| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Sep 2022 21:42:18 +0800
From: Baokun Li <libaokun1@...wei.com>
To: <linux-ext4@...r.kernel.org>
CC: <tytso@....edu>, <adilger.kernel@...ger.ca>, <jack@...e.cz>,
<ritesh.list@...il.com>, <lczerner@...hat.com>,
<enwlinux@...il.com>, <linux-kernel@...r.kernel.org>,
<yi.zhang@...wei.com>, <yebin10@...wei.com>,
<chengzhihao1@...wei.com>, <yukuai3@...wei.com>,
<libaokun1@...wei.com>
Subject: [PATCH] ext4: fix use-after-free in ext4_ext_shift_extents
If the starting position of our insert range happens to be in the hole
between the two ext4_extent_idx, because the lblk of the ext4_extent in
the previous ext4_extent_idx is always less than the start, which leads
to the "extent" variable access across the boundary, the following UAF is
triggered:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
Read of size 4 at addr ffff88819807a008 by task fallocate/8010
CPU: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492
Call Trace:
dump_stack+0x7d/0xa3
print_address_description.constprop.0+0x1e/0x220
kasan_report.cold+0x67/0x7f
ext4_ext_shift_extents+0x257/0x790
ext4_insert_range+0x5b6/0x700
ext4_fallocate+0x39e/0x3d0
vfs_fallocate+0x26f/0x470
ksys_fallocate+0x3a/0x70
__x64_sys_fallocate+0x4f/0x60
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================
To solve this issue, when the ee_block of the last extent is less than
the start, exit the loop in advance to avoid UAF.
Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
Signed-off-by: Baokun Li <libaokun1@...wei.com>
Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com>
---
We can try to reproduce this problem by following the steps below:
1. Create an ext4 containing two ext4_extent_idx
mkfs.ext4 -F -O ^resize_inode,meta_bg,^sparse_super,^has_journal,^metadata_csum,quota,ea_inode -b 1024 -I 128 /dev/sda 4G
mount /dev/sda /tmp/test
touch file
dd if=/dev/urandom of=/tmp/test/file bs=1k count=800000
sync
echo 3 > /proc/sys/vm/drop_caches
2. Create a hole between two ext4_extent_idx, 528482304 is the starting position of idx2
fallocate -i -o 528482304 -l 10M /tmp/test/file
3. Keep moving right to make variable extent out of bounds
for i in `seq 0 500000`; do fallocate -i -o $[ 533725184 + 5242880 * i ] -l 10M /tmp/test/file ;done
4. Execute "drop_caches" in another window try to trigger UAF
echo 3 > /proc/sys/vm/drop_caches
fs/ext4/extents.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index c148bb97b527..25fc1f4b35a5 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -5216,11 +5216,18 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
}
tmp = *iterator;
+ extent = EXT_LAST_EXTENT(path[depth].p_hdr);
if (SHIFT == SHIFT_LEFT) {
- extent = EXT_LAST_EXTENT(path[depth].p_hdr);
*iterator = le32_to_cpu(extent->ee_block) +
ext4_ext_get_actual_len(extent);
} else {
+ /*
+ * start happens to be in the hole between
+ * the two ext4_extent_idx.
+ */
+ if (le32_to_cpu(extent->ee_block) < start)
+ break;
+
extent = EXT_FIRST_EXTENT(path[depth].p_hdr);
if (le32_to_cpu(extent->ee_block) > 0)
*iterator = le32_to_cpu(extent->ee_block) - 1;
--
2.31.1
Powered by blists - more mailing lists