Open Source and information security mailing list archives
Message-ID: <59AE9CA8-074C-4971-A857-175CA0E86420@purdue.edu>
Date:   Fri, 4 Sep 2020 15:57:18 +0000
From:   "Gong, Sishuai" <sishuai@...due.edu>
To:     "tytso@....edu" <tytso@....edu>,
        "adilger.kernel@...ger.ca" <adilger.kernel@...ger.ca>
CC:     "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>,
        "Sousa da Fonseca, Pedro Jose" <pfonseca@...due.edu>
Subject: PROBLEM: potential concurrency bug in swap_inode_boot_loader()

Hi,

We found a potential concurrency bug in Linux kernel 5.3.11. We were able to reproduce this bug on x86 under specific thread interleavings. This bug causes a “checksum invalid” EXT4-fs error.

------------------------------------------
Kernel console output

EXT4-fs error (device sda1): swap_inode_boot_loader:124: inode #5: comm ski-executor:iget: checksum invalid

------------------------------------------
Test input

This bug occurs when a kernel test program is executed twice in different threads and run concurrently. Our analysis located that it happens when the ioctl syscall with the EXT4_IOC_SWAP_BOOT flag is called twice and interleaves with itself.
The test program is generated by Syzkaller as follows:
r0 = creat(&(0x7f0000000080)='./file0\x00', 0x0)
ioctl$FS_IOC_SETFLAGS(r0, 0x40046602, &(0x7f0000000040)) 
r1 = creat(&(0x7f0000000000)='./file0\x00', 0x0)
pwrite64(r1, &(0x7f00000000c0)='\x00', 0x1, 0x1010000)
r2 = creat(&(0x7f0000000000)='./file0\x00', 0x0)
ioctl$EXT4_IOC_SWAP_BOOT(r2, 0x6611)

------------------------------------------
Interleaving

Our analysis revealed that the following interleaving triggers the bug.
CPU0                                        CPU1
                                            swap_inode_boot_loader()
                                            …
                                              bytes = inode_bl->i_bytes;
                                              inode_bl->i_blocks = inode->i_blocks;
                                              inode_bl->i_bytes = inode->i_bytes;
                                       --->   err = ext4_mark_inode_dirty(handle, inode_bl);
                                                ext4_mark_iloc_dirty() (fs/ext4/ioctl.c: 223)
                                                  ext4_do_update_inode()
                                                    ext4_inode_csum_set()
                                                      ext4_has_metadata_sum()
                                                        ext4_inode_csum()
                                                          ext4_chksum()
                                                            crypto_shash_update()
                                                              chksum_update()
                                            [context switch]
swap_inode_boot_loader()
  ext4_iget()
    ext4_inode_csum_verify(fs/ext4/inode.c:4927)
[EXT4-fs error]




Thanks,
Sishuai
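
To make the window in the trace above concrete, here is an added user-space model (not ext4 code and not part of the report): the raw inode's fields are copied before its new checksum is stored, so a reader that verifies in between sees the mismatch the report describes, while replaying the same steps with the update serialized against the reader makes it disappear. Names such as model_inode, updater_step() and replay() are invented for this example, and the three-step split of the update is an assumption drawn from the call chain in the trace.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the on-disk inode image whose checksum ext4_iget() verifies. */
struct model_inode { uint64_t i_blocks; uint16_t i_bytes; uint32_t csum; };

/* Stand-in for ext4_inode_csum(): FNV-1a over the checked fields, not the csum. */
static uint32_t model_csum(const struct model_inode *in)
{
    uint8_t buf[sizeof in->i_blocks + sizeof in->i_bytes];
    memcpy(buf, &in->i_blocks, sizeof in->i_blocks);
    memcpy(buf + sizeof in->i_blocks, &in->i_bytes, sizeof in->i_bytes);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* ext4_do_update_inode() modelled as three steps (assumed split): (0) copy the
 * new field values into the raw inode, (1) compute the checksum over it (where
 * CPU1 was preempted in the trace), (2) store it. Between steps 0 and 2 the
 * raw inode holds new fields under the old checksum. */
struct updater { const struct model_inode *src; struct model_inode *raw; uint32_t pending; int step; };

static void updater_step(struct updater *u)
{
    if (u->step == 0) { u->raw->i_blocks = u->src->i_blocks; u->raw->i_bytes = u->src->i_bytes; }
    else if (u->step == 1) u->pending = model_csum(u->raw);
    else if (u->step == 2) u->raw->csum = u->pending;
    else return;                        /* update already complete */
    u->step++;
}

/* Replay a schedule: 'U' = updating task runs one step, 'V' = reading task runs
 * ext4_iget() and its ext4_inode_csum_verify(). Returns the last verify result.
 * serialized=true models a lock held across the whole update: a reader arriving
 * mid-update waits for it to finish instead of observing the torn state. */
bool replay(const char *schedule, bool serialized)
{
    struct model_inode raw = { .i_blocks = 8, .i_bytes = 512 };   /* constructed values */
    raw.csum = model_csum(&raw);                                   /* consistent on disk */
    struct model_inode inode = { .i_blocks = 24, .i_bytes = 0 };   /* values swapped in */
    struct updater u = { .src = &inode, .raw = &raw, .step = 0 };
    bool valid = true;
    for (; *schedule; schedule++) {
        if (*schedule == 'U') { updater_step(&u); continue; }
        if (serialized) while (u.step > 0 && u.step < 3) updater_step(&u);
        valid = model_csum(&raw) == raw.csum;          /* the "checksum invalid" check */
    }
    return valid;
}
```

The schedule "UUV" is the trace's interleaving (fields copied, checksum computed but not yet stored, then the reader verifies); "UUUV" is the uncontended case.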
