Bug 263822 - ffs(4): malicious USB memory stick can cause panic in FFS taste code: panic: Assertion size > 0 failed at /usr/rtm/symbsd/src/sys/kern/subr_vmem.c:1332
Summary: ffs(4): malicious USB memory stick can cause panic in FFS taste code: panic: ...
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-fs (Nobody)
URL:
Keywords: crash, needs-qa
Depends on:
Blocks: 263979
  Show dependency treegraph
 
Reported: 2022-05-06 16:54 UTC by Robert Morris
Modified: 2022-05-27 19:29 UTC (History)
4 users (show)

See Also:
koobs: maintainer-feedback? (mckusick)
koobs: mfc-stable13?
koobs: mfc-stable12?

Attachments
A disk image that causes a panic in ffs_sbget() during tasting. (8.00 KB, application/octet-stream)
2022-05-06 16:54 UTC, Robert Morris 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2022-05-06 16:54:40 UTC 
Created attachment 233775 [details]
A disk image that causes a panic in ffs_sbget() during tasting.

If ffs_sbget() sees a superblock with fs_cssize and fs_ncg equal to
0xffffffff, the kernel panics because this UFS_MALLOC() is passed a
negative size:

        size = fs->fs_cssize;
        ...
        if (fs->fs_contigsumsize > 0)
                size += fs->fs_ncg * sizeof(int32_t);
        size += fs->fs_ncg * sizeof(u_int8_t);
        ...
        if ((space = UFS_MALLOC(size, filltype, M_WAITOK)) == NULL) {

The taste system calls ffs_sbget() for any newly attached storage
device. So a user can get this crash upon inserting a USB stick even
if they don't try to mount it as FFS.

This might be similar to or the same as
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257557
but this report details the specific cause.

I've attached a demo disk image:

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #202 main-n250917-440e36e68279-dirty: Fri May  6 10:56:11 EDT 2022     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv
# mdconfig -f taste5b.img
panic: Assertion size > 0 failed at /usr/rtm/symbsd/src/sys/kern/subr_vmem.c:1332                                                                               
cpuid = 0
time = 1651834366
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x16e
panic() at panic+0x2a
vmem_alloc() at vmem_alloc+0xc8
kmem_malloc_domain() at kmem_malloc_domain+0x54
kmem_malloc_domainset() at kmem_malloc_domainset+0x36
malloc_large() at malloc_large+0x2a
malloc() at malloc+0xf8
ffs_sbget() at ffs_sbget+0x13c
g_label_ufs_taste_common() at g_label_ufs_taste_common+0x6c
g_label_ufs_id_taste() at g_label_ufs_id_taste+0xe
g_label_taste() at g_label_taste+0x198
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x106
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
KDB: enter: panic
[ thread pid 13 tid 100017 ]
Stopped at      breakpoint+0xa: c.ldsp  s0,0(sp)
db>
Comment 1 Kirk McKusick freebsd_committer 2022-05-16 00:20:35 UTC 
Please check to see if my proposed change in https://reviews.freebsd.org/D35219 resolves this bug.
Comment 2 Robert Morris 2022-05-18 09:25:06 UTC 
(In reply to Kirk McKusick from comment #1)
Yes -- your validate_sblock() of Apr 12 makes this problem go away.
Comment 3 Kirk McKusick freebsd_committer 2022-05-21 23:24:58 UTC 
(In reply to Robert Morris from comment #2)
Could you recheck with my updated patch of May 21 to ensure my relaxed checks did not reopen the vulnerability.
Comment 4 Robert Morris 2022-05-22 19:18:05 UTC 
(In reply to Kirk McKusick from comment #3)
Yes -- your patch of May 21 makes this problem go away for me.
Comment 5 Kirk McKusick freebsd_committer 2022-05-27 19:29:39 UTC 
Fixed by https://reviews.freebsd.org/D35219

Will close when MFC'ed to 13.