebsd_triage 2022-11-18 22:43:37 UTC
Fixed in 14 as detailed in https://reviews.freebsd.org/D35219

MFC'ed to 13 with commit b999366aab4e2d59cb8869b0e5ef0f70ab9b9bbe on Fri May 27 12:21:11 2022 -0700

Too old in 12's life to be a candidate for MFC.