Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 25 Jun 2025 10:30:54 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 287802] udf_getfid can bcopy off the end of the destination
Message-ID:  <bug-287802-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287802

            Bug ID: 287802
           Summary: udf_getfid can bcopy off the end of the destination
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In udf_getfid(), it's possible for frag_size to be negative,
interpreted by bcopy as a huge unsigned:

                frag_size = ds->size - ds->off;
                ...
                bcopy(fid, ds->buf, frag_size);

because ds->size can be zero but ds->off non-zero, from a previous
udf_getfid()'s call to

                /* Fetch the next allocation */
                ds->offset += ds->size;
                ds->size = 0;
                error = udf_readatoffset(ds->node, &ds->size, ds->offset,
                    &ds->bp, &ds->data);

Here's a demo with a corrupt UDF image:

# uname -a
FreeBSD xxx 15.0-CURRENT FreeBSD 15.0-CURRENT #29
main-n275520-a78ba87dd019-dirty: Fri May 23 17:52:21 AST 2025    
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# fetch http://www.rtmrtm.org/rtm/udf53a.iso
# mdconfig -f udf53a.iso
# mount_udf /dev/md0 /mnt
# ls -l /mnt
panic: vm_fault_lookup: fault on nofault entry, addr: 0xfffffe0126fff000

A gdb backtrace:

#0  memcpy (dst0=0xffffffc09e3fa800, src0=0xffffffd001b302d8, 
    length=18446744073709551576) at /usr/rtm/symbsd/src/sys/libkern/bcopy.c:70
#1  0xffffffc000387f6a in udf_getfid (ds=0xffffffd014b6d3a8)
    at /usr/rtm/symbsd/src/sys/fs/udf/udf_vnops.c:702
#2  0xffffffc0003878b4 in udf_readdir (a=0xffffffc082cdeab0)
    at /usr/rtm/symbsd/src/sys/fs/udf/udf_vnops.c:817

(gdb) print *ds
$35 = {node = 0xffffffd014b367f8, udfmp = 0xffffffd001b15d00, bp = 0x0, 
  data = 0xffffffd001b302b0 "\001\001(\b\225\002\005\004\200", 
  buf = 0xffffffc09e3fa800 "", fsize = 2080, off = 40, this_off = 320, 
  offset = 160, size = 0, error = 0, fid_fragment = 0}
(gdb) print frag_size
$34 = -40

-- 
You are receiving this mail because:
You are the assignee for the bug.
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-287802-227>