lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <Zu+8aQBJgMn7xVws@thinkpad.lan> Date: Sun, 22 Sep 2024 14:42:49 +0800 From: Qianqiang Liu <qianqiang.liu@....com> To: tytso@....edu Cc: adilger.kernel@...ger.ca, syzbot <syzbot+f792df426ff0f5ceb8d1@...kaller.appspotmail.com>, linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, qianqiang.liu@....com Subject: [PATCH] ext4: fix out-of-bounds issue in ext4_xattr_set_entry syzbot has found an out-of-bounds issue in ext4_xattr_set_entry: ================================================================== BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x8ce/0x1f60 fs/ext4/xattr.c:1781 Read of size 18446744073709551572 at addr ffff888036426850 by task syz-executor264/5095 CPU: 0 UID: 0 PID: 5095 Comm: syz-executor264 Not tainted 6.11.0-syzkaller-03917-ga940d9a43e62 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memmove+0x29/0x70 mm/kasan/shadow.c:94 ext4_xattr_set_entry+0x8ce/0x1f60 fs/ext4/xattr.c:1781 [...] ================================================================== This issue is caused by a negative size in memmove. We need to check for this. Fixes: dec214d00e0d ("ext4: xattr inode deduplication") Reported-by: syzbot+f792df426ff0f5ceb8d1@...kaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f792df426ff0f5ceb8d1 Tested-by: syzbot+f792df426ff0f5ceb8d1@...kaller.appspotmail.com Signed-off-by: Qianqiang Liu <qianqiang.liu@....com> --- fs/ext4/xattr.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 46ce2f21fef9..336badb46246 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1776,7 +1776,14 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, } else if (s->not_found) { /* Insert new name. */ size_t size = EXT4_XATTR_LEN(name_len); - size_t rest = (void *)last - (void *)here + sizeof(__u32); + size_t rest; + + if (last < here) { + ret = -ENOSPC; + goto out; + } else { + rest = (void *)last - (void *)here + sizeof(__u32); + } memmove((void *)here + size, here, rest); memset(here, 0, size); -- 2.34.1 -- Best, Qianqiang Liu
Powered by blists - more mailing lists