Bug 244342 - geom(4): Panic plugging in UFS USB drive: panic: g_read_data(): invalid length 11866112 (13-CURRENT, 12.1-RELEASE r354233, 12.1-STABLE r358121)
Summary: geom(4): Panic plugging in UFS USB drive: panic: g_read_data(): invalid lengt...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 12.2-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-geom (Nobody)
URL:
Keywords: crash, needs-qa
Depends on:
Blocks: 244384 263979
  Show dependency treegraph
 
Reported: 2020-02-23 19:21 UTC by Neeraj
Modified: 2022-11-18 23:29 UTC (History)
4 users (show)

See Also:
koobs: maintainer-feedback? (mckusick)
koobs: mfc-stable13?
koobs: mfc-stable12?

Attachments
Contains PoC UFS image and detailed logs includes 13-current, 12.1-release and 12.1-stable (172 bytes, text/plain)
2020-02-23 19:48 UTC, Neeraj 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Neeraj 2020-02-23 19:21:55 UTC 
Hi there,

Kernel Panic is observed while attaching the usb drive which contains malicious UFS filesystem image. No user authentication and interaction is needed.

Just flash the attached UFS image to usb drive and plug the usb drive to FreeBSD 13-CURRENT, 12.1-RELEASE, or 12.1-STABLE.


[Kernel Log - FreeBSD 13-CURRENT]

freebsd dumped core - see /var/crash/vmcore.8

Wed Feb 19 16:29:20 UTC 2020

FreeBSD freebsd 13.0-CURRENT FreeBSD 13.0-CURRENT #0: Wed Feb 19
01:58:08 UTC 2020
root@freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

panic: g_read_data(): invalid length 11866112

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
Superblock check-hash failed: recorded check-hash 0x11bd7e03 !=
computed check-hash 0x10378f61 (Ignored)
panic: g_read_data(): invalid length 11866112
cpuid = 3
time = 1582129685
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe002c779870
vpanic() at vpanic+0x185/frame 0xfffffe002c7798d0
panic() at panic+0x43/frame 0xfffffe002c779930
g_read_data() at g_read_data+0xf9/frame 0xfffffe002c779970
g_use_g_read_data() at g_use_g_read_data+0x35/frame 0xfffffe002c779990
ffs_sbget() at ffs_sbget+0x24f/frame 0xfffffe002c779a00
g_label_ufs_taste_common() at g_label_ufs_taste_common+0x79/frame
0xfffffe002c779a40
g_label_taste() at g_label_taste+0x2ac/frame 0xfffffe002c779b50
g_new_provider_event() at g_new_provider_event+0xaa/frame 0xfffffe002c779b70
g_run_events() at g_run_events+0x176/frame 0xfffffe002c779bb0
fork_exit() at fork_exit+0x80/frame 0xfffffe002c779bf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe002c779bf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
Uptime: 15m6s
Dumping 268 out of 4062 MB:..6%..12%..24%..36%..42%..54%..66%..72%..84%..96%

[Attachments]
+ UFS filesystem image
+ detailed logs from FreeBSD 13-CURRENT, 12.1-RELEASE, and 12.1-STABLE.
Comment 1 Neeraj 2020-02-23 19:48:53 UTC 
Created attachment 211867 [details]
Contains PoC UFS image and detailed logs includes 13-current, 12.1-release and 12.1-stable
Comment 2 Kirk McKusick freebsd_committer freebsd_triage 2022-05-16 00:28:36 UTC 
Please check to see if my proposed change in https://reviews.freebsd.org/D35219 resolves this bug.
Comment 3 Kirk McKusick freebsd_committer freebsd_triage 2022-11-18 23:29:59 UTC 
Fixed in 14 as detailed in https://reviews.freebsd.org/D35219

MFC'ed to 13 with commit b999366aab4e2d59cb8869b0e5ef0f70ab9b9bbe on Fri May 27 12:21:11 2022 -0700

Too old in 12 life to be candidate for MFC.