Message-Id: <20240820105342.79788-1-llfamsec@gmail.com>
Date: Tue, 20 Aug 2024 18:53:42 +0800
From: lei lu <llfamsec@...il.com>
To: almaz.alexandrovich@...agon-software.com
Cc: dvyukov@...gle.com,
	keescook@...gle.com,
	linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	lizhi.xu@...driver.com,
	ntfs3@...ts.linux.dev,
	syzbot+a426cde6dee8c2884b0b@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [ntfs3?] KASAN: slab-out-of-bounds Read in mi_enum_attr

Hi, Konstantin,

I think this patch is not fully considered. The root cause is that there is a lack of
verification of the space occupied by the fixed members of attr before accessing them.
In this patch, 'if (off + 8 > used)' just ensures that the type and size fields don't
stray beyond the valid memory region, without considering the other members.

We can make a PoC as below to trigger an out-of-bounds read in 'if (!attr->non_res)',
because if the attr is the first ATTRIB, it will not reach
'if (asize < SIZEOF_RESIDENT)'. So 'if (off + asize < off || off + asize > used)'
is an invalid check.

PoC:
MFT_REC for MFT_REC_VOL located at: 0x660c00
  MFT_REC.rhdr.sign: 0x454c4946 (FILE)
  MFT_REC.rhdr.fix_off: 0x30
  MFT_REC.rhdr.fix_num: 0x3
  MFT_REC.rhdr.lsn: 0x10550c
  MFT_REC.seq: 0x3
  MFT_REC.hard_links: 0x1
  MFT_REC.attr_off: 0x38 --> 0x3f8
  MFT_REC.flags: 0x1
  MFT_REC.used: 0x178 --> 0x400
  MFT_REC.total: 0x400
  MFT_REC.parent_ref.low: 0x0
  MFT_REC.parent_ref.high: 0x0
  MFT_REC.parent_ref.seq: 0x0
  MFT_REC.next_attr_id: 0x6
  MFT_REC.res: 0x0
  MFT_REC.mft_record: 0x3
ATTRIB[0] located at: 0x660ff8
  ATTRIB[0].type: 0x0 --> 0x10
  ATTRIB[0].size: 0x20000 --> 0x8

KASAN report:
[  611.082411] ==================================================================
[  611.082411] BUG: KASAN: slab-out-of-bounds in mi_enum_attr+0x762/0x810
[  611.082411] Read of size 1 at addr ffff88810e853c00 by task mount/298
[  611.082411]
[  611.082411] CPU: 1 PID: 298 Comm: mount Not tainted 6.8.2 #2
[  611.082411] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[  611.082411] Call Trace:
[  611.082411]  <TASK>
[  611.082411]  dump_stack_lvl+0x50/0x70
[  611.082411]  print_report+0xcc/0x620
[  611.082411]  ? __virt_addr_valid+0xcb/0x320
[  611.082411]  ? mi_enum_attr+0x762/0x810
[  611.082411]  kasan_report+0xb0/0xe0
[  611.082411]  ? mi_enum_attr+0x762/0x810
[  611.082411]  mi_enum_attr+0x762/0x810
[  611.082411]  ni_enum_attr_ex+0x2fc/0x3e0
[  611.082411]  ? ntfs_read_bh+0x48/0xa0
[  611.082411]  ? __pfx_ni_enum_attr_ex+0x10/0x10
[  611.082411]  ? mi_read+0x32b/0x540
[  611.082411]  ntfs_iget5+0x86c/0x2dc0
[  611.082411]  ? __pfx_ntfs_iget5+0x10/0x10
[  611.082411]  ? __brelse+0x7c/0xa0
[  611.082411]  ntfs_fill_super+0x1686/0x3c00
[  611.082411]  ? __pfx_ntfs_fill_super+0x10/0x10
[  611.082411]  ? set_blocksize+0xbe/0x3a0
[  611.082411]  ? set_blocksize+0x28c/0x3a0
[  611.082411]  ? sb_set_blocksize+0xde/0x110
[  611.082411]  ? setup_bdev_super+0x331/0x690
[  611.082411]  get_tree_bdev+0x32b/0x590
[  611.082411]  ? __pfx_ntfs_fill_super+0x10/0x10
[  611.082411]  ? __pfx_get_tree_bdev+0x10/0x10
[  611.082411]  ? __pfx_vfs_parse_fs_string+0x10/0x10
[  611.082411]  ? cap_capable+0x199/0x200
[  611.082411]  ? security_capable+0x8d/0xc0
[  611.082411]  vfs_get_tree+0x8c/0x300
[  611.082411]  path_mount+0x507/0x1a30
[  611.082411]  ? sysvec_apic_timer_interrupt+0xf/0x80
[  611.082411]  ? __pfx_path_mount+0x10/0x10
[  611.082411]  __x64_sys_mount+0x23b/0x2d0
[  611.082411]  ? __pfx___x64_sys_mount+0x10/0x10
[  611.082411]  ? __do_softirq+0x18a/0x575
[  611.082411]  do_syscall_64+0xb3/0x1b0
[  611.082411]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[  611.082411] RIP: 0033:0x7f2d7417566a
[  611.082411] Code: 48 8b 0d 29 18 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 8
[  611.082411] RSP: 002b:00007fff27f71598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[  611.082411] RAX: ffffffffffffffda RBX: 00007f2d742a9264 RCX: 00007f2d7417566a
[  611.082411] RDX: 000055ec2ff0cf80 RSI: 000055ec2ff0cfc0 RDI: 000055ec2ff0cfa0
[  611.082411] RBP: 000055ec2ff0cd50 R08: 0000000000000000 R09: 00007f2d74247be0
[  611.082411] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  611.082411] R13: 000055ec2ff0cfa0 R14: 000055ec2ff0cf80 R15: 000055ec2ff0cd50
[  611.082411]  </TASK>
[  611.082411]
[  611.082411] Allocated by task 298:
[  611.082411]  kasan_save_stack+0x24/0x50
[  611.082411]  kasan_save_track+0x14/0x30
[  611.082411]  __kasan_kmalloc+0x7f/0x90
[  611.082411]  __kmalloc+0x179/0x370
[  611.082411]  mi_init+0x90/0x100
[  611.082411]  ntfs_iget5+0x3d1/0x2dc0
[  611.082411]  ntfs_fill_super+0x1686/0x3c00
[  611.082411]  get_tree_bdev+0x32b/0x590
[  611.082411]  vfs_get_tree+0x8c/0x300
[  611.082411]  path_mount+0x507/0x1a30
[  611.082411]  __x64_sys_mount+0x23b/0x2d0
[  611.082411]  do_syscall_64+0xb3/0x1b0
[  611.082411]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[  611.082411]
[  611.082411] The buggy address belongs to the object at ffff88810e853800
[  611.082411]  which belongs to the cache kmalloc-1k of size 1024
[  611.082411] The buggy address is located 0 bytes to the right of
[  611.082411]  allocated 1024-byte region [ffff88810e853800, ffff88810e853c00)
[  611.082411]
[  611.082411] The buggy address belongs to the physical page:
[  611.082411] page:00000000a08f2d1e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e850
[  611.082411] head:00000000a08f2d1e order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  611.082411] flags: 0x200000000000840(slab|head|node=0|zone=2)
[  611.082411] page_type: 0xffffffff()
[  611.082411] raw: 0200000000000840 ffff888100041dc0 dead000000000122 0000000000000000
[  611.082411] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[  611.082411] page dumped because: kasan: bad access detected
[  611.082411]
[  611.082411] Memory state around the buggy address:
[  611.082411]  ffff88810e853b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  611.082411]  ffff88810e853b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  611.082411] >ffff88810e853c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  611.082411]                    ^
[  611.082411]  ffff88810e853c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  611.082411]  ffff88810e853d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  611.082411] ==================================================================

Thanks,
LL
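
As an added example, not part of the mail or of the ntfs3 code, the checks discussed above replayed in user space in C: a constructed 1 KiB record carrying the PoC values from the mail (used = total = 0x400, attr_off = 0x3f8, first ATTRIB type 0x10 size 0x8) passes the 'off + 8' and 'off + asize' checks, yet the next read of attr->non_res lands at byte 0x400, exactly where KASAN reported it; requiring the whole fixed SIZEOF_RESIDENT header to fit before any other field is touched rejects the record instead. The `mft_rec_view` struct, the `check_first_attr`/`run_record` names and the field-offset macros are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* On-disk ATTRIB header: type at 0, size at 4, non_res at 8 (fs/ntfs3
 * layout); SIZEOF_RESIDENT is the size of the fixed resident header. */
#define ATTR_NON_RES_OFF 8u
#define SIZEOF_RESIDENT  0x18u

/* Record fields the first-attribute walk needs (hypothetical view struct). */
struct mft_rec_view { const uint8_t *rec; uint32_t total, used; uint16_t attr_off; };

enum verdict { ATTR_OK, ATTR_REJECTED, ATTR_OOB_READ };

/* Apply the patch's checks to the first attribute, then report whether the
 * read of attr->non_res that follows them would fall at or beyond `used`.
 * strict=true additionally requires the whole fixed header to fit first. */
static enum verdict check_first_attr(const struct mft_rec_view *v, bool strict)
{
    uint32_t off = v->attr_off, asize;
    if (v->used > v->total || off >= v->used || (off & 7))
        return ATTR_REJECTED;
    if (off + 8 > v->used)                 /* patch: only type+size in bounds */
        return ATTR_REJECTED;
    memcpy(&asize, v->rec + off + 4, sizeof asize);
    if (off + asize < off || off + asize > v->used)
        return ATTR_REJECTED;              /* passes for size 8 at 0x3f8 */
    if (strict && (asize < SIZEOF_RESIDENT || off + SIZEOF_RESIDENT > v->used))
        return ATTR_REJECTED;
    if (off + ATTR_NON_RES_OFF >= v->used)
        return ATTR_OOB_READ;              /* byte 0x400 of a 0x400-byte record */
    return ATTR_OK;
}

/* Constructed 1 KiB record with the mail's PoC values (used = total = 0x400,
 * attr_off = 0x3f8, ATTRIB[0] type 0x10 size 0x8) or a sane first attribute. */
static enum verdict run_record(bool poc_values, bool strict)
{
    static uint8_t rec[0x400];
    uint32_t type = 0x10, size = poc_values ? 0x8 : SIZEOF_RESIDENT;
    uint16_t off = poc_values ? 0x3f8 : 0x38;
    memset(rec, 0, sizeof rec);
    memcpy(rec + off, &type, 4);
    memcpy(rec + off + 4, &size, 4);
    struct mft_rec_view v = { rec, 0x400, poc_values ? 0x400 : 0x178, off };
    return check_first_attr(&v, strict);
}
```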
