Created attachment 211872 [details] Contains PoC UFS image and detailed logs includes 13-current, 12.1-release and 12.1-stable Hi there, Kernel Panic is observed while mounting the usb drive which contains malicious UFS filesystem image. But if the automount is configured or user has ability to mount the usb drive then during mount kernel panic occurs. No user authentication and interaction is needed in case of automount is configured, tested with "/etc/fstab". Just flash the attached UFS image to usb drive and plug the usb drive to FreeBSD 13-CURRENT, 12.1-RELEASE, or 12.1-STABLE, then mount it. [Kernel Log - FreeBSD 13-CURRENT] freebsd dumped core - see /var/crash/vmcore.3 Wed Feb 19 18:42:20 UTC 2020 FreeBSD freebsd 13.0-CURRENT FreeBSD 13.0-CURRENT #0: Wed Feb 19 01:58:08 UTC 2020 root@freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 panic: getblk: size(75776) > maxbcachebuf(65536) GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-marcel-freebsd"... Unread portion of the kernel message buffer: panic: getblk: size(75776) > maxbcachebuf(65536) cpuid = 2 time = 1582135933 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0039ea3320 vpanic() at vpanic+0x185/frame 0xfffffe0039ea3380 panic() at panic+0x43/frame 0xfffffe0039ea33e0 getblkx() at getblkx+0x807/frame 0xfffffe0039ea34b0 breadn_flags() at breadn_flags+0x44/frame 0xfffffe0039ea3520 ffs_use_bread() at ffs_use_bread+0x70/frame 0xfffffe0039ea3590 ffs_sbget() at ffs_sbget+0x24f/frame 0xfffffe0039ea3600 ffs_mount() at ffs_mount+0xdf3/frame 0xfffffe0039ea37b0 vfs_domount() at vfs_domount+0x83c/frame 0xfffffe0039ea39e0 vfs_donmount() at vfs_donmount+0x911/frame 0xfffffe0039ea3a80 sys_nmount() at sys_nmount+0x69/frame 0xfffffe0039ea3ac0 amd64_syscall() at amd64_syscall+0x168/frame 0xfffffe0039ea3bf0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0039ea3bf0 --- syscall (378, FreeBSD ELF64, sys_nmount), rip = 0x8002f7a1a, rsp = 0x7fffffffd3b8, rbp = 0x7fffffffd920 --- KDB: enter: panic Uptime: 39m54s Dumping 258 out of 4062 MB:..7%..13%..25%..31%..44%..56%..62%..75%..81%..93% [Attachments] + UFS filesystem image + detailed logs from FreeBSD 13-CURRENT, 12.1-RELEASE, and 12.1-STABLE.
^Triage: Set to earliest confirmed supported branch version
Please check to see if my proposed change in https://reviews.freebsd.org/D35219 resolves this bug.
Fixed in 14 as detailed in https://reviews.freebsd.org/D35219 MFC'ed to 13 with commit b999366aab4e2d59cb8869b0e5ef0f70ab9b9bbe on Fri May 27 12:21:11 2022 -0700 Too old in 12 life to be candidate for MFC.