[Bug 269519] corrupt tar file can cause tarfs file system to panic or crash

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 12 Feb 2023 22:05:19 UTC

            Bug ID: 269519
           Summary: corrupt tar file can cause tarfs file system to panic
                    or crash
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 240118
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240118&action=edit
broken tar file that causes tarfs to crash

I've attached a corrupt tar file with the following content:

# tar tvf tarfs10a.tar 
drwxr-xr-x  0 rtm    wheel       0 Feb 11 12:28 ./
---sr-Sr-T  0 rtm    wheel     512 Feb  1  2189 ./d
drwxr-xr-x  0 rtm    wheel       0 Feb 11 12:28 ./d/
-rw-r--r--  0 rtm    wheel       2 Feb 11 12:28 ./d/b

There are two entries for "d"; the first is a file, the second is a
directory. When tarfs looks up d/b, this causes the parent tarfs_node
passed to tarfs_alloc_node() to refer to a non-VDIR node. When mounted
with tarfs on an INVARIANTS kernel, it yields the panic shown below.
On a non-INVARIANTS kernel, there's a crash just after line 236 in
TAILQ_INSERT_TAIL(&parent->dir.dirhead) because the parent->dir union
entry isn't appropriate for a VDIR.

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #41 main-n250948-9475c0be36c7-dirty:
Sun Feb 12 16:10:13 EST 2023    
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# mount -t tarfs tarfs10a.tar
panic: Assertion parent->type == VDIR failed at
panic() at panic+0x2a
tarfs_alloc_node() at tarfs_alloc_node+0x380
tarfs_alloc_one() at tarfs_alloc_one+0xa9e
tarfs_alloc_mount() at tarfs_alloc_mount+0x1a4
tarfs_mount() at tarfs_mount+0x4a2
vfs_domount_first() at vfs_domount_first+0x1ae
vfs_domount() at vfs_domount+0x25c
vfs_donmount() at vfs_donmount+0x75e
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)

You are receiving this mail because:
You are the assignee for the bug.