[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0c88ac3a-fc79-4209-bfbe-9e99cc329241.bugreport@ubisectech.com>
Date: Thu, 09 May 2024 10:39:42 +0800
From: "Ubisectech Sirius" <bugreport@...sectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@...r.kernel.org>,
"linux-kernel" <linux-kernel@...r.kernel.org>
Cc: "kent.overstreet" <kent.overstreet@...ux.dev>
Subject: KASAN: slab-out-of-bounds Read in bch2_journal_entry_to_text
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
loop2: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in bch2_journal_entry_to_text+0x159/0x190 fs/bcachefs/journal_io.c:760
Read of size 1 at addr ffff888060fda004 by task syz-executor.2/11019
CPU: 0 PID: 11019 Comm: syz-executor.2 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc1/0x5e0 mm/kasan/report.c:475
kasan_report+0xbe/0xf0 mm/kasan/report.c:588
bch2_journal_entry_to_text+0x159/0x190 fs/bcachefs/journal_io.c:760
bch2_sb_clean_to_text+0x11c/0x1c0 fs/bcachefs/sb-clean.c:314
bch2_sb_field_to_text+0x1d7/0x390 fs/bcachefs/super-io.c:1194
bch2_sb_field_validate+0x243/0x2d0 fs/bcachefs/super-io.c:1168
bch2_sb_validate.isra.0+0x62e/0xac0 fs/bcachefs/super-io.c:489
bch2_read_super+0x79b/0x1000 fs/bcachefs/super-io.c:823
bch2_fs_open+0x471/0x3890 fs/bcachefs/super.c:1922
bch2_mount+0x538/0x13c0 fs/bcachefs/fs.c:1863
legacy_get_tree+0x109/0x220 fs/fs_context.c:662
vfs_get_tree+0x93/0x380 fs/super.c:1771
do_new_mount fs/namespace.c:3337 [inline]
path_mount+0x679/0x1e40 fs/namespace.c:3664
do_mount fs/namespace.c:3677 [inline]
__do_sys_mount fs/namespace.c:3886 [inline]
__se_sys_mount fs/namespace.c:3863 [inline]
__x64_sys_mount+0x287/0x310 fs/namespace.c:3863
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f86d8491b3e
Code: 48 c7 c0 ff ff ff ff eb aa e8 be 0d 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86d92cae38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000011a04 RCX: 00007f86d8491b3e
RDX: 0000000020011a00 RSI: 0000000020011a40 RDI: 00007f86d92cae90
RBP: 00007f86d92caed0 R08: 00007f86d92caed0 R09: 0000000003004000
R10: 0000000003004000 R11: 0000000000000202 R12: 0000000020011a00
R13: 0000000020011a40 R14: 00007f86d92cae90 R15: 0000000020000040
</TASK>
Allocated by task 11019:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
____kasan_kmalloc mm/kasan/common.c:333 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node_track_caller+0x5e/0xd0 mm/slab_common.c:1027
__do_krealloc mm/slab_common.c:1395 [inline]
krealloc+0x5e/0x110 mm/slab_common.c:1428
bch2_sb_realloc+0x1ea/0x4c0 fs/bcachefs/super-io.c:207
read_one_super+0x2f7/0x870 fs/bcachefs/super-io.c:670
bch2_read_super+0x464/0x1000 fs/bcachefs/super-io.c:756
bch2_fs_open+0x471/0x3890 fs/bcachefs/super.c:1922
bch2_mount+0x538/0x13c0 fs/bcachefs/fs.c:1863
legacy_get_tree+0x109/0x220 fs/fs_context.c:662
vfs_get_tree+0x93/0x380 fs/super.c:1771
do_new_mount fs/namespace.c:3337 [inline]
path_mount+0x679/0x1e40 fs/namespace.c:3664
do_mount fs/namespace.c:3677 [inline]
__do_sys_mount fs/namespace.c:3886 [inline]
__se_sys_mount fs/namespace.c:3863 [inline]
__x64_sys_mount+0x287/0x310 fs/namespace.c:3863
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
The buggy address belongs to the object at ffff888060fd8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4 bytes to the right of
allocated 8192-byte region [ffff888060fd8000, ffff888060fda000)
The buggy address belongs to the physical page:
page:ffffea000183f600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60fd8
head:ffffea000183f600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0x4fff00000000840(slab|head|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 04fff00000000840 ffff888014842280 ffffea0000a8d000 dead000000000003
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 10857, tgid 10857 (ifquery), ts 146074273695, free_ts 146007695963
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2dd/0x350 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xd38/0x2fa0 mm/page_alloc.c:3312
__alloc_pages+0x21d/0x21f0 mm/page_alloc.c:4568
alloc_pages_mpol+0x245/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x28f/0x3d0 mm/slub.c:2070
___slab_alloc+0xac4/0x1480 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x132/0x330 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node_track_caller+0x4e/0xd0 mm/slab_common.c:1027
kmalloc_reserve+0xed/0x260 net/core/skbuff.c:582
__alloc_skb+0x129/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
netlink_dump+0x2d9/0xc60 net/netlink/af_netlink.c:2233
netlink_recvmsg+0xc78/0xf10 net/netlink/af_netlink.c:1992
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x1de/0x240 net/socket.c:1068
____sys_recvmsg+0x216/0x670 net/socket.c:2805
___sys_recvmsg+0xff/0x190 net/socket.c:2847
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x4cd/0xa70 mm/page_alloc.c:2347
free_unref_page+0x33/0x3d0 mm/page_alloc.c:2487
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x180 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x67/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x1b3/0x330 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0x4d/0xd0 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x233/0x420 security/tomoyo/file.c:822
security_inode_getattr+0xd6/0x150 security/security.c:2153
vfs_getattr fs/stat.c:173 [inline]
vfs_fstat+0x4a/0xc0 fs/stat.c:198
__do_sys_newfstat+0x7a/0xf0 fs/stat.c:473
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
Memory state around the buggy address:
ffff888060fd9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888060fd9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888060fda000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888060fda080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888060fda100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Thank you for taking the time to read this email and we look forward to working with you further.
Download attachment "poc.c" of type "application/octet-stream" (340105 bytes)
Powered by blists - more mailing lists