LKML Archive on lore.kernel.org
From: "Aurélien Aptel" <aaptel@suse.com>
To: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
	"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] fs: NTFS read-write driver GPL implementation by Paragon Software.
Date: Fri, 14 Aug 2020 17:30:16 +0200
Message-ID: <87h7t5454n.fsf@suse.com>
In-Reply-To: <2911ac5cd20b46e397be506268718d74@paragon-software.com>

I've tried this using libntfs-3g mkfs.ntfs

# mkfs.ntfs /dev/vb1
# mount -t ntfs3 /dev/vb1 /mnt

This already triggered UBSAN:

 ================================================================================
 UBSAN: object-size-mismatch in fs/ntfs3/super.c:834:16
 load of address 000000006ae096b5 with insufficient space
 for an object of type 'const char'
 CPU: 3 PID: 1248 Comm: mount Not tainted 5.8.0+ #4
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
 Call Trace:
  dump_stack+0x78/0xa0
  ubsan_epilogue+0x5/0x40
  ubsan_type_mismatch_common.cold+0xc8/0xcd
  __ubsan_handle_type_mismatch_v1+0x32/0x37
  ntfs_fill_super+0x9f/0x13e0
  ? vsnprintf+0x1ef/0x4f0
  mount_bdev+0x193/0x1c0

Which points to:

	sb->s_magic = *(unsigned long *)s_magic; /* TODO */

Maybe store ('n'<<32)|('t'<<24)|('f'<<16)|('s'<<8) ?
Seems harmless.

* * *

Then I've tried to copy /etc into it:

# cp -rp /etc /mnt

But this triggered a NULL ptr deref:

 BUG: kernel NULL pointer dereference, address: 0000000000000028
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0 
 Oops: 0000 [#1] SMP NOPTI
 CPU: 0 PID: 1255 Comm: cp Not tainted 5.8.0+ #4
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
 RIP: 0010:ntfs_insert_security+0x187/0x4a0
 Code: 00 48 83 c4 18 85 c0 0f 85 54 01 00 00 48 8b 44 24 50 49 8d b5 d8 01 00 00 8b 54 24 60 83 c3 14 48 89 74 24 30 48 85 c0 74 3a <39> 58 28 0f 84 7e 01 00 00 49 89 e8 48 8d 4c 24 50 4c 89 f2 4c 89
 RSP: 0018:ffffac73403dfc58 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000064 RCX: 0000000000000010
 RDX: 00000000000000b0 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffff94154ed5fe00 R08: 0000000000000000 R09: 0000000000000001
 R10: ffff9415781a6180 R11: 0000000000000003 R12: ffff94155c989800
 R13: ffff94151e8d2a38 R14: ffff9415781a6170 R15: ffff9415781173f0
 FS:  00007fd19b86e580(0000) GS:ffff94157dc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000028 CR3: 000000001ac2a000 CR4: 0000000000350ef0
 Call Trace:
  ? mark_held_locks+0x49/0x70
  ? lockdep_hardirqs_on_prepare+0xf7/0x190
  ? ktime_get_coarse_real_ts64+0x9e/0xd0
  ? trace_hardirqs_on+0x1c/0xe0
  ntfs_create_inode+0x2db/0x11c0
  ntfs_mkdir+0x58/0x90
  vfs_mkdir+0x109/0x1f0
  do_mkdirat+0x81/0x120
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7fd19ad54dd7
 Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 b9 70 2c 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 70 2c 00 f7 d8 64 89 01 48
 RSP: 002b:00007ffec3c41588 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fd19ad54dd7
 RDX: 00000000000c0001 RSI: 00000000000001c0 RDI: 000055cad585fcf0
 RBP: 00007ffec3c41990 R08: 00007ffec3c41b50 R09: 00007fd19ada55c0
 R10: 00000000000001ef R11: 0000000000000206 R12: 00007ffec3c41b50
 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffec3c437be


(gdb) list *(ntfs_insert_security+0x187)
0xffffffff814e5097 is in ntfs_insert_security (fs/ntfs3/fsntfs.c:1811).
1806
1807            if (!e)
1808                    goto insert_security;
1809
1810    next_security:
1811            if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
1812                    goto skip_read_sds;
1813
1814            err = ntfs_read_run_nb(sbi, &ni->file.run, le64_to_cpu(e->sec_hdr.off),
1815                                   d_security, new_sec_size, NULL);

(gdb) disas /s ntfs_insert_security
....
1811            if (le32_to_cpu(e->sec_hdr.size) != new_sec_size)
   0xffffffff814e5097 <+391>:   cmp    %ebx,0x28(%rax) <=====
   0xffffffff814e509a <+394>:   je     0xffffffff814e521e <ntfs_insert_security+782>

(gdb) p/x (int)&((NTFS_DE_SDH*)0)->sec_hdr.size
$4 = 0x28

So I think 'e' is NULL. Not sure how it can happen.

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
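The two findings in the message above, restated as a small C program so the reasoning can be checked on a workstation. This is an added illustration, not code from the mail or from the Paragon driver. It assumes the driver's magic string is the four characters "ntfs" stored as a NUL-terminated array (five bytes), and it takes the field offset 0x28 from the gdb output quoted in the message; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the driver's s_magic string: 4 characters plus NUL. */
static const char ntfs_magic_str[] = "ntfs";

/* What UBSAN's object-size-mismatch is complaining about: a load of
 * load_size bytes through a cast pointer, from an object that is only
 * obj_size bytes long. *(unsigned long *)s_magic is an 8-byte load from
 * a 5-byte array on x86-64, so it reads three bytes past the object. */
static int wide_load_overreads(size_t obj_size, size_t load_size)
{
    return load_size > obj_size;
}

/* Safe replacement: pack the four magic characters into an unsigned long
 * one byte at a time. Every shift stays below 32 bits, so the value is
 * well defined on 32-bit and 64-bit hosts and identical on either
 * endianness, and nothing is read beyond the four characters. */
static unsigned long ntfs_magic_value(const char *m)
{
    return ((unsigned long)(unsigned char)m[0] << 24) |
           ((unsigned long)(unsigned char)m[1] << 16) |
           ((unsigned long)(unsigned char)m[2] << 8)  |
            (unsigned long)(unsigned char)m[3];
}

/* Triage rule used for the second oops: the faulting address (CR2 /
 * "address:" in the report) equals the offset of the field being read,
 * 0x28 in the gdb output, and lies in the first page. That combination is
 * the signature of a NULL base pointer, as opposed to a wild or freed one. */
static int fault_is_null_field_deref(unsigned long fault_addr,
                                     unsigned long field_offset)
{
    return fault_addr == field_offset && fault_addr < 4096;
}

int main(void)
{
    printf("8-byte load over-reads \"%s\"[%zu]: %d\n", ntfs_magic_str,
           sizeof(ntfs_magic_str),
           wide_load_overreads(sizeof(ntfs_magic_str), sizeof(unsigned long)));
    printf("packed magic: 0x%lx\n", ntfs_magic_value(ntfs_magic_str));
    printf("fault at 0x28 with field offset 0x28 looks like NULL deref: %d\n",
           fault_is_null_field_deref(0x28, 0x28));
    return 0;
}
```

The packed value depends only on the four characters, so it can be compared against a constant in the superblock code without any pointer cast; the triage helper is the same check done by hand above with `p/x (int)&((NTFS_DE_SDH*)0)->sec_hdr.size`.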
