lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <7BCBA139-3942-436A-B7B1-72EDDE51072F@m.fudan.edu.cn>
Date: Thu, 26 Dec 2024 13:30:33 +0800
From: Kun Hu <huk23@...udan.edu.cn>
To: akpm@...ux-foundation.org
Cc: linux-kernel@...r.kernel.org,
 "jjtan24@...udan.edu.cn" <jjtan24@...udan.edu.cn>
Subject: Bug: slab-out-of-bounds Read in hfsplus_bnode_read

Hello,

When using fuzzer tool to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
git tree: upstream
Console output: https://drive.google.com/file/d/15-pUlAQaNa1apmm9gsDSsfzdkcTYtmVN/view?usp=drive_link
Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1TUgttZR9cp21RgHqhzQiRlGnafQ9SLIj/view?usp=sharing
Syzlang reproducer: https://drive.google.com/file/d/1v3qlPSNRIWP5fPyInSHsjo5f2g8sGA-i/view?usp=sharing


This bug seems to have been reported and fixed in the old kernel, which seems to be a regression issue? If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>

==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0xd6/0xe0 lib/crc-itu-t.c:60
Read of size 1 at addr ff11000013290000 by task syz-executor243/419

CPU: 2 UID: 0 PID: 419 Comm: syz-executor243 Not tainted 6.13.0-rc3 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcf/0x5f0 mm/kasan/report.c:489
 kasan_report+0x93/0xc0 mm/kasan/report.c:602
 crc_itu_t+0xd6/0xe0 lib/crc-itu-t.c:60
 udf_finalize_lvid+0xe0/0x1e0 fs/udf/super.c:2039
 udf_sync_fs+0xee/0x160 fs/udf/super.c:2384
 sync_filesystem fs/sync.c:56 [inline]
 sync_filesystem+0x110/0x2a0 fs/sync.c:30
 generic_shutdown_super+0x74/0x380 fs/super.c:621
 kill_block_super+0x3b/0x90 fs/super.c:1710
 deactivate_locked_super+0xbb/0x130 fs/super.c:473
 deactivate_super fs/super.c:506 [inline]
 deactivate_super+0xb1/0xd0 fs/super.c:502
 cleanup_mnt+0x378/0x510 fs/namespace.c:1373
 task_work_run+0x173/0x280 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa68/0x2fe0 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 __do_sys_exit_group kernel/exit.c:1098 [inline]
 __se_sys_exit_group kernel/exit.c:1096 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
 x64_sys_call+0xf6a/0x1890 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa75df2f5a6
Code: Unable to access opcode bytes at 0x7fa75df2f57c.
RSP: 002b:00007ffe768a10b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa75dfb52d0 RCX: 00007fa75df2f5a6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 00007fa75dfb3720 R11: 0000000000000246 R12: 00007fa75dfb52d0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x219 pfn:0x13290
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 ffd40000004ccbc8 ffd40000004ca448 0000000000000000
raw: 0000000000000219 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ff1100001328ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ff1100001328ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ff11000013290000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ff11000013290080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ff11000013290100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
BUG: unable to handle page fault for address: ffe21c001864e9b8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7fdd7067 P4D 7fdd6067 PUD 7fdd5067 PMD 0 
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 419 Comm: syz-executor243 Tainted: G    B              6.13.0-rc3 #3
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:udf_close_lvid+0x136/0x5e0 fs/udf/super.c:2090
Code: 8d 83 c0 00 00 00 31 f6 48 89 c7 48 89 44 24 08 e8 1f 68 92 06 49 8d 7f 18 48 ba 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <0f> b6 14 11 48 89 f9 83 e1 07 38 ca 7f 08 84 d2 0f 85 ca 03 00 00
RSP: 0018:ffa0000003747bf0 EFLAGS: 00010216
RAX: 0000000000000000 RBX: ff11000008f94000 RCX: 1fe220001864e9b8
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: ff110000c3274dc0
RBP: ff110000120cd570 R08: 0000000000000000 R09: fffffbfff33379c3
R10: ffa0000003747bf0 R11: ffffffff999bce17 R12: ff1100000b5d4000
R13: ff11000013280400 R14: 0000000000000000 R15: ff110000c3274da8
FS:  0000000000000000(0000) GS:ff1100006a200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffe21c001864e9b8 CR3: 00000000376f0002 CR4: 0000000000771ef0
PKRU: 55555554
Call Trace:
 <TASK>
 udf_put_super+0x186/0x1e0 fs/udf/super.c:2366
 generic_shutdown_super+0x14e/0x380 fs/super.c:642
 kill_block_super+0x3b/0x90 fs/super.c:1710
 deactivate_locked_super+0xbb/0x130 fs/super.c:473
 deactivate_super fs/super.c:506 [inline]
 deactivate_super+0xb1/0xd0 fs/super.c:502
 cleanup_mnt+0x378/0x510 fs/namespace.c:1373
 task_work_run+0x173/0x280 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa68/0x2fe0 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 __do_sys_exit_group kernel/exit.c:1098 [inline]
 __se_sys_exit_group kernel/exit.c:1096 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
 x64_sys_call+0xf6a/0x1890 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa75df2f5a6
Code: Unable to access opcode bytes at 0x7fa75df2f57c.
RSP: 002b:00007ffe768a10b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa75dfb52d0 RCX: 00007fa75df2f5a6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 00007fa75dfb3720 R11: 0000000000000246 R12: 00007fa75dfb52d0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
Modules linked in:
CR2: ffe21c001864e9b8
---[ end trace 0000000000000000 ]---
RIP: 0010:udf_close_lvid+0x136/0x5e0 fs/udf/super.c:2090
Code: 8d 83 c0 00 00 00 31 f6 48 89 c7 48 89 44 24 08 e8 1f 68 92 06 49 8d 7f 18 48 ba 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <0f> b6 14 11 48 89 f9 83 e1 07 38 ca 7f 08 84 d2 0f 85 ca 03 00 00
RSP: 0018:ffa0000003747bf0 EFLAGS: 00010216
RAX: 0000000000000000 RBX: ff11000008f94000 RCX: 1fe220001864e9b8
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: ff110000c3274dc0
RBP: ff110000120cd570 R08: 0000000000000000 R09: fffffbfff33379c3
R10: ffa0000003747bf0 R11: ffffffff999bce17 R12: ff1100000b5d4000
R13: ff11000013280400 R14: 0000000000000000 R15: ff110000c3274da8
FS:  0000000000000000(0000) GS:ff1100006a200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffe21c001864e9b8 CR3: 00000000376f0002 CR4: 0000000000771ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:	8d 83 c0 00 00 00    	lea    0xc0(%rbx),%eax
   6:	31 f6                	xor    %esi,%esi
   8:	48 89 c7             	mov    %rax,%rdi
   b:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  10:	e8 1f 68 92 06       	callq  0x6926834
  15:	49 8d 7f 18          	lea    0x18(%r15),%rdi
  19:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  20:	fc ff df
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
* 2a:	0f b6 14 11          	movzbl (%rcx,%rdx,1),%edx <-- trapping instruction
  2e:	48 89 f9             	mov    %rdi,%rcx
  31:	83 e1 07             	and    $0x7,%ecx
  34:	38 ca                	cmp    %cl,%dl
  36:	7f 08                	jg     0x40
  38:	84 d2                	test   %dl,%dl
  3a:	0f 85 ca 03 00 00    	jne    0x40a



——————
Thanks,
Kun Hu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ