lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <bug-202897-13602@https.bugzilla.kernel.org/>
Date:   Wed, 13 Mar 2019 06:51:02 +0000
From:   bugzilla-daemon@...zilla.kernel.org
To:     linux-ext4@...r.kernel.org
Subject: [Bug 202897] New: BUG: unable to handle kernel paging request at
 __memmove

https://bugzilla.kernel.org/show_bug.cgi?id=202897

            Bug ID: 202897
           Summary: BUG: unable to handle kernel paging request at
                    __memmove
           Product: File System
           Version: 2.5
    Kernel Version: 5.0-rc8
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: jungyeon@...ech.edu
        Regression: No

Created attachment 281787
  --> https://bugzilla.kernel.org/attachment.cgi?id=281787&action=edit
The (compressed) crafted image which causes crash

- Overview
After mounting crafted image, I got this page fault while running attached
program.

- Produces
mkdir test
mount -t ext4 tmp.img test
gcc min_01.c
cp a.out test
cd test
./a.out

- Kernel messages
[   74.327744] BUG: unable to handle kernel paging request at ffff95f12b296000
[   74.329597] #PF error: [PROT] [WRITE]
[   74.330547] PGD 23601067 P4D 23601067 PUD 2366b2063 PMD 23541d063 PTE
800000022b296061
[   74.332538] Oops: 0003 [#1] SMP PTI
[   74.333429] CPU: 0 PID: 1158 Comm: a.out Not tainted 5.0.0-rc8+ #9
[   74.335059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
[   74.337313] RIP: 0010:__memmove+0x81/0x1a0
[   74.338359] Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9
a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5
4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
[   74.343035] RSP: 0018:ffffb09a011ef938 EFLAGS: 00010207
[   74.344361] RAX: ffff95f12666a000 RBX: ffffb09a011efb40 RCX:
1fffffffff67a7fc
[   74.346163] RDX: ffffffffffffffe4 RSI: ffff95f12b296000 RDI:
ffff95f12b296000
[   74.347980] RBP: ffffb09a011efa38 R08: 0000000000000001 R09:
ffff95f1324acf00
[   74.349763] R10: ffff95f126669fdc R11: 0000000000000000 R12:
ffffb09a011efab8
[   74.351560] R13: ffff95f12666a000 R14: 00000000000003e4 R15:
0000000000000000
[   74.353343] FS:  00007fa3b7981700(0000) GS:ffff95f137a00000(0000)
knlGS:0000000000000000
[   74.355374] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   74.356815] CR2: ffff95f12b296000 CR3: 000000022b2bc006 CR4:
00000000000206f0
[   74.358622] Call Trace:
[   74.359263]  ? ext4_xattr_set_entry+0xa55/0x1090
[   74.360447]  ? jbd2_journal_cancel_revoke+0xbf/0xf0
[   74.361696]  ? kmem_cache_alloc+0xb0/0x170
[   74.362761]  ? jbd2_journal_get_write_access+0x5b/0x70
[   74.364062]  ext4_xattr_block_set+0x37a/0xf80
[   74.365173]  ? __getblk_gfp+0x2f/0x300
[   74.366129]  ? xattr_find_entry+0x8c/0x110
[   74.367183]  ext4_xattr_set_handle+0x544/0x5f0
[   74.368315]  __ext4_set_acl+0x1aa/0x290
[   74.369293]  ext4_set_acl+0xbf/0x1f0
[   74.370210]  ? posix_acl_from_xattr+0x180/0x180
[   74.371373]  set_posix_acl+0x79/0xb0
[   74.372282]  posix_acl_xattr_set+0x84/0x90
[   74.373321]  __vfs_removexattr+0x52/0x70
[   74.374310]  vfs_removexattr+0x84/0x100
[   74.375293]  removexattr+0x55/0x80
[   74.376157]  ? __check_object_size+0x17c/0x1b0
[   74.377272]  ? strncpy_from_user+0x50/0x1b0
[   74.378323]  ? _cond_resched+0x1a/0x50
[   74.379292]  ? __sb_start_write+0x3f/0x70
[   74.380310]  ? mnt_want_write+0x2c/0x50
[   74.381284]  path_removexattr+0x9a/0xb0
[   74.382252]  __x64_sys_removexattr+0x1b/0x20
[   74.383357]  do_syscall_64+0x5a/0x110
[   74.384293]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   74.385568] RIP: 0033:0x7fa3b749c4d9
[   74.386491] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[   74.391133] RSP: 002b:00007ffffd7aeb08 EFLAGS: 00000202 ORIG_RAX:
00000000000000c5
[   74.393021] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007fa3b749c4d9
[   74.394822] RDX: 0000000000000000 RSI: 00007ffffd7aeb30 RDI:
00007ffffd7aeb20
[   74.396608] RBP: 00007ffffd7aeb50 R08: 00007fa3b7775ab0 R09:
00007ffffd7aec38
[   74.398392] R10: 00000000004006a0 R11: 0000000000000202 R12:
00000000004004a0
[   74.400175] R13: 00007ffffd7aec30 R14: 0000000000000000 R15:
0000000000000000
[   74.401951] Modules linked in:
[   74.402744] CR2: ffff95f12b296000
[   74.403596] ---[ end trace e7fe34a5ca4f4421 ]---
[   74.404771] RIP: 0010:__memmove+0x81/0x1a0
[   74.405815] Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9
a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5
4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
[   74.410512] RSP: 0018:ffffb09a011ef938 EFLAGS: 00010207
[   74.411833] RAX: ffff95f12666a000 RBX: ffffb09a011efb40 RCX:
1fffffffff67a7fc
[   74.413618] RDX: ffffffffffffffe4 RSI: ffff95f12b296000 RDI:
ffff95f12b296000
[   74.415419] RBP: ffffb09a011efa38 R08: 0000000000000001 R09:
ffff95f1324acf00
[   74.417211] R10: ffff95f126669fdc R11: 0000000000000000 R12:
ffffb09a011efab8
[   74.419022] R13: ffff95f12666a000 R14: 00000000000003e4 R15:
0000000000000000
[   74.420821] FS:  00007fa3b7981700(0000) GS:ffff95f137a00000(0000)
knlGS:0000000000000000
[   74.422857] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   74.424306] CR2: ffff95f12b296000 CR3: 000000022b2bc006 CR4:
00000000000206f0

- Primitive reason

When calling memmove at 1704, it give extreme value as count (3rd parameter).
This is because val is smaller than first_val in this case, so that the count
becomes negative number. (-28 became -xfff....ffe4 because of two's compliment)
As a result, memmove show errors while copying with huge count number.

1696     /* No failures allowed past this point. */
1697 
1698     if (!s->not_found && here->e_value_size && here->e_value_offs) {
1699         /* Remove the old value. */
1700         void *first_val = s->base + min_offs;
1701         size_t offs = le16_to_cpu(here->e_value_offs);
1702         void *val = s->base + offs;
1703 
1704         memmove(first_val + old_size, first_val, val - first_val);
1705         memset(first_val, 0, old_size);
1706         min_offs += old_size;
1707 
1708         /* Adjust all value offsets. */
1709         last = s->first;
1710         while (!IS_LAST_ENTRY(last)) {
1711             size_t o = le16_to_cpu(last->e_value_offs);
1712 
1713             if (!last->e_value_inum &&
1714                 last->e_value_size && o < offs)
1715                 last->e_value_offs = cpu_to_le16(o + old_size);
1716             last = EXT4_XATTR_NEXT(last);
1717         }
1718     }

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ