lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0c88ac3a-fc79-4209-bfbe-9e99cc329241.bugreport@ubisectech.com>
Date: Thu, 09 May 2024 10:39:42 +0800
From: "Ubisectech Sirius" <bugreport@...sectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@...r.kernel.org>,
  "linux-kernel" <linux-kernel@...r.kernel.org>
Cc: "kent.overstreet" <kent.overstreet@...ux.dev>
Subject: KASAN: slab-out-of-bounds Read in bch2_journal_entry_to_text

Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7.  Attached to the email were a PoC file of the issue.

Stack dump:

loop2: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in bch2_journal_entry_to_text+0x159/0x190 fs/bcachefs/journal_io.c:760
Read of size 1 at addr ffff888060fda004 by task syz-executor.2/11019

CPU: 0 PID: 11019 Comm: syz-executor.2 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc1/0x5e0 mm/kasan/report.c:475
 kasan_report+0xbe/0xf0 mm/kasan/report.c:588
 bch2_journal_entry_to_text+0x159/0x190 fs/bcachefs/journal_io.c:760
 bch2_sb_clean_to_text+0x11c/0x1c0 fs/bcachefs/sb-clean.c:314
 bch2_sb_field_to_text+0x1d7/0x390 fs/bcachefs/super-io.c:1194
 bch2_sb_field_validate+0x243/0x2d0 fs/bcachefs/super-io.c:1168
 bch2_sb_validate.isra.0+0x62e/0xac0 fs/bcachefs/super-io.c:489
 bch2_read_super+0x79b/0x1000 fs/bcachefs/super-io.c:823
 bch2_fs_open+0x471/0x3890 fs/bcachefs/super.c:1922
 bch2_mount+0x538/0x13c0 fs/bcachefs/fs.c:1863
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x93/0x380 fs/super.c:1771
 do_new_mount fs/namespace.c:3337 [inline]
 path_mount+0x679/0x1e40 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __x64_sys_mount+0x287/0x310 fs/namespace.c:3863
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f86d8491b3e
Code: 48 c7 c0 ff ff ff ff eb aa e8 be 0d 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86d92cae38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000011a04 RCX: 00007f86d8491b3e
RDX: 0000000020011a00 RSI: 0000000020011a40 RDI: 00007f86d92cae90
RBP: 00007f86d92caed0 R08: 00007f86d92caed0 R09: 0000000003004000
R10: 0000000003004000 R11: 0000000000000202 R12: 0000000020011a00
R13: 0000000020011a40 R14: 00007f86d92cae90 R15: 0000000020000040
 </TASK>

Allocated by task 11019:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 ____kasan_kmalloc mm/kasan/common.c:333 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc_node_track_caller+0x5e/0xd0 mm/slab_common.c:1027
 __do_krealloc mm/slab_common.c:1395 [inline]
 krealloc+0x5e/0x110 mm/slab_common.c:1428
 bch2_sb_realloc+0x1ea/0x4c0 fs/bcachefs/super-io.c:207
 read_one_super+0x2f7/0x870 fs/bcachefs/super-io.c:670
 bch2_read_super+0x464/0x1000 fs/bcachefs/super-io.c:756
 bch2_fs_open+0x471/0x3890 fs/bcachefs/super.c:1922
 bch2_mount+0x538/0x13c0 fs/bcachefs/fs.c:1863
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x93/0x380 fs/super.c:1771
 do_new_mount fs/namespace.c:3337 [inline]
 path_mount+0x679/0x1e40 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __x64_sys_mount+0x287/0x310 fs/namespace.c:3863
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

The buggy address belongs to the object at ffff888060fd8000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4 bytes to the right of
 allocated 8192-byte region [ffff888060fd8000, ffff888060fda000)

The buggy address belongs to the physical page:
page:ffffea000183f600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60fd8
head:ffffea000183f600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0x4fff00000000840(slab|head|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 04fff00000000840 ffff888014842280 ffffea0000a8d000 dead000000000003
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 10857, tgid 10857 (ifquery), ts 146074273695, free_ts 146007695963
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2dd/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xd38/0x2fa0 mm/page_alloc.c:3312
 __alloc_pages+0x21d/0x21f0 mm/page_alloc.c:4568
 alloc_pages_mpol+0x245/0x5f0 mm/mempolicy.c:2133
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab mm/slub.c:2017 [inline]
 new_slab+0x28f/0x3d0 mm/slub.c:2070
 ___slab_alloc+0xac4/0x1480 mm/slub.c:3223
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x132/0x330 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc_node_track_caller+0x4e/0xd0 mm/slab_common.c:1027
 kmalloc_reserve+0xed/0x260 net/core/skbuff.c:582
 __alloc_skb+0x129/0x330 net/core/skbuff.c:651
 alloc_skb include/linux/skbuff.h:1286 [inline]
 netlink_dump+0x2d9/0xc60 net/netlink/af_netlink.c:2233
 netlink_recvmsg+0xc78/0xf10 net/netlink/af_netlink.c:1992
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x1de/0x240 net/socket.c:1068
 ____sys_recvmsg+0x216/0x670 net/socket.c:2805
 ___sys_recvmsg+0xff/0x190 net/socket.c:2847
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x4cd/0xa70 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3d0 mm/page_alloc.c:2487
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x180 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x67/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x1b3/0x330 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x4d/0xd0 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x233/0x420 security/tomoyo/file.c:822
 security_inode_getattr+0xd6/0x150 security/security.c:2153
 vfs_getattr fs/stat.c:173 [inline]
 vfs_fstat+0x4a/0xc0 fs/stat.c:198
 __do_sys_newfstat+0x7a/0xf0 fs/stat.c:473
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Memory state around the buggy address:
 ffff888060fd9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888060fd9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888060fda000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888060fda080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888060fda100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Thank you for taking the time to read this email and we look forward to working with you further.













Download attachment "poc.c" of type "application/octet-stream" (340105 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ