[Bug 269561] tarfs can crash if tarfile root entry is really a block file

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 14 Feb 2023 21:46:25 UTC

            Bug ID: 269561
           Summary: tarfs can crash if tarfile root entry is really a
                    block file
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 240162
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=240162&action=edit
tar file whose first entry is a "block device", causes tarfs to crash

tarfs_lookup_node() uses tnp->dir.dirhead without checking that
tnp->type is VDIR. If the first entry in the tar file has type
TAR_TYPE_BLOCK, then tnp->dir.dirhead actually contains the
major/minor device numbers, and tarfs_lookup_node() dereferences it
and (depending on what's there) crashes.

I've attached a demo tar file:

# mount -t tarfs tarfs1c.tar /mnt
panic: Fatal page fault at 0xffffffc00025d32e: 0x00006000000080
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x6000000080
tarfs_lookup_node() at tarfs_lookup_node+0x32
tarfs_lookup_path() at tarfs_lookup_path+0x18e
tarfs_alloc_one() at tarfs_alloc_one+0x66c
tarfs_alloc_mount() at tarfs_alloc_mount+0x150
tarfs_mount() at tarfs_mount+0x2c2
vfs_domount_first() at vfs_domount_first+0x1ae
vfs_domount() at vfs_domount+0x25c
vfs_donmount() at vfs_donmount+0x75e
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)

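A simplified C model of the type check the report says is missing, added here as an example (hypothetical struct and function names, not the FreeBSD tarfs source). It assumes the node's directory head and device numbers share a union, as the report describes, and shows the lookup refusing a block-device root with ENOTDIR instead of walking the device number as a pointer.

```c
/* Simplified model of the union aliasing behind the report (hypothetical
 * names and layout, not the FreeBSD tarfs source). */
#include <errno.h>
#include <stdint.h>
#include <string.h>
enum ntype { N_REG, N_DIR, N_BLK };

struct tnode {
	enum ntype type;
	const char *name;
	struct tnode *next;          /* next sibling in the parent's list */
	union {                      /* which member is valid depends on type */
		struct { struct tnode *dirhead; } dir;  /* N_DIR only */
		uint64_t rdev;                          /* N_BLK: major/minor */
	};
};

/* Checked lookup. Without the type test, a block-device root would have
 * dir.dirhead alias rdev and the loop would dereference the device number. */
static int lookup_checked(struct tnode *dnp, const char *name, struct tnode **out)
{
	if (dnp == NULL || dnp->type != N_DIR)
		return ENOTDIR;      /* the check the report says is missing */
	for (struct tnode *n = dnp->dir.dirhead; n != NULL; n = n->next)
		if (strcmp(n->name, name) == 0) {
			*out = n;
			return 0;
		}
	return ENOENT;
}

/* Root whose first tar entry was a block device: lookup must fail cleanly. */
static int demo_block_root(void)
{
	struct tnode root = { .type = N_BLK, .name = "/", .next = NULL };
	struct tnode *res = NULL;
	root.rdev = 0x6000000080ULL; /* constructed; same value as tval in the panic */
	return lookup_checked(&root, "etc", &res);
}

/* Ordinary directory root with one child: lookup succeeds and finds it. */
static int demo_dir_root(void)
{
	struct tnode child = { .type = N_REG, .name = "etc", .next = NULL };
	struct tnode root = { .type = N_DIR, .name = "/", .next = NULL };
	struct tnode *res = NULL;
	root.dir.dirhead = &child;
	return (lookup_checked(&root, "etc", &res) == 0 && res == &child) ? 0 : -1;
}
```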