Hi there, Kernel panic is observed while mouting the Unix fast filesystem image. Tested and confirmed on both OpenBSD 6.6 and -current.
Please find the below github link to get the PoC filesystem image https://github.com/bsdb0y/OpenBSD-filesystem-fuzzing-PoCs/blob/master/Filesystems/UnixFastFilesystem/during_after_mount_operation/panic_1_malloc_allocation_large/PoC/ufs.1.img [Steps to reproduce] 1. vnconfig poc_image 2. mount /dev//vndXc /mnt/some_where 3. during step 2 panic occurs [Logs given below] openbsd# vnconfig check/ufs.1.img vnd0 openbsd# mount /dev/vnd0c /mnt/check_mt/ panic: malloc: allocation too large, type = 28, size = 18446744073592113152 Stopped at db_enter+0x10: popq %rbp TID PID UID PRFLAGS PFLAGS CPU COMMAND *395363 33339 0 0x3 0 0 mount_ffs db_enter() at db_enter+0x10 panic(ffffffff81c5ca1a) at panic+0x128 malloc(fffffffff9000800,1c,1) at malloc+0x6d9 ffs_mountfs(fffffd806d1d35c0,ffff8000003ebc00,ffff80002105e768) at ffs_mountfs+ 0x503 ffs_mount(ffff8000003ebc00,ffff8000210bf810,ffff800000440080,ffff8000210bf740,f fff80002105e768) at ffs_mount+0x32b sys_mount(ffff80002105e768,ffff8000210bf900,ffff8000210bf960) at sys_mount+0x38 f syscall(ffff8000210bf9d0) at syscall+0x315 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffffa240, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> show panic malloc: allocation too large, type = 28, size = 18446744073592113152 ddb> trace db_enter() at db_enter+0x10 panic(ffffffff81c5ca1a) at panic+0x128 malloc(fffffffff9000800,1c,1) at malloc+0x6d9 ffs_mountfs(fffffd806d1d35c0,ffff8000003ebc00,ffff80002105e768) at ffs_mountfs+ 0x503 ffs_mount(ffff8000003ebc00,ffff8000210bf810,ffff800000440080,ffff8000210bf740,f fff80002105e768) at ffs_mount+0x32b sys_mount(ffff80002105e768,ffff8000210bf900,ffff8000210bf960) at sys_mount+0x38 f syscall(ffff8000210bf9d0) at syscall+0x315 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7f7fffffa240, count: -8 ddb> show bcstats Current Buffer Cache status: numbufs 25157 busymapped 0, delwri 11 kvaslots 6293 avail kva slots 6293 bufpages 100622, dmapages 100622, dirtypages 44 pendingreads 0, pendingwrites 0 highflips 0, highflops 0, dmaflips 0 ddb> show uvm Current UVM status: pagesize=4096 (0x1000), pagemask=0xfff, pageshift=12 503458 VM pages: 5737 active, 75916 inactive, 0 wired, 312169 free (38898 zer o) min 10% (25) anon, 10% (25) vnode, 5% (12) vtext freemin=16781, free-target=22374, inactive-target=0, wired-max=167819 faults=412537, traps=419904, intrs=123594, ctxswitch=32845 fpuswitch=0 softint=51465, syscalls=410736, kmapent=10 fault counts: noram=0, noanon=0, noamap=0, pgwait=0, pgrele=0 ok relocks(total)=111963(111963), anget(retries)=113236(0), amapcopy=118946 neighbor anon/obj pg=7849/137485, gets(lock/unlock)=154307/111963 cases: anon=91390, anoncow=21846, obj=147113, prcopy=7194, przero=144993 daemon and swap counts: woke=0, revs=0, scans=0, obscans=0, anscans=0 busy=0, freed=0, reactivate=0, deactivate=0 pageouts=0, pending=0, nswget=0 nswapdev=1 swpages=522114, swpginuse=0, swpgonly=0 paging=0 kernel pointers: objs(kern)=0xffffffff81f69bf0 ddb> show mount flags 22e8d0<NODEV,ASYNC,EXRDONLY,WXALLOWED,QUOTA,ROOTFS,NOATIME> vnodecovered 0x57e5894855241c33 syncer 0xec83485341575256 data 0xc95b415f415e41 5d kernel: protection fault trap, code=0 Faulted in DDB; continuing... ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND *33339 395363 59731 0 7 0x3 mount_ffs 59731 321361 56648 0 3 0x100083 wait mount 56648 470911 1 0 3 0x10008b pause ksh 78518 65396 1 0 3 0x100098 poll cron 42767 217973 1 110 3 0x100090 poll sndiod 18055 423483 1 99 3 0x100090 poll sndiod 59390 371780 90683 95 3 0x100092 kqread smtpd 32699 382669 90683 103 3 0x100092 kqread smtpd 82468 93655 90683 95 3 0x100092 kqread smtpd 96062 387808 90683 95 3 0x100092 kqread smtpd 82543 399355 90683 95 3 0x100092 kqread smtpd 41105 183299 90683 95 3 0x100092 kqread smtpd 90683 419896 1 0 3 0x100080 kqread smtpd 18673 332702 1 0 3 0x80 select sshd 62337 359888 1 0 3 0x100080 poll ntpd 49748 319923 30404 83 3 0x100092 poll ntpd 30404 513057 1 83 3 0x100092 poll ntpd 11218 291425 25866 74 3 0x100092 bpf pflogd 25866 304395 1 0 3 0x80 netio pflogd 66531 200265 24644 73 3 0x100090 kqread syslogd 24644 364794 1 0 3 0x100082 netio syslogd 1799 133494 1 77 3 0x100090 poll dhclient 21385 331227 1 0 3 0x80 poll dhclient 18744 237550 4783 115 3 0x100092 kqread slaacd 47616 440410 4783 115 3 0x100092 kqread slaacd 4783 20355 1 0 3 0x100080 kqread slaacd 34841 390296 0 0 3 0x14200 bored smr 65373 324426 0 0 2 0x14200 zerothread 6239 510596 0 0 3 0x14200 aiodoned aiodoned 12263 59707 0 0 3 0x14200 syncer update 36475 499439 0 0 3 0x14200 cleaner cleaner 13941 291457 0 0 3 0x14200 reaper reaper 31303 397576 0 0 3 0x14200 pgdaemon pagedaemon 50266 116365 0 0 3 0x14200 bored crynlk 70555 214068 0 0 3 0x14200 bored crypto 25802 189370 0 0 3 0x14200 bored softnet 2350 285587 0 0 3 0x14200 bored systqmp 84258 356464 0 0 3 0x14200 bored systq 4619 181332 0 0 3 0x40014200 bored softclock 71448 255821 0 0 3 0x40014200 idle0 1 458094 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> ddb> show registers rdi 0xffffffff81f16aa8 kprintf_mutex rsi 0x5 rbp 0xffff8000210bf3a0 rbx 0xffff8000210bf450 rdx 0x3fd rcx 0x7e000000000001f9 rax 0x1 r8 0xffff8000210bf360 r9 0xffff8000210bf2b5 r10 0xe8e13c7624e2cc0f r11 0xa8ca730784ef0dfc r12 0x3000000008 r13 0xffff8000210bf3b0 r14 0x100 r15 0xffffffff81c5ca1a cmd0646_9_tim_udma+0x16335 rip 0xffffffff81670270 db_enter+0x10 cs 0x8 rflags 0x286 rsp 0xffff8000210bf3a0 ss 0x10 db_enter+0x10: popq %rbp ddb> openbsd# dmesg OpenBSD 6.6-current (GENERIC) #12: Wed Feb 26 12:56:24 MST 2020 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC real mem = 2130698240 (2031MB) avail mem = 2053681152 (1958MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf3f40 (10 entries) bios0: vendor SeaBIOS version "1.11.0p2-OpenBSD-vmm" date 01/01/2011 bios0: OpenBSD VMM acpi at bios0 not configured cpu0 at mainbus0: (uniprocessor) cpu0: Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz, 2904.64 MHz, 06-8e-09 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,CX8,SEP,PGE,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,RDSEED,ADX,SMAP,CLFLUSHOPT,MD_CLEAR,MELTDOWN cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 cpu0: using VERW MDS workaround pvbus0 at mainbus0: OpenBSD pvclock0 at pvbus0 pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00 virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00 viornd0 at virtio0 virtio0: irq 3 virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Network" rev 0x00 vio0 at virtio1: address fe:e1:bb:d1:f7:05 virtio1: irq 5 virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Storage" rev 0x00 vioblk0 at virtio2 scsibus1 at vioblk0: 2 targets sd0 at scsibus1 targ 0 lun 0: <VirtIO, Block Device, > sd0: 51200MB, 512 bytes/sector, 104857600 sectors virtio2: irq 6 virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00 vmmci0 at virtio3 virtio3: irq 7 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo com0: console vscsi0 at root scsibus2 at vscsi0: 256 targets softraid0 at root scsibus3 at softraid0: 256 targets root on sd0a (c476a2cf4c17493c.a) swap on sd0b dump on sd0b WARNING: / was not properly unmounted Please confirm and let me know for any requirements. Regards, Neeraj
