[<prev] [next>] [day] [month] [year] [list]
Message-ID: <006fc0fb-3ae3-418d-8d5a-a9a282ea3250.bugreport@ubisectech.com>
Date: Tue, 09 Jan 2024 14:18:12 +0800
From: "Ubisectech Sirius" <bugreport@...sectech.com>
To: "linux-kernel" <linux-kernel@...r.kernel.org>,
"linux-trace-kernel" <linux-trace-kernel@...r.kernel.org>,
"linux-fsdevel" <linux-fsdevel@...r.kernel.org>
Subject: KASAN: null-ptr-deref Read in hfs_find_init
Dear concerned.
Greetings!
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7.0-g0dd3ee311255. Attached to the email were a POC file of the issue and a configuration my Linux kernel.
Stack dump:
[ 191.738375][ T8033] ==================================================================
[ 191.739640][ T8033] BUG: KASAN: null-ptr-deref in hfs_find_init (fs/hfs/bfind.c:21)
[ 191.740705][ T8033] Read of size 4 at addr 0000000000000040 by task poc/8033
[ 191.741826][ T8033]
[ 191.742206][ T8033] CPU: 0 PID: 8033 Comm: poc Not tainted 6.7.0-g0dd3ee311255 #6
[ 191.743443][ T8033] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 191.744820][ T8033] Call Trace:
[ 191.745330][ T8033] <TASK>
[ 191.745779][ T8033] dump_stack_lvl (lib/dump_stack.c:107)
[ 191.746508][ T8033] ? hfs_find_init (fs/hfs/bfind.c:21)
[ 191.747250][ T8033] kasan_report (mm/kasan/report.c:590)
[ 191.747945][ T8033] ? hfs_find_init (fs/hfs/bfind.c:21)
[ 191.748714][ T8033] hfs_find_init (fs/hfs/bfind.c:21)
[ 191.749426][ T8033] hfs_ext_read_extent (fs/hfs/extent.c:201)
[ 191.750221][ T8033] ? hfs_free_extents (fs/hfs/extent.c:192)
[ 191.750999][ T8033] ? lock_downgrade (kernel/locking/lockdep.c:5762)
[ 191.751799][ T8033] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:113)
[ 191.752614][ T8033] ? spin_bug (kernel/locking/spinlock_debug.c:113)
[ 191.753284][ T8033] ? folio_flags.constprop.0 (./include/linux/page-flags.h:316)
[ 191.754148][ T8033] hfs_get_block (fs/hfs/extent.c:367)
[ 191.754885][ T8033] block_read_full_folio (fs/buffer.c:2400 (discriminator 3))
[ 191.755744][ T8033] ? hfs_extend_file (fs/hfs/extent.c:338)
[ 191.756541][ T8033] ? decrypt_bh (fs/buffer.c:2363)
[ 191.757246][ T8033] ? folio_flags (./include/linux/page-flags.h:315)
[ 191.757956][ T8033] ? preempt_count_sub (kernel/sched/core.c:5865)
[ 191.758721][ T8033] ? hfs_bmap (fs/hfs/inode.c:38)
[ 191.759375][ T8033] filemap_read_folio (mm/filemap.c:2323)
[ 191.760194][ T8033] ? __folio_lock_killable (mm/filemap.c:2308)
[ 191.761077][ T8033] ? __filemap_get_folio (mm/filemap.c:1948)
[ 191.761895][ T8033] do_read_cache_folio (mm/filemap.c:3701)
[ 191.762665][ T8033] ? hfs_bmap (fs/hfs/inode.c:38)
[ 191.763318][ T8033] read_cache_page (mm/filemap.c:3767 mm/filemap.c:3775)
[ 191.764085][ T8033] hfs_btree_open (fs/hfs/btree.c:79)
[ 191.764846][ T8033] hfs_mdb_get (fs/hfs/mdb.c:199)
[ 191.765534][ T8033] ? hfs_mdb_put (fs/hfs/mdb.c:74)
[ 191.766237][ T8033] ? lockdep_init_map_type (kernel/locking/lockdep.c:4903)
[ 191.767104][ T8033] ? lockdep_init_map_type (kernel/locking/lockdep.c:4903)
[ 191.767942][ T8033] hfs_fill_super (fs/hfs/super.c:407)
[ 191.768668][ T8033] ? hfs_remount (fs/hfs/super.c:379)
[ 191.769392][ T8033] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4993)
[ 191.770338][ T8033] ? pointer (lib/vsprintf.c:2755)
[ 191.771040][ T8033] ? preempt_count_sub (kernel/sched/core.c:5865)
[ 191.771871][ T8033] ? __down_write_common (./arch/x86/include/asm/preempt.h:104 kernel/locking/rwsem.c:1309)
[ 191.772739][ T8033] ? up_write (kernel/locking/rwsem.c:1301)
[ 191.773454][ T8033] ? lock_sync (kernel/locking/lockdep.c:5722)
[ 191.774144][ T8033] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:113)
[ 191.775034][ T8033] ? mount_bdev (fs/super.c:1651)
[ 191.775780][ T8033] mount_bdev (fs/super.c:1651)
[ 191.776466][ T8033] ? hfs_remount (fs/hfs/super.c:379)
[ 191.777215][ T8033] ? sget (fs/super.c:1620)
[ 191.777886][ T8033] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2633)
[ 191.778798][ T8033] ? hfs_statfs (fs/hfs/super.c:455)
[ 191.779570][ T8033] legacy_get_tree (fs/fs_context.c:664)
[ 191.780333][ T8033] vfs_get_tree (fs/super.c:1772)
[ 191.781085][ T8033] path_mount (fs/namespace.c:3338 fs/namespace.c:3664)
[ 191.781792][ T8033] ? putname (fs/namei.c:275)
[ 191.782462][ T8033] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4423)
[ 191.783283][ T8033] ? finish_automount (fs/namespace.c:3591)
[ 191.784087][ T8033] ? lock_release (kernel/locking/lockdep.c:5459 kernel/locking/lockdep.c:5774)
[ 191.784813][ T8033] ? putname (fs/namei.c:275)
[ 191.785462][ T8033] __x64_sys_mount (fs/namespace.c:3678 fs/namespace.c:3886 fs/namespace.c:3863 fs/namespace.c:3863)
[ 191.786259][ T8033] ? copy_mnt_ns (fs/namespace.c:3863)
[ 191.787008][ T8033] ? syscall_enter_from_user_mode (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/entry/common.c:111)
[ 191.787915][ T8033] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 191.788628][ T8033] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
[ 191.789535][ T8033] RIP: 0033:0x7fe79c66862a
[ 191.790198][ T8033] Code: 48 8b 0d 69 18 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 36 18 0d 00 f7 d8 64 89 01 48
All code
========
0: 48 8b 0d 69 18 0d 00 mov 0xd1869(%rip),%rcx # 0xd1870
7: f7 d8 neg %eax
9: 64 89 01 mov %eax,%fs:(%rcx)
c: 48 83 c8 ff or $0xffffffffffffffff,%rax
10: c3 ret
11: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
18: 00 00 00
1b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
20: 49 89 ca mov %rcx,%r10
23: b8 a5 00 00 00 mov $0xa5,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d 36 18 0d 00 mov 0xd1836(%rip),%rcx # 0xd1870
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d 36 18 0d 00 mov 0xd1836(%rip),%rcx # 0xd1846
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 191.793168][ T8033] RSP: 002b:00007ffc3233e668 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 191.794462][ T8033] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe79c66862a
[ 191.795715][ T8033] RDX: 0000000020000040 RSI: 0000000020000140 RDI: 00007ffc3233e7a0
[ 191.796999][ T8033] RBP: 00007ffc3233e830 R08: 00007ffc3233e6a0 R09: 0000000000000000
[ 191.798223][ T8033] R10: 0000000002810880 R11: 0000000000000202 R12: 0000558b4a72f250
[ 191.799492][ T8033] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 191.800747][ T8033] </TASK>
[ 191.801242][ T8033] ==================================================================
Thank you for taking the time to read this email and we look forward to working with you further.
Ubisectech Sirius Team
Web: www.ubisectech.com
Email: bugreport@...sectech.com
Content of type "text/html" skipped
Download attachment "横板竖版组合LOGO_画板 1.png" of type "application/octet-stream" (21479 bytes)
Download attachment "poc.c" of type "application/octet-stream" (18432 bytes)
Download attachment ".config" of type "application/octet-stream" (245084 bytes)
Powered by blists - more mailing lists