From: "Aurélien Aptel" <aaptel@suse.com>
To: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] fs: NTFS read-write driver GPL implementation by Paragon Software.
Date: Fri, 14 Aug 2020 17:30:16 +0200
Message-ID: <87h7t5454n.fsf@suse.com>
In-Reply-To: <2911ac5cd20b46e397be506268718d74@paragon-software.com>
I've tried this using libntfs-3g mkfs.ntfs
# mkfs.ntfs /dev/vb1
# mount -t ntfs3 /dev/vb1 /mnt
This already triggered UBSAN:
================================================================================
UBSAN: object-size-mismatch in fs/ntfs3/super.c:834:16
load of address 000000006ae096b5 with insufficient space
for an object of type 'const char'
CPU: 3 PID: 1248 Comm: mount Not tainted 5.8.0+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
Call Trace:
dump_stack+0x78/0xa0
ubsan_epilogue+0x5/0x40
ubsan_type_mismatch_common.cold+0xc8/0xcd
__ubsan_handle_type_mismatch_v1+0x32/0x37
ntfs_fill_super+0x9f/0x13e0
? vsnprintf+0x1ef/0x4f0
mount_bdev+0x193/0x1c0
Which points to:
sb->s_magic = *(unsigned long *)s_magic; /* TODO */
Maybe store ('n'<<32)|('t'<<24)|('f'<<16)|('s'<<8) ?
Seems harmless.
* * *
Then I've tried to copy /etc into it:
# cp -rp /etc /mnt
But this triggered a NULL ptr deref:
BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 PID: 1255 Comm: cp Not tainted 5.8.0+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
RIP: 0010:ntfs_insert_security+0x187/0x4a0
Code: 00 48 83 c4 18 85 c0 0f 85 54 01 00 00 48 8b 44 24 50 49 8d b5 d8 01 00 00 8b 54 24 60 83 c3 14 48 89 74 24 30 48 85 c0 74 3a <39> 58 28 0f 84 7e 01 00 00 49 89 e8 48 8d 4c 24 50 4c 89 f2 4c 89
RSP: 0018:ffffac73403dfc58 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000064 RCX: 0000000000000010
RDX: 00000000000000b0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff94154ed5fe00 R08: 0000000000000000 R09: 0000000000000001
R10: ffff9415781a6180 R11: 0000000000000003 R12: ffff94155c989800
R13: ffff94151e8d2a38 R14: ffff9415781a6170 R15: ffff9415781173f0
FS: 00007fd19b86e580(0000) GS:ffff94157dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 000000001ac2a000 CR4: 0000000000350ef0
Call Trace:
? mark_held_locks+0x49/0x70
? lockdep_hardirqs_on_prepare+0xf7/0x190
? ktime_get_coarse_real_ts64+0x9e/0xd0
? trace_hardirqs_on+0x1c/0xe0
ntfs_create_inode+0x2db/0x11c0
ntfs_mkdir+0x58/0x90
vfs_mkdir+0x109/0x1f0
do_mkdirat+0x81/0x120
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fd19ad54dd7
Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 b9 70 2c 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 70 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffec3c41588 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fd19ad54dd7
RDX: 00000000000c0001 RSI: 00000000000001c0 RDI: 000055cad585fcf0
RBP: 00007ffec3c41990 R08: 00007ffec3c41b50 R09: 00007fd19ada55c0
R10: 00000000000001ef R11: 0000000000000206 R12: 00007ffec3c41b50
R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffec3c437be
(gdb) list *(ntfs_insert_security+0x187)
0xffffffff814e5097 is in ntfs_insert_security (fs/ntfs3/fsntfs.c:1811).
1806
1807 if (!e)
1808 goto insert_security;
1809
1810 next_security:
1811 if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
1812 goto skip_read_sds;
1813
1814 err = ntfs_read_run_nb(sbi, &ni->file.run, le64_to_cpu(e->sec_hdr.off),
1815 d_security, new_sec_size, NULL);
(gdb) disas /s ntfs_insert_security
....
1811 if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
0xffffffff814e5097 <+391>: cmp %ebx,0x28(%rax) <=====
0xffffffff814e509a <+394>: je 0xffffffff814e521e <ntfs_insert_security+782>
(gdb) p/x (int)&((NTFS_DE_SDH*)0)->sec_hdr.size
$4 = 0x28
So I think 'e' is NULL. Not sure how it can happen.
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
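Added worked example (not part of the message above and not code from the ntfs3 driver): the UBSAN hit is a load of sizeof(unsigned long) bytes through a pointer to a short `const char` array, and the oops is a field access through a NULL base pointer, recognisable because the faulting address (CR2 = 0x28) equals the field offset gdb printed. The block below models both: a bounded way to build the magic value from a short string, the "fault address == offsetof(field)" check, and a hardened shape of the `next_security:` lookup where the NULL test sits at the label so no backward `goto` can bypass it. The `s_magic` string, the `struct de_sdh` layout (padded so `sec_hdr.size` lands at 0x28) and the `find_next()` index are constructed stand-ins, not the driver's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Part 1: the s_magic cast. "ntfs" is a constructed stand-in for the
 * driver's s_magic string (assumed to be a short NUL-terminated array). */
static const char s_magic[] = "ntfs";

/* UBSAN's object-size rule in one line: a load of load_size bytes only
 * fits if the object it reads from is at least that large. */
static int load_fits(size_t object_size, size_t load_size)
{
    return object_size >= load_size;
}

/* Bounded replacement for "*(unsigned long *)s_magic": pack at most
 * sizeof(unsigned long) characters, first character most significant,
 * never reading past the string. */
static unsigned long pack_magic(const char *s)
{
    unsigned long v = 0;
    size_t n = strlen(s);

    if (n > sizeof(v))
        n = sizeof(v);
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | (unsigned char)s[i];
    return v;
}

/* Part 2: the NULL dereference. Constructed stand-in for NTFS_DE_SDH; the
 * real layout is not reproduced. head[] is sized so that sec_hdr.size sits
 * at offset 0x28, the value gdb printed and the CR2 in the oops. */
struct sec_hdr {
    uint32_t hash;   /* 0x18 */
    uint32_t id;     /* 0x1c */
    uint64_t off;    /* 0x20 */
    uint32_t size;   /* 0x28 */
};
struct de_sdh {
    uint8_t head[0x18];
    struct sec_hdr sec_hdr;
};

/* A fault at a tiny address while accessing a field means the base pointer
 * was NULL: the fault address is exactly the field's offset. */
static int fault_is_null_base(uintptr_t fault_addr)
{
    return fault_addr == offsetof(struct de_sdh, sec_hdr.size);
}

/* Constructed index of up to 4 entries; NULL means "no more entries". */
struct index {
    struct de_sdh *slots[4];
    size_t pos;
};

static struct de_sdh *find_next(struct index *idx)
{
    if (idx->pos >= 4)
        return NULL;
    return idx->slots[idx->pos++];
}

/* Hardened lookup: the NULL test is the first statement after the label,
 * so a "goto next_security" taken after advancing e cannot reach
 * e->sec_hdr.size with e == NULL. Returns 1 if an entry of the wanted
 * size exists, 0 otherwise. */
static int find_matching_size(struct index *idx, uint32_t new_sec_size)
{
    struct de_sdh *e = find_next(idx);

next_security:
    if (!e)
        return 0;                       /* driver: goto insert_security */
    if (e->sec_hdr.size != new_sec_size) {
        e = find_next(idx);             /* driver: skip_read_sds path */
        goto next_security;
    }
    return 1;
}

/* Two constructed indexes: one holding a 0x64-byte entry, one that runs
 * out of entries first (the case that would dereference NULL). */
static int demo_found(void)
{
    struct de_sdh a = { .sec_hdr = { .size = 0x50 } };
    struct de_sdh b = { .sec_hdr = { .size = 0x64 } };
    struct index idx = { .slots = { &a, &b, NULL, NULL }, .pos = 0 };
    return find_matching_size(&idx, 0x64);
}

static int demo_exhausted(void)
{
    struct de_sdh a = { .sec_hdr = { .size = 0x50 } };
    struct index idx = { .slots = { &a, NULL, NULL, NULL }, .pos = 0 };
    return find_matching_size(&idx, 0x64);
}

int main(void)
{
    printf("5-byte object, %zu-byte load fits: %d\n", sizeof(unsigned long),
           load_fits(sizeof(s_magic), sizeof(unsigned long)));
    printf("packed magic: 0x%lx\n", pack_magic(s_magic));
    printf("CR2 0x28 is a NULL-base field access: %d\n", fault_is_null_base(0x28));
    printf("found: %d, exhausted: %d\n", demo_found(), demo_exhausted());
    return 0;
}
```

The offset computation is the same one the gdb step `p/x (int)&((NTFS_DE_SDH*)0)->sec_hdr.size` performs; when the register holding the base (RAX here) is zero and CR2 equals that offset, the base pointer is NULL and the question becomes which path reached the label without passing the NULL check.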
Thread overview: 13+ messages
2020-08-14 12:29 [PATCH] fs: NTFS read-write driver GPL implementation by Paragon Software Konstantin Komarov
2020-08-14 13:17 ` Nikolay Borisov
2020-08-14 13:40 ` David Sterba
2020-08-20 9:26 ` Konstantin Komarov
2020-08-20 10:59 ` Konstantin Komarov
2020-08-14 14:08 ` Aurélien Aptel
2020-08-20 10:20 ` Konstantin Komarov
2020-08-14 15:30 ` Aurélien Aptel [this message]
2020-08-20 10:38 ` Konstantin Komarov
2020-08-15 19:06 ` David Sterba
2020-08-16 0:42 ` Matthew Wilcox
2020-08-20 10:48 ` Konstantin Komarov
2020-08-16 7:56 ` Pali Rohár