lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ce9130ff-b95f-e1c4-2e9f-94f0ad18b95e@huawei.com>
Date:   Mon, 22 Jun 2020 15:25:03 +0800
From:   Hou Tao <houtao1@...wei.com>
To:     Zhe Li <lizhe67@...wei.com>, <dwmw2@...radead.org>,
        <richard@....at>, <linux-mtd@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>
CC:     <zhongjubin@...wei.com>, <qiuxi1@...wei.com>,
        <wangfangpeng1@...wei.com>, <chenjie6@...wei.com>
Subject: Re: [PATCH] jffs2: fix UAF problem

Reviewed-by: Hou Tao <houtao1@...wei.com>

On 2020/6/19 17:06, Zhe Li wrote:
> The log of UAF problem is listed below.
> BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc
> Read of size 4 by task rm/8283
> =============================================================================
> BUG kmalloc-32 (Tainted: P    B      O   ): kasan: bad access detected
> -----------------------------------------------------------------------------
> 
> INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0
>         0xb0bba6ef
>         jffs2_write_dirent+0x11c/0x9c8 [jffs2]
>         __slab_alloc.isra.21.constprop.25+0x2c/0x44
>         __kmalloc+0x1dc/0x370
>         jffs2_write_dirent+0x11c/0x9c8 [jffs2]
>         jffs2_do_unlink+0x328/0x5fc [jffs2]
>         jffs2_rmdir+0x110/0x1cc [jffs2]
>         vfs_rmdir+0x180/0x268
>         do_rmdir+0x2cc/0x300
>         ret_from_syscall+0x0/0x3c
> INFO: Freed in 0x205b age=3054364 cpu=0 pid=0
>         0x2e9173
>         jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
>         jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
>         jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2]
>         jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2]
>         jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2]
>         jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2]
>         kthread+0x1a8/0x1b0
>         ret_from_kernel_thread+0x5c/0x64
> Call Trace:
> [c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable)
> [c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2]
> [c17dddd0] [c026da04] vfs_rmdir+0x180/0x268
> [c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300
> [c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c
> 
> The root cause is that we don't get "jffs2_inode_info.sem" before
> we scan list "jffs2_inode_info.dents" in function jffs2_rmdir.
> This patch add codes to get "jffs2_inode_info.sem" before we scan
> "jffs2_inode_info.dents" to slove the UAF problem.
> 
> Signed-off-by: Zhe Li <lizhe67@...wei.com>
> ---
>  fs/jffs2/dir.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
> index f20cff1..7764937 100644
> --- a/fs/jffs2/dir.c
> +++ b/fs/jffs2/dir.c
> @@ -590,10 +590,14 @@ static int jffs2_rmdir (struct inode *dir_i, struct dentry *dentry)
>  	int ret;
>  	uint32_t now = JFFS2_NOW();
>  
> +	mutex_lock(&f->sem);
>  	for (fd = f->dents ; fd; fd = fd->next) {
> -		if (fd->ino)
> +		if (fd->ino) {
> +			mutex_unlock(&f->sem);
>  			return -ENOTEMPTY;
> +		}
>  	}
> +	mutex_unlock(&f->sem);
>  
>  	ret = jffs2_do_unlink(c, dir_f, dentry->d_name.name,
>  			      dentry->d_name.len, f, now);
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ