Message-ID: <bug-199403-13602@https.bugzilla.kernel.org/>
Date: Mon, 16 Apr 2018 01:42:05 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 199403] New: use-after-free in ext4_ext_remove_space() when mounting and operating a crafted ext4 image
https://bugzilla.kernel.org/show_bug.cgi?id=199403
Bug ID: 199403
Summary: use-after-free in ext4_ext_remove_space() when mounting and operating a crafted ext4 image
Product: File System
Version: 2.5
Kernel Version: 4.16
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@...nel-bugs.osdl.org
Reporter: wen.xu@...ech.edu
Regression: No
Created attachment 275387
--> https://bugzilla.kernel.org/attachment.cgi?id=275387&action=edit
The crafted image which causes kernel panic
- Overview
use-after-free in ext4_ext_remove_space() when mounting and operating a crafted ext4 image
- Reproduce
I feel it has a higher probability of triggering the bug using a VM with 1 or 2 cores.
# mkdir mnt
# mount -t ext4 65.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
I reproduced it on both the ext4 dev branch and the latest Linux kernel branch. With the latest Linux kernel branch, the use-after-free is detected in jbd2_journal_commit_transaction.
- Kernel Dump (ext4 dev branch, 4.16.0-rc1)
[ 262.536008]
==================================================================
[ 262.537223] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x563/0x1d40
[ 262.538275] Read of size 4 at addr ffff8800691c72ac by task poc/1791
[ 262.539507] CPU: 1 PID: 1791 Comm: poc Not tainted 4.16.0-rc1+ #3
[ 262.539511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 262.539514] Call Trace:
[ 262.539536] dump_stack+0x63/0x8d
[ 262.539546] print_address_description+0x70/0x290
[ 262.539869] kasan_report+0x290/0x390
[ 262.539887] ? ext4_ext_remove_space+0x563/0x1d40
[ 262.539900] __asan_load4+0x78/0x80
[ 262.539906] ext4_ext_remove_space+0x563/0x1d40
[ 262.539913] ? ext4_es_free_extent+0x109/0x210
[ 262.539919] ? __kasan_slab_free+0x153/0x1a0
[ 262.539926] ? kmem_cache_free+0x7c/0x1f0
[ 262.539933] ? ext4_es_free_extent+0x109/0x210
[ 262.539939] ? ext4_ext_index_trans_blocks+0x70/0x70
[ 262.539946] ? ext4_es_scan+0x1c0/0x1c0
[ 262.539954] ext4_ext_truncate+0xd2/0xe0
[ 262.539962] ext4_truncate+0x5e7/0x760
[ 262.539968] ? ext4_punch_hole+0x680/0x680
[ 262.539975] ? ext4_empty_dir+0x420/0x420
[ 262.539981] ext4_setattr+0x869/0xe00
[ 262.539991] notify_change+0x4d8/0x670
[ 262.539998] do_truncate+0xe8/0x160
[ 262.540002] ? do_truncate+0xe8/0x160
[ 262.540007] ? file_open_root+0x1c0/0x1c0
[ 262.540016] ? common_perm+0x1c0/0x1c0
[ 262.540026] path_openat+0x5fb/0x1e30
[ 262.540034] ? __save_stack_trace+0x92/0x100
[ 262.540042] ? vfs_link+0x4e0/0x4e0
[ 262.540048] ? kasan_kmalloc+0xad/0xe0
[ 262.540053] ? kmem_cache_alloc+0xbb/0x1d0
[ 262.540059] ? getname_flags+0x76/0x2c0
[ 262.540064] ? getname+0x12/0x20
[ 262.540069] ? do_sys_open+0x14b/0x2c0
[ 262.540073] ? SyS_open+0x1e/0x20
[ 262.540082] ? do_syscall_64+0xf2/0x1f0
[ 262.540091] ? entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 262.540097] ? mb_free_blocks+0xa40/0xa40
[ 262.540104] ? rcu_segcblist_enqueue+0x79/0x90
[ 262.540111] ? call_rcu_sched+0x17/0x20
[ 262.540118] do_filp_open+0x12b/0x1d0
[ 262.540124] ? may_open_dev+0x50/0x50
[ 262.540131] ? kasan_kmalloc+0xad/0xe0
[ 262.540138] do_sys_open+0x17c/0x2c0
[ 262.540143] ? do_sys_open+0x17c/0x2c0
[ 262.540148] ? filp_open+0x60/0x60
[ 262.540155] ? mem_cgroup_handle_over_high+0x21/0xd0
[ 262.540160] ? do_sys_open+0x2c0/0x2c0
[ 262.540165] SyS_open+0x1e/0x20
[ 262.540170] do_syscall_64+0xf2/0x1f0
[ 262.540177] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 262.540182] RIP: 0033:0x7f1c856dc040
[ 262.540185] RSP: 002b:00007ffe6287d778 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 262.540191] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1c856dc040
[ 262.540194] RDX: 00000000000001ff RSI: 0000000000000202 RDI: 0000000001d6e080
[ 262.540197] RBP: 00007ffe6287d8e0 R08: 0000000000000003 R09: 0000000000000000
[ 262.540200] R10: 0000000000000463 R11: 0000000000000246 R12: 0000000000400c20
[ 262.540203] R13: 00007ffe6287d9e0 R14: 0000000000000000 R15: 0000000000000000
[ 262.540517] Allocated by task 1:
[ 262.541033] save_stack+0x46/0xd0
[ 262.541039] kasan_kmalloc+0xad/0xe0
[ 262.541044] kasan_slab_alloc+0x12/0x20
[ 262.541049] kmem_cache_alloc+0xbb/0x1d0
[ 262.541054] getname_flags+0x76/0x2c0
[ 262.541060] user_path_at_empty+0x23/0x40
[ 262.541064] vfs_statx+0xce/0x160
[ 262.541068] SYSC_newstat+0x8c/0xe0
[ 262.541072] SyS_newstat+0xe/0x10
[ 262.541077] do_syscall_64+0xf2/0x1f0
[ 262.541082] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 262.541332] Freed by task 1:
[ 262.541793] save_stack+0x46/0xd0
[ 262.541799] __kasan_slab_free+0x13e/0x1a0
[ 262.541803] kasan_slab_free+0xe/0x10
[ 262.541808] kmem_cache_free+0x7c/0x1f0
[ 262.541813] putname+0x80/0x90
[ 262.541818] filename_lookup+0x191/0x280
[ 262.541824] user_path_at_empty+0x36/0x40
[ 262.541827] vfs_statx+0xce/0x160
[ 262.541831] SYSC_newstat+0x8c/0xe0
[ 262.541835] SyS_newstat+0xe/0x10
[ 262.541840] do_syscall_64+0xf2/0x1f0
[ 262.541845] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 262.542098] The buggy address belongs to the object at ffff8800691c6600
which belongs to the cache names_cache of size 4096
[ 262.544011] The buggy address is located 3244 bytes inside of
4096-byte region [ffff8800691c6600, ffff8800691c7600)
[ 262.545840] The buggy address belongs to the page:
[ 262.546585] page:ffffea0001a47000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 262.548082] flags: 0x1ffff0000008100(slab|head)
[ 262.548808] raw: 01ffff0000008100 0000000000000000 0000000000000000 0000000100070007
[ 262.550017] raw: dead000000000100 dead000000000200 ffff88006ce261c0 0000000000000000
[ 262.551212] page dumped because: kasan: bad access detected
[ 262.552329] Memory state around the buggy address:
[ 262.553098] ffff8800691c7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 262.554213] ffff8800691c7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 262.555328] >ffff8800691c7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 262.556450] ^
[ 262.557161] ffff8800691c7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 262.558283] ffff8800691c7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 262.559402]
==================================================================
[ 262.560528] Disabling lock debugging due to kernel taint
[ 262.562799] EXT4-fs error (device loop0): ext4_free_blocks:4750: comm poc: Freeing blocks not in datazone - block = 281473316796022, count = 2048
[ 262.599249] EXT4-fs error (device loop0): ext4_free_blocks:4750: comm poc: Freeing blocks not in datazone - block = 172790829285375, count = 19214
[ 262.627928] EXT4-fs error (device loop0): ext4_free_blocks:4750: comm poc: Freeing blocks not in datazone - block = 281472445215392, count = 2048
[ 262.660030] EXT4-fs error (device loop0): ext4_free_blocks:4750: comm poc: Freeing blocks not in datazone - block = 109684874774528, count = 14080
[ 262.688922] ------------[ cut here ]------------
[ 262.688932] kernel BUG at fs/buffer.c:3058!
[ 262.689627] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 262.690387] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea sysfillrect aesni_intel sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd 8139cp cryptd glue_helper mii floppy pata_acpi
[ 262.698496] CPU: 0 PID: 1791 Comm: poc Tainted: G B 4.16.0-rc1+ #3
[ 262.699642] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 262.701111] RIP: 0010:submit_bh_wbc+0x2c2/0x2f0
[ 262.701818] RSP: 0018:ffff88006969f6a8 EFLAGS: 00010246
[ 262.702632] RAX: 0000000000000004 RBX: ffff8800649e1e70 RCX: ffffffff9d40aa2d
[ 262.703728] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8800649e1e70
[ 262.704837] RBP: ffff88006969f6f0 R08: 0000000000000000 R09: ffff88006477baa8
[ 262.705940] R10: 00000000eaef9492 R11: ffffed000d2d3e0b R12: ffff88006969f7f8
[ 262.707043] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 262.708144] FS: 00007f1c85bca700(0000) GS:ffff88006d000000(0000) knlGS:0000000000000000
[ 262.709398] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 262.710290] CR2: 00007ff5c401d0d8 CR3: 000000006a948000 CR4: 00000000000006f0
[ 262.711395] Call Trace:
[ 262.711792] ll_rw_block+0x9b/0xe0
[ 262.712338] __block_write_begin_int+0x7f8/0x940
[ 262.713075] ? _ext4_get_block+0x290/0x290
[ 262.713726] ? __breadahead+0xd0/0xd0
[ 262.714318] ? jbd2__journal_start+0x19d/0x300
[ 262.715028] __block_write_begin+0x11/0x20
[ 262.715677] ext4_write_begin+0x334/0x780
[ 262.716313] ? ext4_truncate+0x760/0x760
[ 262.716945] ? update_stack_state+0x27c/0x3e0
[ 262.717637] generic_perform_write+0x192/0x310
[ 262.718339] ? generic_write_checks+0x1f0/0x1f0
[ 262.719053] ? file_update_time+0x1e9/0x240
[ 262.719715] ? current_time+0x80/0x80
[ 262.720300] ? is_bpf_text_address+0xe/0x20
[ 262.720974] __generic_file_write_iter+0x261/0x2e0
[ 262.721735] ext4_file_write_iter+0x1dd/0x7e0
[ 262.722426] ? ext4_file_mmap+0x150/0x150
[ 262.723067] ? save_stack+0x46/0xd0
[ 262.723628] ? __kasan_slab_free+0x13e/0x1a0
[ 262.724303] ? kasan_slab_free+0xe/0x10
[ 262.724927] ? kmem_cache_free+0x7c/0x1f0
[ 262.725571] ? aa_file_perm+0xdb/0x570
[ 262.726172] ? SyS_open+0x1e/0x20
[ 262.726710] ? do_syscall_64+0xf2/0x1f0
[ 262.727323] ? entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 262.728152] ? aa_path_link+0x210/0x210
[ 262.728775] ? iov_iter_init+0x82/0xc0
[ 262.729376] __vfs_write+0x294/0x3f0
[ 262.729950] ? kernel_read+0xa0/0xa0
[ 262.730523] ? may_open_dev+0x50/0x50
[ 262.731109] ? common_file_perm+0xca/0x220
[ 262.731763] ? rw_verify_area+0x78/0x140
[ 262.732401] vfs_write+0xf9/0x260
[ 262.732939] SyS_write+0xb4/0x140
[ 262.733474] ? SyS_read+0x140/0x140
[ 262.734035] ? SyS_read+0x140/0x140
[ 262.734596] do_syscall_64+0xf2/0x1f0
[ 262.735189] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 262.735987] RIP: 0033:0x7f1c856dc2c0
[ 262.736562] RSP: 002b:00007ffe6287d778 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 262.737740] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1c856dc2c0
[ 262.738849] RDX: 0000000000008000 RSI: 0000000000602140 RDI: 0000000000000003
[ 262.739962] RBP: 00007ffe6287d8e0 R08: 0000000000000003 R09: 0000000000000000
[ 262.741078] R10: 0000000000000463 R11: 0000000000000246 R12: 0000000000400c20
[ 262.742176] R13: 00007ffe6287d9e0 R14: 0000000000000000 R15: 0000000000000000
[ 262.743284] Code: 0f 45 e8 45 09 f5 e8 ee 38 f6 ff 45 89 6c 24 10 4c 89 e7 e8 b1 cd 3a 00 48 83 c4 20 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b <0f> 0b 48 8d 43 20 48 89 45 d0 48 8d 43 10 48 89 45 b8 e9 44 fe
[ 262.746250] RIP: submit_bh_wbc+0x2c2/0x2f0 RSP: ffff88006969f6a8
[ 262.747236] ---[ end trace c4bccbf286b60fa8 ]---
Reported by Wen Xu at SSLab, Gatech
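To turn a KASAN report like the one above into triage fields (what was accessed and by which task, which slab cache the stale object came from, and the reliable frames that allocated and freed it), here is an added Python parser that is not part of this bug report; it runs over an excerpt constructed from the dump above, and `parse_kasan_report`, `SAMPLE_REPORT` and the other names are this example's own.

```python
import re
# Constructed excerpt of the KASAN report in this bug (lines copied from the dump; register and hex lines left out).
SAMPLE_REPORT = """\
[  262.537223] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x563/0x1d40
[  262.538275] Read of size 4 at addr ffff8800691c72ac by task poc/1791
[  262.539514] Call Trace:
[  262.539906]  ext4_ext_remove_space+0x563/0x1d40
[  262.539913]  ? ext4_es_free_extent+0x109/0x210
[  262.539954]  ext4_ext_truncate+0xd2/0xe0
[  262.540517] Allocated by task 1:
[  262.541054]  getname_flags+0x76/0x2c0
[  262.541332] Freed by task 1:
[  262.541813]  putname+0x80/0x90
[  262.542098] The buggy address belongs to the object at ffff8800691c6600
 which belongs to the cache names_cache of size 4096
[  262.544011] The buggy address is located 3244 bytes inside of
 4096-byte region [ffff8800691c6600, ffff8800691c7600)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\] ?")  # strip the "[  262.537223] " timestamp prefix
PATTERNS = {
    "head": re.compile(r"BUG: KASAN: (?P<bug>\S+) in (?P<function>\w+)\+0x"),
    "access": re.compile(r"(?P<access>Read|Write) of size (?P<size>\d+) at addr "
                         r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)"),
    "object": re.compile(r"object at (?P<object>[0-9a-f]+)"),
    "cache": re.compile(r"cache (?P<cache>\S+) of size (?P<obj_size>\d+)"),
    "offset": re.compile(r"located (?P<offset>\d+) bytes inside"),
}
FRAME = re.compile(r"^ +(\w+)\+0x")  # "? frame" lines (unreliable frames) deliberately do not match
SECTIONS = {"Call Trace:": "call_trace", "Allocated by": "alloc_stack", "Freed by": "free_stack"}
HEX, INT = {"addr", "object"}, {"size", "pid", "obj_size", "offset"}

def parse_kasan_report(text):
    """Turn a KASAN report into a triage dict; stacks keep only reliable frames."""
    r = {"call_trace": [], "alloc_stack": [], "free_stack": []}
    stack = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        for p in PATTERNS.values():
            if m := p.search(line):
                for k, v in m.groupdict().items():
                    r[k] = int(v, 16) if k in HEX else int(v) if k in INT else v
        for prefix, key in SECTIONS.items():
            if line.startswith(prefix):
                stack = r[key]  # subsequent frames belong to this section
        if (m := FRAME.match(line)) and stack is not None:
            stack.append(m.group(1))
    r["offset_consistent"] = r["addr"] - r["object"] == r["offset"]  # sanity check: addr - object start
    return r
```

For the report on this page the parser yields a 4-byte read at offset 3244 into a 4096-byte names_cache object that getname_flags() allocated and putname() freed, which is the pairing that points at a stale pointer into a path-name buffer rather than at the extent tree itself.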