lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 21 Sep 2022 21:42:18 +0800
From:   Baokun Li <libaokun1@...wei.com>
To:     <linux-ext4@...r.kernel.org>
CC:     <tytso@....edu>, <adilger.kernel@...ger.ca>, <jack@...e.cz>,
        <ritesh.list@...il.com>, <lczerner@...hat.com>,
        <enwlinux@...il.com>, <linux-kernel@...r.kernel.org>,
        <yi.zhang@...wei.com>, <yebin10@...wei.com>,
        <chengzhihao1@...wei.com>, <yukuai3@...wei.com>,
        <libaokun1@...wei.com>
Subject: [PATCH] ext4: fix use-after-free in ext4_ext_shift_extents

If the starting position of our insert range happens to be in the hole
between the two ext4_extent_idx, because the lblk of the ext4_extent in
the previous ext4_extent_idx is always less than the start, which leads
to the "extent" variable access across the boundary, the following UAF is
triggered:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
Read of size 4 at addr ffff88819807a008 by task fallocate/8010
CPU: 3 PID: 8010 Comm: fallocate Tainted: G            E     5.10.0+ #492
Call Trace:
 dump_stack+0x7d/0xa3
 print_address_description.constprop.0+0x1e/0x220
 kasan_report.cold+0x67/0x7f
 ext4_ext_shift_extents+0x257/0x790
 ext4_insert_range+0x5b6/0x700
 ext4_fallocate+0x39e/0x3d0
 vfs_fallocate+0x26f/0x470
 ksys_fallocate+0x3a/0x70
 __x64_sys_fallocate+0x4f/0x60
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================

To solve this issue, when the ee_block of the last extent is less than
the start, exit the loop in advance to avoid UAF.

Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
Signed-off-by: Baokun Li <libaokun1@...wei.com>
Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com>
---
We can try to reproduce this problem by following the steps below:
1. Create an ext4 containing two ext4_extent_idx
 mkfs.ext4 -F -O ^resize_inode,meta_bg,^sparse_super,^has_journal,^metadata_csum,quota,ea_inode -b 1024 -I 128 /dev/sda 4G
 mount /dev/sda /tmp/test
 touch file
 dd if=/dev/urandom of=/tmp/test/file bs=1k count=800000
 sync
 echo 3 > /proc/sys/vm/drop_caches

2. Create a hole between two ext4_extent_idx, 528482304 is the starting position of idx2
 fallocate -i -o 528482304 -l 10M /tmp/test/file

3. Keep moving right to make variable extent out of bounds
 for i in `seq 0 500000`; do fallocate -i -o $[ 533725184 + 5242880 * i ] -l 10M /tmp/test/file ;done

4. Execute "drop_caches" in another window try to trigger UAF
 echo 3 > /proc/sys/vm/drop_caches

 fs/ext4/extents.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index c148bb97b527..25fc1f4b35a5 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -5216,11 +5216,18 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
 		}
 
 		tmp = *iterator;
+		extent = EXT_LAST_EXTENT(path[depth].p_hdr);
 		if (SHIFT == SHIFT_LEFT) {
-			extent = EXT_LAST_EXTENT(path[depth].p_hdr);
 			*iterator = le32_to_cpu(extent->ee_block) +
 					ext4_ext_get_actual_len(extent);
 		} else {
+			/*
+			 * start happens to be in the hole between
+			 * the two ext4_extent_idx.
+			 */
+			if (le32_to_cpu(extent->ee_block) < start)
+				break;
+
 			extent = EXT_FIRST_EXTENT(path[depth].p_hdr);
 			if (le32_to_cpu(extent->ee_block) > 0)
 				*iterator = le32_to_cpu(extent->ee_block) - 1;
-- 
2.31.1

Powered by blists - more mailing lists