[Bug 287896] udf_readlink should check fentry->inf_len

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 29 Jun 2025 10:53:21 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287896

            Bug ID: 287896
           Summary: udf_readlink should check fentry->inf_len
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

A malformed UDF disk with a symbolic link's File Entry with a huge
(negative) inf_len can cause trouble starting with this code in
udf_readlink():

        len = le64toh(node->fentry->inf_len);
        buf = malloc(len, M_DEVBUF, M_WAITOK);
        iov[0].iov_len = len;
        iov[0].iov_base = buf;
        uio.uio_resid = iov[0].iov_len;
        error = VOP_READ(vp, &uio, 0, ap->a_cred);

I've put a demo UDF image at http://www.rtmrtm.org/rtm/udf52d.iso

(gdb) print node->fentry->inf_len
$1 = 9223369288075702256
(gdb) print/x node->fentry->inf_len
$2 = 0xffffffffffffeff0
(gdb) print len
$3 = -4112

If INVARIANTS, uiomove() will panic due to resid underflow. And I
worry that malloc() is not very robust to large negative arguments
that wrap when rounded up.
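An added illustration, not code from the report or from FreeBSD, of the narrowing the gdb output shows, of what a negative length becomes as an allocation size, and of the kind of bound check on inf_len a driver would want before malloc()/uiomove(); MAX_LINK_PAYLOAD and the function names are assumptions:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed upper bound for a symlink payload; a real driver would derive
 * it from its own limits (e.g. path length). The value is a guess. */
#define MAX_LINK_PAYLOAD 1024ULL

/* Decode the little-endian 64-bit inf_len field, as le64toh() does. */
static uint64_t le64_decode(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}
/* The narrowing in the report: a 64-bit on-disk length stored in an int.
 * Out-of-range conversion is implementation-defined; gcc and clang
 * truncate modulo 2^32, so 0xffffffffffffeff0 becomes -4112. */
static int narrow_to_int(uint64_t inf_len)
{
    return (int)inf_len;
}
/* What a negative int turns into when passed to a size_t parameter such
 * as malloc()'s: it wraps to just under 2^64. */
static size_t as_alloc_size(int len)
{
    return (size_t)len;
}
/* The check a reader would want before allocating: reject zero or
 * oversized lengths while the value is still 64-bit, before narrowing. */
static int checked_link_len(uint64_t inf_len, size_t *out)
{
    if (inf_len == 0 || inf_len > MAX_LINK_PAYLOAD)
        return EINVAL;
    *out = (size_t)inf_len;
    return 0;
}

int main(void)
{
    /* Constructed 8 bytes of a File Entry inf_len field matching the report. */
    const uint8_t bad[8] = {0xf0, 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    uint64_t inf_len = le64_decode(bad);
    size_t n;
    printf("len=%d alloc=%zu check=%d\n", narrow_to_int(inf_len),
           as_alloc_size(narrow_to_int(inf_len)), checked_link_len(inf_len, &n));
    return 0;
}
```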

# uname -a
FreeBSD xxx 15.0-CURRENT FreeBSD 15.0-CURRENT #30 main-n275522-551d428b5bdc:
Fri Jun 27 16:05:41 AST 2025    
root@xxx:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# fetch http://www.rtmrtm.org/rtm/udf52d.iso
# mdconfig -f udf52d.iso
# mount_udf /dev/md0 /mnt
# ls -l /mnt
panic: uiomove_faultflag: uio 0xfffffe00d6de3ba8 resid underflow
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00d6de39a0
vpanic() at vpanic+0x136/frame 0xfffffe00d6de3ad0
panic() at panic+0x43/frame 0xfffffe00d6de3b30
uiomove_faultflag() at uiomove_faultflag+0x1d2/frame 0xfffffe00d6de3b70
VOP_READ_APV() at VOP_READ_APV+0x2a/frame 0xfffffe00d6de3b90
udf_readlink() at udf_readlink+0xb8/frame 0xfffffe00d6de3c50
VOP_READLINK_APV() at VOP_READLINK_APV+0x2a/frame 0xfffffe00d6de3c70
kern_readlinkat() at kern_readlinkat+0x1bf/frame 0xfffffe00d6de3de0
sys_readlink() at sys_readlink+0x26/frame 0xfffffe00d6de3e00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe00d6de3f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00d6de3f30
--- syscall (58, FreeBSD ELF64, readlink), rip = 0xd6c8f963dda, rsp =
0xd6c8ba07088, rbp = 0xd6c8ba07920 ---
