[Bug 244351] [7] Kernel panic observed while plugging the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121

bugzilla-noreply at freebsd.org
Sun Feb 23 20:26:50 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244351

            Bug ID: 244351
           Summary: [7] Kernel panic observed while plugging the UFS USB
                    drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE
                    r354233 and FreeBSD 12.1-STABLE r358121
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: neerajpal09 at gmail.com

Created attachment 211873
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=211873&action=edit
Contains PoC UFS image and detailed logs, including 13-current, 12.1-release and
12.1-stable

Hi there,

A kernel panic is observed while mounting a USB drive which contains a malicious
UFS filesystem image.

But if automount is configured, or the user has the ability to mount the USB
drive, then a kernel panic occurs during the mount.

No user authentication or interaction is needed when automount is
configured; tested with "/etc/fstab".

Just flash the attached UFS image to a USB drive and plug the USB drive into
FreeBSD 13-CURRENT, 12.1-RELEASE, or 12.1-STABLE, then mount it.

[Kernel Log - FreeBSD 13-CURRENT]

freebsd dumped core - see /var/crash/vmcore.4

Wed Feb 19 18:50:05 UTC 2020

FreeBSD freebsd 13.0-CURRENT FreeBSD 13.0-CURRENT #0: Wed Feb 19 01:58:08 UTC
2020     root at freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

panic: usermode va fffffdffb39cb000

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: usermode va fffffdffb39cb000
cpuid = 0
time = 1582138127
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0039f1d3d0
vpanic() at vpanic+0x185/frame 0xfffffe0039f1d430
panic() at panic+0x43/frame 0xfffffe0039f1d490
pmap_pinit0() at pmap_pinit0/frame 0xfffffe0039f1d4a0
allocbuf() at allocbuf+0x1fc/frame 0xfffffe0039f1d500
getblkx() at getblkx+0x6d9/frame 0xfffffe0039f1d5d0
getblk() at getblk+0x22/frame 0xfffffe0039f1d600
ffs_mount() at ffs_mount+0x1be0/frame 0xfffffe0039f1d7b0
vfs_domount() at vfs_domount+0x83c/frame 0xfffffe0039f1d9e0
vfs_donmount() at vfs_donmount+0x911/frame 0xfffffe0039f1da80
sys_nmount() at sys_nmount+0x69/frame 0xfffffe0039f1dac0
amd64_syscall() at amd64_syscall+0x168/frame 0xfffffe0039f1dbf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0039f1dbf0
--- syscall (378, FreeBSD ELF64, sys_nmount), rip = 0x8002f7a1a, rsp =
0x7fffffffd3b8, rbp = 0x7fffffffd920 ---
KDB: enter: panic
Uptime: 6m53s
Dumping 262 out of 4062 MB:..7%..13%..25%..31%..43%..55%..61%..74%..86%..92%


[Attachments]
+ UFS filesystem image
+ detailed logs from FreeBSD 13-CURRENT, 12.1-RELEASE, and 12.1-STABLE.
