lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <166450797717.256913.12979997291945870141.b4-ty@mit.edu>
Date:   Thu, 29 Sep 2022 23:19:37 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     linux-ext4@...r.kernel.org, libaokun1@...wei.com
Cc:     "Theodore Ts'o" <tytso@....edu>, lczerner@...hat.com,
        chengzhihao1@...wei.com, enwlinux@...il.com,
        linux-kernel@...r.kernel.org, ritesh.list@...il.com,
        stable@...r.kernel.org, adilger.kernel@...ger.ca,
        yebin10@...wei.com, jack@...e.cz, yi.zhang@...wei.com,
        yukuai3@...wei.com
Subject: Re: [PATCH v2] ext4: fix use-after-free in ext4_ext_shift_extents

On Thu, 22 Sep 2022 20:04:34 +0800, Baokun Li wrote:
> If the starting position of our insert range happens to be in the hole
> between the two ext4_extent_idx, because the lblk of the ext4_extent in
> the previous ext4_extent_idx is always less than the start, which leads
> to the "extent" variable access across the boundary, the following UAF is
> triggered:
> ==================================================================
> BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
> Read of size 4 at addr ffff88819807a008 by task fallocate/8010
> CPU: 3 PID: 8010 Comm: fallocate Tainted: G            E     5.10.0+ #492
> Call Trace:
>  dump_stack+0x7d/0xa3
>  print_address_description.constprop.0+0x1e/0x220
>  kasan_report.cold+0x67/0x7f
>  ext4_ext_shift_extents+0x257/0x790
>  ext4_insert_range+0x5b6/0x700
>  ext4_fallocate+0x39e/0x3d0
>  vfs_fallocate+0x26f/0x470
>  ksys_fallocate+0x3a/0x70
>  __x64_sys_fallocate+0x4f/0x60
>  do_syscall_64+0x33/0x40
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> ==================================================================
> 
> [...]

Applied, thanks!

[1/1] ext4: fix use-after-free in ext4_ext_shift_extents
      (no commit info)

Best regards,
-- 
Theodore Ts'o <tytso@....edu>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ