From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 221501] [msdosfs] panic 11.0-RELEASE by mounting a malformed msdosfs image
Date: Mon, 14 Aug 2017 02:07:01 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221501

            Bug ID: 221501
           Summary: [msdosfs] panic 11.0-RELEASE by mounting a malformed msdosfs image
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: open.source@ribose.com

It is possible to panic 11.0-RELEASE by mounting a malformed msdosfs image. The malformed msdosfs image can be found at the GitHub URL at the bottom of this message.

Console output:

panic: vm_fault: fault on nofault entry, addr: fffffe003d591000
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff80b24077 at kdb_backtrace+0x67
#1 0xffffffff80ad93e2 at vpanic+0x182
#2 0xffffffff80ad9253 at panic+0x43
#3 0xffffffff80e12601 at vm_fault_hold+0x2721
#4 0xffffffff80e0fe98 at vm_fault+0x78
#5 0xffffffff80fa0e39 at trap_pfault+0x78
#6 0xffffffff80fa04cc at trap+0x26c
#7 0xffffffff80f84141 at calltrap+0x8
#8 0xffffffff8098e8f6 at msdosfs_mount+0x10f6
#9 0xffffffff80ba1ae0 at vfs_donmount+0xf90
#10 0xffffffff80ba0b22 at sys_nmount+0x72
#11 0xffffffff80fa168e at amd64_syscall+0x4ce
#12 0xffffffff80f8442b at Xfast_syscall+0xfb
Uptime: 4m39s
Dumping 116 out of 991 MB

dmesg:

Copyright (c) 1992-2016 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu Sep 29 01:43:23 UTC 2016
    root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 3.8.0)
VT(vga): text 80x25
CPU: Intel(R) Core(TM) i7-4850HQ CPU @ 2.30GHz (2294.74-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x40661  Family=0x6  Model=0x46  Stepping=1
  Features=0x783fbff
  Features2=0x5ed8220b
  AMD Features=0x28100800
  AMD Features2=0x21
  Structured Extended Features=0x2000
  TSC: P-state invariant
real memory  = 1073676288 (1023 MB)
avail memory = 996921344 (950 MB)
Event timer "LAPIC" quality 400
ACPI APIC Table:
random: unblocking device.
ioapic0: Changing APIC ID to 1
ioapic0 irqs 0-23 on motherboard
random: entropy device external interface
kbd1 at kbdmux0
netmap: loaded module
module_register_init: MOD_LOAD (vesa, 0xffffffff8101c950, 0) error 19
random: registering fast source Intel Secure Key RNG
random: fast provider: "Intel Secure Key RNG"
vtvga0: on motherboard
cryptosoft0: on motherboard
acpi0: on motherboard
acpi0: Power Button (fixed)
acpi0: Sleep Button (fixed)
cpu0: on acpi0
attimer0: port 0x40-0x43,0x50-0x53 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
isab0: at device 1.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xd000-0xd00f at device 1.1 on pci0
ata0: at channel 0 on atapci0
ata1: at channel 1 on atapci0
vgapci0: mem 0xe0000000-0xe0ffffff irq 18 at device 2.0 on pci0
vgapci0: Boot video device
em0: port 0xd010-0xd017 mem 0xf0000000-0xf001ffff irq 19 at device 3.0 on pci0
em0: Ethernet address: 08:00:27:dd:aa:53
em0: netmap queues/slots: TX 1/256, RX 1/256
ohci0: mem 0xf0804000-0xf0804fff irq 22 at device 6.0 on pci0
usbus0 on ohci0
pci0: at device 7.0 (no driver attached)
ehci0: mem 0xf0805000-0xf0805fff irq 19 at device 11.0 on pci0
usbus1: EHCI version 1.0
usbus1 on ehci0
battery0: on acpi0
acpi_acad0: on acpi0
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model IntelliMouse Explorer, device ID 4
orm0: at iomem 0xc0000-0xc7fff,0xe2000-0xe2fff on isa0
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
atrtc0: at port 0x70 irq 8 on isa0
Event timer "RTC" frequency 32768 Hz quality 0
ppc0: cannot reserve I/O port range
Timecounters tick every 1.000 msec
nvme cam probe device init
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1: at usbus0
uhub0: on usbus0
ugen1.1: at usbus1
uhub1: on usbus1
cd0 at ata1 bus 0 scbus1 target 0 lun 0
cd0: Removable CD-ROM SCSI device
cd0: Serial Number VB2-01700376
cd0: 33.300MB/s transfers (UDMA2, ATAPI 12bytes, PIO 65534bytes)
cd0: Attempt to query device size failed: NOT READY, Medium not present
ada0 at ata0 bus 0 scbus0 target 0 lun 0
ada0: ATA-6 device
ada0: Serial Number VBa8519eec-bd0b8736
ada0: 33.300MB/s transfers (UDMA2, PIO 65536bytes)
ada0: 16384MB (33554432 512 byte sectors)
taskqgroup_adjust failed cnt: 1 stride: 1 mp_ncpus: 1 smp_started: 0
taskqgroup_adjust failed cnt: 1 stride: 1 mp_ncpus: 1 smp_started: 0
Timecounter "TSC-low" frequency 1147371524 Hz quality 1000
Trying to mount root from ufs:/dev/ada0s1a [rw]...
uhub0: 12 ports with 12 removable, self powered
em0: link state changed to UP
uhub1: 12 ports with 12 removable, self powered

A copy of the malformed msdosfs image, dmesg, and console output can be found here:
https://github.com/riboseinc/fuzzbsd/tree/master/results/freebsd_11.0/msdos/12

This submission is in response to the Ribose Retrace Challenge.
The Bug Challenge encourages finding bugs (any bug AND security vulnerabilities) in well-known software (OSS / proprietary) using retrace (https://github.com/riboseinc/retrace).

-- 
You are receiving this mail because:
You are the assignee for the bug.
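The report places the fault inside msdosfs_mount but does not say which on-disk field the fuzzed image corrupts. As an added example, not code from the report, from the fuzzbsd repository or from FreeBSD's msdosfs, the program below parses the FAT BIOS Parameter Block and applies the range and consistency checks a mount path has to make before it derives geometry from values an attacker controls: every divisor is bounded before use, derived sizes are computed in 64-bit arithmetic, and the metadata area is checked against the volume size. The limits chosen here (512 to 4096 bytes per sector, clusters of at most 64 KiB, FAT16 capped at 65524 clusters) and the constructed boot sectors are this example's own assumptions and are not taken from the report or from any FreeBSD source.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of validating a FAT boot sector before any geometry is trusted. */
enum bpb_status {
    BPB_OK = 0,
    BPB_ERR_SHORT,     /* fewer than 512 bytes supplied */
    BPB_ERR_BPS,       /* bytes/sector not a power of two in [512, 4096] */
    BPB_ERR_SPC,       /* sectors/cluster not a power of two in [1, 128] */
    BPB_ERR_CLUSTER,   /* cluster exceeds the 64 KiB cap this example imposes */
    BPB_ERR_RESERVED,  /* zero reserved sectors: the boot sector itself has no home */
    BPB_ERR_NFATS,     /* zero FAT copies */
    BPB_ERR_TOTSEC,    /* total sectors zero, or set in both the 16- and 32-bit field */
    BPB_ERR_FATSZ,     /* FAT size zero */
    BPB_ERR_ROOTENT,   /* root entry count inconsistent with the FAT flavour */
    BPB_ERR_GEOMETRY,  /* metadata runs past the volume, or no data clusters remain */
    BPB_ERR_FATSMALL   /* FAT too small to hold one entry per cluster */
};

struct bpb_geom {
    uint32_t bytes_per_sector, sectors_per_cluster, total_sectors;
    uint32_t fat_sectors, first_data_sector, cluster_count;
    int fat_bits;      /* 12, 16 or 32 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Validate the BPB in the first `len` bytes of `sec`; *g is filled only on success. */
enum bpb_status bpb_validate(const uint8_t *sec, size_t len, struct bpb_geom *g)
{
    if (len < 512) return BPB_ERR_SHORT;
    uint32_t bps = rd16(sec + 11), spc = sec[13], reserved = rd16(sec + 14);
    uint32_t nfats = sec[16], root_entries = rd16(sec + 17);
    uint32_t tot16 = rd16(sec + 19), fatsz16 = rd16(sec + 22);
    uint32_t tot32 = rd32(sec + 32), fatsz32 = rd32(sec + 36);

    /* Bound every divisor and multiplier before it is used anywhere. */
    if (!is_pow2(bps) || bps < 512 || bps > 4096) return BPB_ERR_BPS;
    if (!is_pow2(spc) || spc > 128) return BPB_ERR_SPC;
    if ((uint64_t)bps * spc > 65536) return BPB_ERR_CLUSTER;
    if (reserved == 0) return BPB_ERR_RESERVED;
    if (nfats == 0) return BPB_ERR_NFATS;
    if ((tot16 == 0) == (tot32 == 0)) return BPB_ERR_TOTSEC;  /* exactly one must be set */
    uint32_t total = tot16 ? tot16 : tot32;
    int is_fat32 = (fatsz16 == 0);                   /* FAT32 zeroes the 16-bit FAT size */
    uint32_t fatsz = is_fat32 ? fatsz32 : fatsz16;
    if (fatsz == 0) return BPB_ERR_FATSZ;
    if (is_fat32 ? root_entries != 0 : root_entries == 0) return BPB_ERR_ROOTENT;

    /* Derived geometry in 64-bit arithmetic so crafted values cannot wrap. */
    uint64_t root_sectors = ((uint64_t)root_entries * 32 + bps - 1) / bps;
    uint64_t first_data = (uint64_t)reserved + (uint64_t)nfats * fatsz + root_sectors;
    if (first_data >= total) return BPB_ERR_GEOMETRY;
    uint64_t clusters = (total - first_data) / spc;
    if (clusters == 0) return BPB_ERR_GEOMETRY;
    if (!is_fat32 && clusters >= 65525) return BPB_ERR_GEOMETRY;   /* FAT16 cannot address them */
    int fat_bits = is_fat32 ? 32 : (clusters < 4085 ? 12 : 16);
    uint64_t needed = ((clusters + 2) * (uint64_t)fat_bits + 7) / 8; /* entries 0 and 1 are reserved */
    if (needed > (uint64_t)fatsz * bps) return BPB_ERR_FATSMALL;

    if (g) {
        g->bytes_per_sector = bps; g->sectors_per_cluster = spc; g->total_sectors = total;
        g->fat_sectors = fatsz; g->first_data_sector = (uint32_t)first_data;
        g->cluster_count = (uint32_t)clusters; g->fat_bits = fat_bits;
    }
    return BPB_OK;
}

/* Build a FAT12/16-style boot sector from the given fields. Constructed test data
 * for this example; it is not derived from the image attached to the bug report. */
void build_fat16_sector(uint8_t out[512], uint16_t bps, uint8_t spc, uint16_t reserved,
                        uint8_t nfats, uint16_t root_entries, uint32_t tot32, uint16_t fatsz16)
{
    memset(out, 0, 512);
    out[0] = 0xEB; out[1] = 0x3C; out[2] = 0x90;             /* jmp short / nop */
    memcpy(out + 3, "MSWIN4.1", 8);                          /* OEM name */
    out[11] = bps & 0xFF; out[12] = bps >> 8;
    out[13] = spc;
    out[14] = reserved & 0xFF; out[15] = reserved >> 8;
    out[16] = nfats;
    out[17] = root_entries & 0xFF; out[18] = root_entries >> 8;
    out[21] = 0xF8;                                          /* media descriptor: fixed disk */
    out[22] = fatsz16 & 0xFF; out[23] = fatsz16 >> 8;
    for (int i = 0; i < 4; i++) out[32 + i] = (tot32 >> (8 * i)) & 0xFF;
    out[510] = 0x55; out[511] = 0xAA;
}

int main(void)
{
    uint8_t sec[512]; struct bpb_geom g;
    build_fat16_sector(sec, 512, 4, 4, 2, 512, 65536, 64);   /* sane 32 MiB FAT16 volume */
    enum bpb_status st = bpb_validate(sec, 512, &g);
    printf("sane image: status %d, %u clusters, FAT%d\n", st, g.cluster_count, g.fat_bits);
    build_fat16_sector(sec, 0, 4, 4, 2, 512, 65536, 64);     /* bytes/sector = 0 */
    printf("bps=0: status %d\n", bpb_validate(sec, 512, NULL));
    build_fat16_sector(sec, 512, 4, 4, 2, 512, 100, 64);     /* metadata larger than the volume */
    printf("tiny volume: status %d\n", bpb_validate(sec, 512, NULL));
    return 0;
}
```

The point of the ordering is that nothing downstream (division by bytes per sector, multiplication by FAT count, indexing the FAT by cluster number) runs until its inputs are known to be in range; a mount path that computes first and checks afterwards is the pattern a fuzzed boot sector exercises.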