Bug 244349 - [5] [Kernel panic: wrong length 34560 for sectorsize 512] observed while plugging the UFS USB drive on FreeBSD 13-CURRENT
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-geom (Nobody)
URL:
Keywords:
Depends on:
Blocks: 244384
 
Reported: 2020-02-23 20:13 UTC by Neeraj
Modified: 2022-11-18 23:27 UTC (History)

See Also:


Attachments
Contains PoC UFS image and detailed logs includes 13-current (188 bytes, text/plain)
2020-02-23 20:13 UTC, Neeraj

Description Neeraj 2020-02-23 20:13:27 UTC
Created attachment 211871
Contains PoC UFS image and detailed logs includes 13-current

Hi there,

A kernel panic is observed while attaching a USB drive which contains a malicious UFS filesystem image. No user authentication or interaction is needed.

Just flash the attached UFS image to a USB drive and plug the USB drive into FreeBSD 13-CURRENT.

This is not observed on
+ FreeBSD 12.1-RELEASE r354233
+ FreeBSD 12.1-STABLE r358121.

[Kernel Log - FreeBSD 13-CURRENT]

freebsd dumped core - see /var/crash/vmcore.6

Wed Feb 19 15:59:08 UTC 2020

FreeBSD freebsd 13.0-CURRENT FreeBSD 13.0-CURRENT #0: Wed Feb 19
01:58:08 UTC 2020
root@freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

panic: wrong length 34560 for sectorsize 512

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
Superblock check-hash failed: recorded check-hash 0xc0428f31 !=
computed check-hash 0x5efc8da1 (Ignored)
panic: wrong length 34560 for sectorsize 512
cpuid = 0
time = 1582127757
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe002c779840
vpanic() at vpanic+0x185/frame 0xfffffe002c7798a0
panic() at panic+0x43/frame 0xfffffe002c779900
g_io_request() at g_io_request+0x331/frame 0xfffffe002c779930
g_read_data() at g_read_data+0x94/frame 0xfffffe002c779970
g_use_g_read_data() at g_use_g_read_data+0x35/frame 0xfffffe002c779990
ffs_sbget() at ffs_sbget+0x24f/frame 0xfffffe002c779a00
g_label_ufs_taste_common() at g_label_ufs_taste_common+0x79/frame
0xfffffe002c779a40
g_label_taste() at g_label_taste+0x2ac/frame 0xfffffe002c779b50
g_new_provider_event() at g_new_provider_event+0xaa/frame 0xfffffe002c779b70
g_run_events() at g_run_events+0x176/frame 0xfffffe002c779bb0
fork_exit() at fork_exit+0x80/frame 0xfffffe002c779bf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe002c779bf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
Uptime: 17m41s
Dumping 260 out of 4062 MB:..7%..13%..25%..31%..44%..56%..62%..74%..87%..93%

[Attachments]
+ UFS filesystem image
+ detailed logs from FreeBSD 13-CURRENT
Comment 1 Kirk McKusick freebsd_committer freebsd_triage 2022-11-18 23:27:30 UTC
Fixed in 14 as detailed in https://reviews.freebsd.org/D35219

MFC'ed to 13 with commit b999366aab4e2d59cb8869b0e5ef0f70ab9b9bbe on Fri May 27 12:21:11 2022 -0700

Too old in 12 life to be candidate for MFC.