Date:   Thu, 16 Feb 2023 16:58:40 +0800
From:   butt3rflyh4ck <butterflyhuangxx@...il.com>
To:     clm@...com, Josef Bacik <josef@...icpanda.com>, dsterba@...e.com
Cc:     linux-btrfs@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: KASAN: A use-after-free bug in btrfsic_print_rem_link

Hi, there is a use-after-free bug in btrfsic_print_rem_link in
fs/btrfs/check-integrity.c in the latest kernel; I reproduced it on
the 6.2.0-rc8 kernel.

Briefly: when btrfsic_unmount is called to unmount, it frees the
blocks and the block_links (btrfsic_unmount):
```
void btrfsic_unmount(struct btrfs_fs_devices *fs_devices)
{
    ........
    /*
     * Don't care about keeping the lists' state up to date,
     * just free all memory that was allocated dynamically.
     * Free the blocks and the block_links.
     */
    list_for_each_entry_safe(b_all, tmp_all, &state->all_blocks_list,
                             all_blocks_node) {
        struct btrfsic_block_link *l, *tmp;

        list_for_each_entry_safe(l, tmp, &b_all->ref_to_list,
                                 node_ref_to) {
            if (state->print_mask & BTRFSIC_PRINT_MASK_VERBOSE)
                btrfsic_print_rem_link(state, l);  ///// [1]

            l->ref_cnt--;
            if (0 == l->ref_cnt)
                btrfsic_block_link_free(l);
        }
    .......

```
[1] If state->print_mask is set, it calls btrfsic_print_rem_link to
print the data.

```
static void btrfsic_print_rem_link(const struct btrfsic_state *state,
                                   const struct btrfsic_block_link *l)
{
    pr_info("rem %u* link from %c @%llu (%pg/%llu/%d) to %c @%llu (%pg/%llu/%d)\n",
            l->ref_cnt,
            btrfsic_get_block_type(state, l->block_ref_from),
            l->block_ref_from->logical_bytenr,
            l->block_ref_from->dev_state->bdev,
            l->block_ref_from->dev_bytenr, l->block_ref_from->mirror_num,
            btrfsic_get_block_type(state, l->block_ref_to),
            l->block_ref_to->logical_bytenr,
            l->block_ref_to->dev_state->bdev, l->block_ref_to->dev_bytenr,
            l->block_ref_to->mirror_num);
}
```
But a UAF or NULL-pointer-dereference bug occurs there.

## Crash log
# KASAN enabled
==================================================================
BUG: KASAN: use-after-free in btrfsic_print_rem_link+0xd1/0x26f fs/btrfs/check-integrity.c:2391
Read of size 8 at addr ffff888024ad0a08 by task syz-executor.2/8047

CPU: 0 PID: 8047 Comm: syz-executor.2 Not tainted 6.2.0-rc8 #130
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:417
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 btrfsic_print_rem_link+0xd1/0x26f fs/btrfs/check-integrity.c:2391
 btrfsic_unmount.cold+0x10/0xfc fs/btrfs/check-integrity.c:2846
 close_ctree+0xdba/0xe3d fs/btrfs/disk-io.c:4821
 generic_shutdown_super+0x158/0x410 fs/super.c:492
 kill_anon_super+0x3a/0x60 fs/super.c:1086
 btrfs_kill_super+0x3c/0x50 fs/btrfs/super.c:2132
 deactivate_locked_super+0x98/0x160 fs/super.c:332
 deactivate_super+0xb1/0xd0 fs/super.c:363
 cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1821e9202b
Code: Unable to access opcode bytes at 0x7f1821e92001.
RSP: 002b:00007fff08141548 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1821e9202b
RDX: 00007f1821e28980 RSI: 000000000000000a RDI: 00007fff08141610
RBP: 00007fff08141610 R08: 00007f1821efba15 R09: 00007fff081413d0
R10: 00000000fffffffb R11: 0000000000000246 R12: 00007f1821efb9ee
R13: 00007fff081426b0 R14: 0000555555a89d90 R15: 0000000000000032
 </TASK>

Allocated by task 13803:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:371 [inline]
 ____kasan_kmalloc mm/kasan/common.c:330 [inline]
 __kasan_kmalloc+0xa5/0xb0 mm/kasan/common.c:380
 kmalloc include/linux/slab.h:580 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 btrfsic_dev_state_alloc fs/btrfs/check-integrity.c:417 [inline]
 btrfsic_mount+0x572/0x1900 fs/btrfs/check-integrity.c:2772
 open_ctree+0x3b9f/0x46ef fs/btrfs/disk-io.c:3858
 btrfs_fill_super fs/btrfs/super.c:1151 [inline]
 btrfs_mount_root.cold+0x15/0x162 fs/btrfs/super.c:1520
 legacy_get_tree+0x109/0x220 fs/fs_context.c:610
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
 fc_mount fs/namespace.c:1149 [inline]
 vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1179
 vfs_kern_mount+0x40/0x60 fs/namespace.c:1166
 btrfs_mount+0x23f/0x9e0 fs/btrfs/super.c:1580
 legacy_get_tree+0x109/0x220 fs/fs_context.c:610
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
 do_new_mount fs/namespace.c:3145 [inline]
 path_mount+0x132a/0x1e20 fs/namespace.c:3475
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount fs/namespace.c:3674 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3674
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 8047:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0xaf/0x3b0 mm/slub.c:3800
 btrfsic_dev_state_free fs/btrfs/check-integrity.c:428 [inline]
 btrfsic_unmount+0x30c/0x7c0 fs/btrfs/check-integrity.c:2824
 close_ctree+0xdba/0xe3d fs/btrfs/disk-io.c:4821
 generic_shutdown_super+0x158/0x410 fs/super.c:492
 kill_anon_super+0x3a/0x60 fs/super.c:1086
 btrfs_kill_super+0x3c/0x50 fs/btrfs/super.c:2132
 deactivate_locked_super+0x98/0x160 fs/super.c:332
 deactivate_super+0xb1/0xd0 fs/super.c:363
 cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd


# KASAN disabled
[   50.746259][    C1] bio_end_io(err=0) for S @65536 (loop0/65536/1)
[   50.760395][ T7972] rem 1* link from M @6881280 (loop0/6881280/0) to M @5287936 (loop0/5287936/1)
[   50.763655][ T7972] rem 1* link from M @6881280 (loop0/6881280/0) to M @5345280 (loop0/5345280/1)
[   50.764208][ T7972] rem 1* link from M @6881280 (loop0/6881280/0) to M @5292032 (loop0/5292032/1)
[   50.764756][ T7972] rem 1* link from M @6881280 (loop0/6881280/0) to M @5308416 (loop0/5308416/1)
[   50.765331][ T7972] rem 1* link from M @6881280 (loop0/6881280/0) to M @5255168 (loop0/5255168/1)
[   50.765924][ T7972] rem 1* link from M @6881280 (loop0/6881280/0) to M @6885376 (loop0/6885376/0)
[   50.766607][ T7972] BUG: kernel NULL pointer dereference, address: 0000000000000008
[   50.767072][ T7972] #PF: supervisor read access in kernel mode
[   50.767415][ T7972] #PF: error_code(0x0000) - not-present page
[   50.767756][ T7972] PGD 169a2067 P4D 169a2067 PUD fa7e067 PMD 0
[   50.768201][ T7972] Oops: 0000 [#1] PREEMPT SMP
[   50.768566][ T7972] CPU: 1 PID: 7972 Comm: btrfsic_print_r Not tainted 6.2.0-rc8-00021-ge1c04510f521 #27
[   50.769255][ T7972] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   50.769940][ T7972] RIP: 0010:btrfsic_print_rem_link+0x4e/0x69
[   50.770338][ T7972] Code: 48 8b 56 10 48 c7 c7 60 3c d7 84 4c 8b 4e 18 48 8b 4e 20 8b 6b 04 4c 8b 42 08 0f b6 d0 41 8b 43 08 50 41 ff 73 18 49 8b 43 10 <ff> 70 08 43
[   50.771696][ T7972] RSP: 0018:ffffc9000c99fd98 EFLAGS: 00010206
[   50.772120][ T7972] RAX: 0000000000000000 RBX: ffff888050c0c420 RCX: 0000000000690000
[   50.772685][ T7972] RDX: 000000000000004d RSI: ffff888048906840 RDI: ffffffff84d73c60
[   50.773210][ T7972] RBP: 0000000000000001 R08: ffff888009568000 R09: 0000000000690000
[   50.773786][ T7972] R10: 0000000000000044 R11: ffff888048906180 R12: ffff888017400000
[   50.774327][ T7972] R13: ffff888048906840 R14: ffff8880489068a0 R15: ffff8880489068a8
[   50.774886][ T7972] FS:  00000000018af880(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
[   50.775492][ T7972] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   50.775946][ T7972] CR2: 0000000000000008 CR3: 000000000f97c000 CR4: 00000000000006e0
[   50.776502][ T7972] Call Trace:
[   50.776757][ T7972]  <TASK>
[   50.776963][ T7972]  btrfsic_unmount.cold+0xb/0x66
[   50.777308][ T7972]  close_ctree+0x528/0x563
[   50.777633][ T7972]  ? evict_inodes+0x165/0x1c0
[   50.777957][ T7972]  generic_shutdown_super+0x78/0x120
[   50.778321][ T7972]  kill_anon_super+0xd/0x30
[   50.778661][ T7972]  btrfs_kill_super+0x11/0x20
[   50.778997][ T7972]  deactivate_locked_super+0x2b/0xa0
[   50.779356][ T7972]  cleanup_mnt+0xfb/0x150
[   50.779650][ T7972]  task_work_run+0x55/0x90
[   50.779971][ T7972]  exit_to_user_mode_prepare+0x23c/0x250
[   50.780317][ T7972]  syscall_exit_to_user_mode+0x1d/0x50
[   50.780652][ T7972]  do_syscall_64+0x46/0xb0
[   50.780912][ T7972]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   50.781293][ T7972] RIP: 0033:0x45388b
[   50.781553][ T7972] Code: 07 00 48 83 c4 08 5b 5d c3 66 0f 1f 44 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 01 f8
[   50.782794][ T7972] RSP: 002b:00007ffe01182fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[   50.783309][ T7972] RAX: 0000000000000000 RBX: 0000000000400530 RCX: 000000000045388b
[   50.783776][ T7972] RDX: 00007ffe011830c9 RSI: 000000000000000a RDI: 00007ffe011830c0
[   50.784250][ T7972] RBP: 00007ffe011840d0 R08: 000000000049d071 R09: 00007ffe01182e80
[   50.784735][ T7972] R10: 00000000fffffffb R11: 0000000000000206 R12: 0000000000405600
[   50.785245][ T7972] R13: 0000000000000000 R14: 00000000004ce018 R15: 0000000000000000
[   50.785774][ T7972]  </TASK>
[   50.785963][ T7972] Modules linked in:
[   50.786231][ T7972] CR2: 0000000000000008
[   50.787215][ T7972] ---[ end trace 0000000000000000 ]---
[   50.787597][ T7972] RIP: 0010:btrfsic_print_rem_link+0x4e/0x69
[   50.787940][ T7972] Code: 48 8b 56 10 48 c7 c7 60 3c d7 84 4c 8b 4e 18 48 8b 4e 20 8b 6b 04 4c 8b 42 08 0f b6 d0 41 8b 43 08 50 41 ff 73 18 49 8b 43 10 <ff> 70 08 43
[   50.791030][ T7972] RSP: 0018:ffffc9000c99fd98 EFLAGS: 00010206
[   50.791456][ T7972] RAX: 0000000000000000 RBX: ffff888050c0c420 RCX: 0000000000690000
[   50.791979][ T7972] RDX: 000000000000004d RSI: ffff888048906840 RDI: ffffffff84d73c60
[   50.792510][ T7972] RBP: 0000000000000001 R08: ffff888009568000 R09: 0000000000690000
[   50.793027][ T7972] R10: 0000000000000044 R11: ffff888048906180 R12: ffff888017400000
[   50.793565][ T7972] R13: ffff888048906840 R14: ffff8880489068a0 R15: ffff8880489068a8
[   50.794083][ T7972] FS:  00000000018af880(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
[   50.794630][ T7972] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   50.795035][ T7972] CR2: 00007f8e3403e148 CR3: 000000000f97c000 CR4: 00000000000006e0
[   50.795527][ T7972] Kernel panic - not syncing: Fatal exception
[   50.796040][ T7972] Kernel Offset: disabled
[   50.796321][ T7972] Rebooting in 86400 seconds..

The reproducer is attached.


Regards,
 butt3rflyh4ck.



--
Active Defense Lab of Venustech

View attachment "repro.c" of type "text/x-csrc" (100887 bytes)
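Editor's note (added example, not part of the report above and not the attached repro.c): the two KASAN stacks record the ordering that produces the dangling read. In btrfsic_unmount the per-device state is released first (btrfsic_dev_state_free, check-integrity.c:2824 in the "Freed by" trace), and only afterwards is the block_link list walked with verbose printing (check-integrity.c:2846), where btrfsic_print_rem_link dereferences block_ref_from->dev_state->bdev through a pointer into freed memory. The C model below reproduces that ordering in user space. Its struct layout, the constructed block numbers and device names, and the "release device state last" ordering are assumptions of this example; the latter is shown as one safe ordering, not as the upstream fix. A freed dev_state is only poisoned rather than actually released, standing in for KASAN's quarantine, so the dangling read can be counted instead of being undefined behaviour.

```c
/* Added example, not kernel code: a user-space model of the unmount ordering
 * in the report. Names mirror fs/btrfs/check-integrity.c; layout is assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NDEV   2            /* constructed: two loop devices */
#define NBLOCK 4            /* constructed: one block linking to three others */
#define NLINK  (NBLOCK - 1)

struct dev_state {
    const char *bdev;       /* stands in for the struct block_device pointer */
    bool freed;             /* poison flag set by free_dev_state() */
};

struct block {
    unsigned long long logical_bytenr;
    struct dev_state *dev_state;
};

struct block_link {
    struct block *block_ref_from;
    struct block *block_ref_to;
    unsigned ref_cnt;
};

static struct dev_state dev[NDEV];
static struct block blk[NBLOCK];
static struct block_link link[NLINK];
static int uaf_reads;       /* reads of a poisoned dev_state: the model's KASAN report */

/* Quarantine instead of free(): the object stays observable after "free". */
static void free_dev_state(struct dev_state *ds)
{
    ds->freed = true;
    ds->bdev = NULL;        /* freed memory reads back as garbage; model it as NULL */
}

static const char *bdev_name(const struct block *b)
{
    if (b->dev_state->freed) {
        uaf_reads++;        /* the read KASAN flagged at check-integrity.c:2391 */
        return "<freed>";
    }
    return b->dev_state->bdev;
}

/* Same shape as btrfsic_print_rem_link: touches dev_state on both ends. */
static void print_rem_link(const struct block_link *l)
{
    printf("rem %u* link from @%llu (%s) to @%llu (%s)\n", l->ref_cnt,
           l->block_ref_from->logical_bytenr, bdev_name(l->block_ref_from),
           l->block_ref_to->logical_bytenr, bdev_name(l->block_ref_to));
}

static void fixture_init(void)
{
    memset(dev, 0, sizeof(dev));
    dev[0].bdev = "loop0";
    dev[1].bdev = "loop1";
    for (int i = 0; i < NBLOCK; i++) {
        blk[i].logical_bytenr = 5242880ULL + 4096ULL * i;   /* constructed */
        blk[i].dev_state = &dev[i % NDEV];
    }
    for (int i = 0; i < NLINK; i++) {
        link[i].block_ref_from = &blk[0];
        link[i].block_ref_to = &blk[i + 1];
        link[i].ref_cnt = 1;
    }
}

static void drop_links(bool verbose)
{
    for (int i = 0; i < NLINK; i++) {
        if (verbose)        /* BTRFSIC_PRINT_MASK_VERBOSE in the real code */
            print_rem_link(&link[i]);
        link[i].ref_cnt--;
    }
}

/* free_devs_first = true is the report's order (dev_state freed at :2824, links
 * walked at :2846); false is one safe ordering assumed here, not the upstream fix.
 * Returns the number of reads made through a freed dev_state. */
static int run_scenario(bool free_devs_first, bool verbose)
{
    fixture_init();
    uaf_reads = 0;
    if (free_devs_first) {
        for (int i = 0; i < NDEV; i++)
            free_dev_state(&dev[i]);
        drop_links(verbose);
    } else {
        drop_links(verbose);
        for (int i = 0; i < NDEV; i++)
            free_dev_state(&dev[i]);
    }
    return uaf_reads;
}
```

Calling run_scenario(true, true) walks three links after the device state is gone and reports one dangling read per printed bdev, six in total; run_scenario(true, false) keeps the report's order but skips the verbose print and reports none, which is why the bug only surfaces when the verbose bit is in print_mask; run_scenario(false, true) prints first and frees afterwards and reports none. The same teardown-order check applies to any destructor that releases objects in the order they were created rather than in reverse dependency order.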
