lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 03 Jul 2018 23:41:05 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...nel.org
Subject: [Bug 200401] New: Another buffer overrun in ext4_xattr_set_entry()
 when operating a corrupted ext4 image

https://bugzilla.kernel.org/show_bug.cgi?id=200401

            Bug ID: 200401
           Summary: Another buffer overrun in ext4_xattr_set_entry() when
                    operating a corrupted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: wen.xu@...ech.edu
        Regression: No

Created attachment 277155
  --> https://bugzilla.kernel.org/attachment.cgi?id=277155&action=edit
The (compressed) crafted image which causes crash

- Reproduce (tested w/ dev branch)
# mkdir mnt
# mount -t ext4 final.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Kernel message
[  211.941955]
==================================================================
[  211.943725] BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x14e2/0x1990
[  211.945175] Read of size 18446744073709551604 at addr ffff8801cf4bc3f8 by
task poc/1379
[  211.946854]
[  211.947737]
[  211.948087] The buggy address belongs to the page:
[  211.949138] page:ffffea00073d2f00 count:2 mapcount:0
mapping:ffff8801e6f28610 index:0x11
[  211.950849] flags: 0x2ffff0000001074(referenced|dirty|lru|active|private)
[  211.952308] raw: 02ffff0000001074 ffff8801e6f28610 0000000000000011
00000002ffffffff
[  211.953921] raw: ffffea00073d2ee0 ffffea00073d2f60 ffff8801dc030c78
ffff8801e5212200
[  211.955548] page dumped because: kasan: bad access detected
[  211.956736] page->mem_cgroup:ffff8801e5212200
[  211.957673]
[  211.958021] Memory state around the buggy address:
[  211.959046]  ffff8801cf4bc280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[  211.960581]  ffff8801cf4bc300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[  211.962096] >ffff8801cf4bc380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[  211.963637]                                                                
^
[  211.965106]  ffff8801cf4bc400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[  211.966630]  ffff8801cf4bc480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[  211.968154]
==================================================================
[  212.070820] systemd[1]: segfault at 5593546f5010 ip 00005593546f5010 sp
00007ffd3ee613c0 error 15
[  212.073130] systemd[1]: segfault at 8f8 ip 00007f997d5f266a sp
00007ffd3ee60cb0 error 4 in libc-2.23.so[7f997d575000+1c0000]
[  212.165887] BUG: unable to handle kernel paging request at ffff8801da800000
[  212.167411] PGD ef40067 P4D ef40067 PUD ef47067 PMD 1da8e5063 PTE
80000001da800061
[  212.169039] Oops: 0003 [#1] SMP KASAN PTI
[  212.169923] Modules linked in: snd_hda_codec_generic snd_hda_intel
snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4
mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi
scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10
raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq
raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea
crct10dif_pclmul sysfillrect sysimgblt fb_sys_fops crc32_pclmul ttm drm
aesni_intel aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi
floppy
[  212.181267] CPU: 1 PID: 1379 Comm: poc Tainted: G    B            
4.17.0-rc4+ #9
[  212.182814] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  212.184864] RIP: 0010:__memmove+0x5b/0x1a0
[  212.185575] request_module: kmod_concurrent_max (0) close to 0
(max_modprobes: 50), for module binfmt-003e, throttling...
[  212.185756] RSP: 0018:ffff8801f283f0e8 EFLAGS: 00010286
[  212.189141] RAX: ffff8801cf4bc3e8 RBX: fffffffffffffff4 RCX:
ffffffffa0556472
[  212.190632] RDX: fffffffff4cbc3b4 RSI: ffff8801da800018 RDI:
ffff8801da7fffe8
[  212.192169] RBP: ffff8801f283f108 R08: 0000000000000000 R09:
0000000000000000
[  212.193679] R10: 0000000000000000 R11: 0000441f0f66ffff R12:
ffff8801cf4bc3e8
[  212.195185] R13: ffff8801cf4bc3f8 R14: ffff8801e0646d80 R15:
ffff8801f283f520
[  212.196683] FS:  00007f82fc326700(0000) GS:ffff8801f7100000(0000)
knlGS:0000000000000000
[  212.198365] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  212.199580] CR2: ffff8801da800000 CR3: 00000001f37ac000 CR4:
00000000000006e0
[  212.201120] Call Trace:
[  212.201656]  ? memmove+0x45/0x50
[  212.202351]  ext4_xattr_set_entry+0x14e2/0x1990
[  212.203351]  ? save_stack+0x46/0xd0
[  212.204102]  ? kasan_kmalloc+0xad/0xe0
[  212.204896]  ? __kmalloc+0x11f/0x240
[  212.205672]  ? ext4_expand_extra_isize_ea+0x532/0xd20
[  212.206770]  ? __ext4_expand_extra_isize+0xd4/0x100
[  212.207863]  ? ext4_mark_inode_dirty+0x3a8/0x3d0
[  212.208869]  ? syscall_return_slowpath+0x80/0xd0
[  212.209851]  ? ext4_xattr_inode_get+0x430/0x430
[  212.210809]  ? __find_get_block+0x106/0x400
[  212.211724]  ? is_bpf_text_address+0xe/0x20
[  212.212644]  ? kernel_text_address+0xd6/0xf0
[  212.213550]  ? _cond_resched+0x1a/0x50
[  212.214347]  ? __getblk_gfp+0x31/0x3f0
[  212.215169]  ? kasan_check_write+0x14/0x20
[  212.216051]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  212.217019]  ? strlen+0xf/0x40
[  212.217690]  ? xattr_find_entry+0x5b/0x140
[  212.218600]  ext4_xattr_ibody_set+0x58/0x120
[  212.219529]  ext4_expand_extra_isize_ea+0x897/0xd20
[  212.220578]  ? ext4_xattr_set+0x200/0x200
[  212.221483]  ? __getblk_gfp+0x31/0x3f0
[  212.222317]  ? mark_page_accessed+0x133/0x200
[  212.223428]  ? kasan_check_write+0x14/0x20
[  212.224306]  __ext4_expand_extra_isize+0xd4/0x100
[  212.225292]  ext4_mark_inode_dirty+0x3a8/0x3d0
[  212.226260]  ? ext4_expand_extra_isize+0x2e0/0x2e0
[  212.227298]  ? kasan_check_write+0x14/0x20
[  212.228180]  ? ext4_add_dirent_to_inline.isra.12+0x206/0x230
[  212.229389]  ? ext4_update_inline_data+0x340/0x340
[  212.230410]  ext4_try_add_inline_entry+0x16f/0x330
[  212.231686]  ? ext4_da_write_inline_data_end+0x110/0x110
[  212.232750]  ext4_add_entry+0x1d9/0x570
[  212.233536]  ? make_indexed_dir+0x940/0x940
[  212.234391]  ? jbd2__journal_start+0x19d/0x300
[  212.235401]  ? __ext4_journal_start_sb+0x89/0x180
[  212.236364]  ext4_rename+0xb01/0xd00
[  212.237109]  ? __x64_sys_rename+0x3b/0x50
[  212.237933]  ? ext4_tmpfile+0x2d0/0x2d0
[  212.238990]  ? ext4_find_entry+0x17d/0x770
[  212.239852]  ? legitimize_path.isra.28+0x61/0xa0
[  212.240835]  ? ext4_dx_find_entry+0x2c0/0x2c0
[  212.241755]  ? kasan_check_write+0x14/0x20
[  212.242613]  ? lockref_get+0xc2/0x140
[  212.243386]  ext4_rename2+0xa6/0x100
[  212.244122]  vfs_rename+0xaa5/0xde0
[  212.244838]  ? memcg_kmem_put_cache+0x55/0xa0
[  212.245719]  ? path_mountpoint+0x5b0/0x5b0
[  212.246551]  ? kasan_check_write+0x14/0x20
[  212.247403]  ? security_path_rename+0xcb/0x130
[  212.248302]  do_renameat2+0x7d2/0x860
[  212.249049]  ? user_path_create+0x40/0x40
[  212.249866]  ? lockref_put_return+0xd0/0x140
[  212.250731]  ? memset+0x31/0x40
[  212.251398]  ? handle_mm_fault+0x24b/0x380
[  212.252233]  ? __fput+0x28d/0x380
[  212.252916]  ? mm_fault_error+0x1f0/0x1f0
[  212.253738]  ? task_work_run+0x4d/0xf0
[  212.254506]  __x64_sys_rename+0x3b/0x50
[  212.255312]  do_syscall_64+0x78/0x170
[  212.256070]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  212.257095] RIP: 0033:0x7f82fbdac367
[  212.257825] RSP: 002b:00007ffcc27d23c8 EFLAGS: 00000202 ORIG_RAX:
0000000000000052
[  212.259350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007f82fbdac367
[  212.260763] RDX: 0000000001a700a0 RSI: 0000000001a700a0 RDI:
0000000001a70080
[  212.262177] RBP: 00007ffcc27d2530 R08: 0000000000000003 R09:
0000000000000000
[  212.265946] R10: 0000000000000640 R11: 0000000000000202 R12:
0000000000400c20
[  212.267382] R13: 00007ffcc27d2630 R14: 0000000000000000 R15:
0000000000000000
[  212.268798] Code: 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 4c 8b 1e 4c 8b 56
08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f 4c 89 57 08 4c 89 4f 10 <4c> 89
47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90
[  212.272600] RIP: __memmove+0x5b/0x1a0 RSP: ffff8801f283f0e8
[  212.273748] CR2: ffff8801da800000
[  212.274454] ---[ end trace c7e666925cc65cc5 ]---

- Note
This is a different issue from Bugzilla 199347
https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/ext4/xattr.c#L1726
        } else if (s->not_found) {
                /* Insert new name. */
                size_t size = EXT4_XATTR_LEN(name_len);
                size_t rest = (void *)last - (void *)here + sizeof(__u32);

                memmove((void *)here + size, here, rest);
                memset(here, 0, size);
Kernel crashes at memmove with negative length

Reported by Wen Xu (wen.xu@...ech.edu) from SSLab at Gatech.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists