[Bug 266693] llvm_textconf_decode() can LIST_REMOVE without previous LIST_INSERT_HEAD during taste
Date: Wed, 28 Sep 2022 21:41:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266693
Bug ID: 266693
Summary: llvm_textconf_decode() can LIST_REMOVE without previous LIST_INSERT_HEAD during taste
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 236928
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236928&action=edit
malicious disk image that causes a page fault in g_llvm_free_vg() during taste
In llvm_textconf_decode():

        /* basic checking */
        if (vg->vg_extentsize == 0)
                goto bad;

        md->md_vg = vg;
        LIST_INSERT_HEAD(&vg_list, vg, vg_next);
        G_LLVM_DEBUG(3, "vg: name=%s uuid=%s", vg->vg_name, vg->vg_uuid);
        return(0);

bad:
        g_llvm_free_vg(vg);
        return (-1);
This means g_llvm_free_vg(vg) can be called without vg having been
inserted into the list. But the latter calls LIST_REMOVE(vg, vg_next)
unconditionally.
I've attached a demo:
# kldload geom_linux_lvm
# mdconfig -f taste62b.img
panic: Fatal page fault at 0xffffffc08b604da6: 0000000000000000
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0
g_llvm_free_vg() at g_llvm_free_vg+0xc4
llvm_textconf_decode() at llvm_textconf_decode+0x4f4
g_llvm_read_md() at g_llvm_read_md+0x214
g_llvm_taste() at g_llvm_taste+0xd0
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x102
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #197 main-n250931-18f03443a230-dirty: Wed Sep 28 17:36:45 EDT 2022 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
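The failure path the report describes, as an added example that is neither the driver's code nor the committed fix: a userland model of the decode routine with the LIST_ macros expanded by hand (the names vg_insert_head, vg_remove, free_vg_safe and decode are assumptions), showing why a zeroed, never-inserted entry faults inside LIST_REMOVE and one way a free routine can guard against that.

```c
#include <stdlib.h>
/* LIST_ENTRY(vg) vg_next expanded by hand with <sys/queue.h> semantics: le_prev points
 * at the pointer that refers to this entry, so a zeroed, never-inserted vg has le_prev == NULL. */
struct vg {
    unsigned extentsize;
    struct vg *le_next;
    struct vg **le_prev;
};
static struct vg *vg_list;   /* LIST_HEAD(, vg) vg_list, initially empty */
static void vg_insert_head(struct vg *vg)   /* LIST_INSERT_HEAD(&vg_list, vg, vg_next) */
{
    if ((vg->le_next = vg_list) != NULL)
        vg_list->le_prev = &vg->le_next;
    vg_list = vg;
    vg->le_prev = &vg_list;
}

static void vg_remove(struct vg *vg)   /* LIST_REMOVE(vg, vg_next) */
{
    if (vg->le_next != NULL)
        vg->le_next->le_prev = vg->le_prev;
    *vg->le_prev = vg->le_next;   /* never inserted => store through NULL: the fault at address 0 */
}
static int vg_is_linked(const struct vg *vg) { return vg->le_prev != NULL; }
/* Hardened stand-in for g_llvm_free_vg(): unlink only when actually linked.
 * This is one possible fix (an assumption here), not the change committed to FreeBSD. */
static void free_vg_safe(struct vg *vg)
{
    if (vg_is_linked(vg))
        vg_remove(vg);
    free(vg);
}

/* Model of llvm_textconf_decode(): the "basic checking" failure path frees a vg
 * that was never inserted, which is exactly the path the report describes. */
static int decode(unsigned extentsize, struct vg **out)
{
    struct vg *vg = calloc(1, sizeof *vg);   /* like malloc(..., M_ZERO) */
    if (vg == NULL)
        return -1;
    vg->extentsize = extentsize;
    if (vg->extentsize == 0)   /* basic checking */
        goto bad;
    vg_insert_head(vg);
    *out = vg;
    return 0;
bad:
    free_vg_safe(vg);   /* the driver calls g_llvm_free_vg() here */
    return -1;
}
```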