Message-ID: <bug-215838-13602@https.bugzilla.kernel.org/>
Date: Thu, 14 Apr 2022 19:28:46 +0000
From: bugzilla-daemon@...nel.org
To: linux-ext4@...r.kernel.org
Subject: [Bug 215838] New: FUZZ: KASAN: use-after-free in fs/ext4/namei.c:ext4_insert_dentry() when mount and operate on a corrupted image
https://bugzilla.kernel.org/show_bug.cgi?id=215838
Bug ID: 215838
Summary: FUZZ: KASAN: use-after-free in fs/ext4/namei.c:ext4_insert_dentry() when mount and operate on a corrupted image
Product: File System
Version: 2.5
Kernel Version: 5.18-rc1, 5.4.171
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@...nel-bugs.osdl.org
Reporter: wenqingliu0120@...il.com
Regression: No
Created attachment 300760
--> https://bugzilla.kernel.org/attachment.cgi?id=300760&action=edit
poc and .config
- Overview
KASAN: use-after-free in fs/ext4/namei.c:ext4_insert_dentry() when mount and operate on a corrupted image
- Reproduce
tested on kernel 5.18-rc1, 5.4.X
# mkdir test_crash
# cd test_crash
# unzip tmp42.zip
# mkdir mnt
# ./single_test.sh ext4 42
Sometimes you need to unzip the file again and run it several times to reproduce.
- Kernel dump
[ 188.103345] loop6: detected capacity change from 0 to 32768
[ 188.156064] EXT4-fs (loop6): mounted filesystem with ordered data mode. Quota mode: none.
[ 188.158361] ext4 filesystem being mounted at /home/wq/test_crashes/mnt supports timestamps until 2038 (0x7fffffff)
[ 188.296756] ==================================================================
[ 188.298129] BUG: KASAN: use-after-free in ext4_insert_dentry+0x37c/0x650
[ 188.300278] Write of size 96 at addr ffff888147adeffc by task tmp42/1272
[ 188.303236] CPU: 2 PID: 1272 Comm: tmp42 Tainted: G D 5.18.0-rc1 #1
[ 188.304687] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 188.306164] Call Trace:
[ 188.307646] <TASK>
[ 188.309062] dump_stack_lvl+0x45/0x5a
[ 188.310454] print_report.cold+0xef/0x67b
[ 188.311799] ? ext4_insert_dentry+0x37c/0x650
[ 188.313123] kasan_report+0xa9/0x120
[ 188.314513] ? ext4_insert_dentry+0x37c/0x650
[ 188.315834] kasan_check_range+0x140/0x1b0
[ 188.317135] memcpy+0x39/0x60
[ 188.318420] ext4_insert_dentry+0x37c/0x650
[ 188.319709] add_dirent_to_buf+0x201/0x8a0
[ 188.321023] ? ext4_handle_dirty_dirblock+0x450/0x450
[ 188.322385] ? ext4_insert_dentry+0x650/0x650
[ 188.323661] ? __ext4_journal_get_write_access+0x17c/0x3b0
[ 188.324932] ext4_dx_add_entry+0x31b/0x2d30
[ 188.326221] ? __ext4_handle_dirty_metadata+0xdd/0x670
[ 188.327453] ? add_dirent_to_buf+0x8a0/0x8a0
[ 188.328674] ? ext4_mark_iloc_dirty+0x55b/0x19d0
[ 188.329921] ? ext4_reserve_inode_write+0x157/0x220
[ 188.331130] ext4_add_entry+0x5f2/0xa90
[ 188.332425] ? ext4_expand_extra_isize+0x540/0x540
[ 188.333742] ? make_indexed_dir+0x10f0/0x10f0
[ 188.335031] ? ext4_init_new_dir+0x2e8/0x410
[ 188.336230] ext4_mkdir+0x368/0x920
[ 188.337373] ? ext4_init_new_dir+0x410/0x410
[ 188.338545] ? from_kgid+0x84/0xc0
[ 188.339644] vfs_mkdir+0x498/0x800
[ 188.340728] do_mkdirat+0x1c1/0x230
[ 188.341799] ? do_file_open_root+0x3e0/0x3e0
[ 188.342825] ? getname_flags+0xfd/0x4e0
[ 188.343827] __x64_sys_mkdir+0x61/0x80
[ 188.344795] do_syscall_64+0x38/0x90
[ 188.345759] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 188.346699] RIP: 0033:0x7f24fdc5076d
[ 188.347629] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
[ 188.349559] RSP: 002b:00007ffe582e1108 EFLAGS: 00000217 ORIG_RAX: 0000000000000053
[ 188.350493] RAX: ffffffffffffffda RBX: 58666e5745624249 RCX: 00007f24fdc5076d
[ 188.351401] RDX: 00007f24fdc5076d RSI: ffffffffffffff80 RDI: 00007ffe582e1650
[ 188.352313] RBP: 00007ffe582e5860 R08: 00007ffe582e5958 R09: 00007ffe582e5958
[ 188.353208] R10: 00007ffe582e5958 R11: 0000000000000217 R12: 756d685933654469
[ 188.354109] R13: 00007ffe582e5950 R14: 4554477647466448 R15: 4e54356e77513250
[ 188.354958] </TASK>
[ 188.356588] The buggy address belongs to the physical page:
[ 188.357409] page:0000000079ad8a85 refcount:2 mapcount:0 mapping:00000000b7222df2 index:0x97 pfn:0x147ade
[ 188.358294] memcg:ffff8881250b8000
[ 188.359118] aops:def_blk_aops ino:700006
[ 188.359928] flags: 0x17ffffc0002032(referenced|lru|active|private|node=0|zone=2|lastcpupid=0x1fffff)
[ 188.360791] raw: 0017ffffc0002032 ffffea00051a5008 ffffea00051eb548 ffff888100480b80
[ 188.361686] raw: 0000000000000097 ffff88810b1c87e0 00000002ffffffff ffff8881250b8000
[ 188.362561] page dumped because: kasan: bad access detected
[ 188.364302] Memory state around the buggy address:
[ 188.365189]  ffff888147adef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 188.366115]  ffff888147adef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 188.367012] >ffff888147adf000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 188.367924]                    ^
[ 188.368835]  ffff888147adf080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 188.369794]  ffff888147adf100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 188.370723] ==================================================================
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.