| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Zu+8aQBJgMn7xVws@thinkpad.lan>
Date: Sun, 22 Sep 2024 14:42:49 +0800
From: Qianqiang Liu <qianqiang.liu@....com>
To: tytso@....edu
Cc: adilger.kernel@...ger.ca,
syzbot <syzbot+f792df426ff0f5ceb8d1@...kaller.appspotmail.com>,
linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, qianqiang.liu@....com
Subject: [PATCH] ext4: fix out-of-bounds issue in ext4_xattr_set_entry
syzbot has found an out-of-bounds issue in ext4_xattr_set_entry:
==================================================================
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x8ce/0x1f60 fs/ext4/xattr.c:1781
Read of size 18446744073709551572 at addr ffff888036426850 by task syz-executor264/5095
CPU: 0 UID: 0 PID: 5095 Comm: syz-executor264 Not tainted 6.11.0-syzkaller-03917-ga940d9a43e62 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memmove+0x29/0x70 mm/kasan/shadow.c:94
ext4_xattr_set_entry+0x8ce/0x1f60 fs/ext4/xattr.c:1781
[...]
==================================================================
This issue is caused by a negative size in memmove.
We need to check for this.
Fixes: dec214d00e0d ("ext4: xattr inode deduplication")
Reported-by: syzbot+f792df426ff0f5ceb8d1@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f792df426ff0f5ceb8d1
Tested-by: syzbot+f792df426ff0f5ceb8d1@...kaller.appspotmail.com
Signed-off-by: Qianqiang Liu <qianqiang.liu@....com>
---
fs/ext4/xattr.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 46ce2f21fef9..336badb46246 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1776,7 +1776,14 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
} else if (s->not_found) {
/* Insert new name. */
size_t size = EXT4_XATTR_LEN(name_len);
- size_t rest = (void *)last - (void *)here + sizeof(__u32);
+ size_t rest;
+
+ if (last < here) {
+ ret = -ENOSPC;
+ goto out;
+ } else {
+ rest = (void *)last - (void *)here + sizeof(__u32);
+ }
memmove((void *)here + size, here, rest);
memset(here, 0, size);
--
2.34.1
--
Best,
Qianqiang Liu
Powered by blists - more mailing lists